@remix_labs/mixc-starter
start the compiler in a web worker
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:dynamic-require | AI (semgrep): Webpack chunk loader pattern; not arbitrary user-controlled input. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Filters process.env for debug_ keys — standard debug library pattern, not exfiltration. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Standard encoding switch-case handler, not obfuscated payload decoding. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get inside a Proxy trap — idiomatic JS, not evasion. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Webpack globalThis polyfill boilerplate; stable across versions. | ai | |
| phantom-deps | phantom-dep:@remix_labs/hub-client | AI (phantom-deps): Same-org dep; may be used indirectly via the bundled worker files. | ai |
Versions (showing 13 of 413)
| Version | Deps | Published |
|---|---|---|
| 2.6186.0 | 1 / 0 | |
| 2.6184.0 | 1 / 0 | |
| 2.6182.0 | 1 / 0 | |
| 2.6180.0 | 1 / 0 | |
| 2.6173.0 | 1 / 0 | |
| 2.6171.0 | 1 / 0 | |
| 2.6161.0 | 1 / 0 | |
| 2.6151.0 | 1 / 0 | |
| 2.6131.0 | 1 / 0 | |
| 2.6123.0 | 1 / 0 | |
| 2.6121.0 | 1 / 0 | |
| 2.6118.0 | 1 / 0 | |
| 2.6115.0 | 1 / 0 |
v2.6186.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6184.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6182.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6180.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6173.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6171.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6161.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6151.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6131.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6123.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6121.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6118.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6115.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.