@renovatebot/pgp
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | source-size-tripled | AI (source-diff): Size increase explained by newly added .NET and TeaVM WASM runtime artifacts from build:dotnet and build:java scripts. | ai | |
| source-diff | net-exec-file:dist/dotnet/_framework/dotnet.native.js | AI (source-diff): Emscripten-generated .NET native WASM loader; network+exec pattern is inherent to WASM module loading. | ai | |
| source-diff | net-exec-file:dist/dotnet/_framework/dotnet.runtime.js | AI (source-diff): Official .NET Foundation WASM runtime; network+exec pattern is inherent to WASM module loading. | ai | |
| source-diff | net-exec-file:dist/teavm/lib.wasm-runtime.js | AI (source-diff): Apache-licensed TeaVM WASM runtime; network+exec pattern is inherent to WASM module loading. | ai | |
| source-diff | obfuscated-file:dist/dotnet/_framework/dotnet.js | AI (source-diff): Official .NET Foundation WASM runtime bundle; minification is expected for this artifact. | ai | |
| source-diff | obfuscated-file:dist/dotnet/_framework/dotnet.runtime.js | AI (source-diff): Official .NET Foundation WASM runtime bundle; minification is expected for this artifact. | ai | |
| source-diff | encoded-string-file:dist/teavm/lib.js | AI (source-diff): Encoded strings are EC curve constants and OIDs in a TeaVM-compiled PGP crypto library — expected and stable. | ai | |
| typosquat | typosquat.levenshtein:yup | AI (typosquat): Scoped under @renovatebot org; no relation to 'yup' validation library. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped under @renovatebot org; PGP library unrelated to the 'pg' postgres package. | ai |
Versions (showing 10 of 10)
| Version | Deps | Published |
|---|---|---|
| 1.3.12 | 0 / 15 | |
| 1.3.11 | 0 / 15 | |
| 1.3.10 | 0 / 15 | |
| 1.3.9 | 0 / 15 | |
| 1.3.8 | 0 / 15 | |
| 1.3.7 | 0 / 15 | |
| 1.3.6 | 0 / 15 | |
| 1.3.5 | 0 / 15 | |
| 1.0.2 | 0 / 12 | |
| 1.0.1 | 0 / 12 |
v1.3.12
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.3.11
2 findingsModified file contains 12 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.3.10
2 findingsModified file contains 12 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.3.9
2 findingsPackage name '@renovatebot/pgp' is 1 edit(s) away from popular package 'pg'.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.3.8
6 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.3.7
6 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.3.6
6 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.3.5
6 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.