@tscircuit/core — Greenflagged

The core logic used to build Circuit JSON from tscircuit React elements.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

seveibar

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
npm-metadata	url-dep:@tscircuit/jlcpcb-manufacturing-specs	AI (npm-metadata): SHA-pinned dep is in devDependencies pointing to same org; not included in published dist, stable pattern for this package.	ai	2026/05/26
phantom-deps	phantom-dep:@flatten-js/core	AI (phantom-deps): Declared dependency used in config; stable pattern for this package.	ai	2026/05/23
dependencies	unvetted-dep:calculate-cell-boundaries	AI (dependencies): Fits tscircuit geometry utility pattern; publisher has strong track record and this is a domain-appropriate dep.	ai	2026/05/18
dependencies	unvetted-dep:react-reconciler-18	AI (dependencies): react-reconciler-18 is a version alias for [email protected], a standard React dual-version support pattern for this package.	ai	2026/04/28
phantom-deps	phantom-dep:nanoid	AI (phantom-deps): nanoid is declared and used; phantom-dep rule is a false positive for config-referenced dependencies.	ai	2026/04/26
phantom-deps	phantom-dep:performance-now	AI (phantom-deps): performance-now is declared and used; phantom-dep rule is a false positive for config-referenced dependencies.	ai	2026/04/26
typosquat	typosquat.levenshtein:cors	AI (typosquat): @tscircuit/core is a scoped package in the tscircuit ecosystem (circuit design framework), not a typosquat of 'cors'. The name similarity is purely coincidental; no brand impersonation.	ai	2026/04/25
dependencies	unvetted-dep:transformation-matrix	AI (dependencies): Matrix transformation library; appropriate for 2D coordinate transforms in circuit layout.	ai	2026/04/25
dependencies	unvetted-dep:@lume/kiwi	AI (dependencies): Legitimate constraint-solving library appropriate for circuit layout; no security concerns.	ai	2026/04/25
dependencies	unvetted-dep:format-si-unit	AI (dependencies): Small utility for SI unit formatting; appropriate for electronics tooling.	ai	2026/04/25
dependencies	unvetted-dep:@flatten-js/core	AI (dependencies): Geometry library for 2D operations; appropriate for circuit/PCB layout.	ai	2026/04/25
dependencies	unvetted-dep:calculate-packing	AI (dependencies): Packing algorithm library; appropriate for component placement in circuit design.	ai	2026/04/25
dependencies	unvetted-dep:svg-path-commander	AI (dependencies): SVG path manipulation library; appropriate for circuit-to-SVG rendering.	ai	2026/04/25

Versions (showing 100 of 784)

Version	Deps	Published
0.0.1220	12 / 56	2026-05-05
0.0.1219	12 / 56	2026-05-05
0.0.1218	12 / 56	2026-05-05
0.0.1217	11 / 56	2026-05-05
0.0.1216	11 / 56	2026-05-05
0.0.1215	11 / 56	2026-05-03
0.0.1214	11 / 56	2026-05-03
0.0.1213	11 / 56	2026-05-02
0.0.1212	11 / 56	2026-05-01
0.0.1211	11 / 56	2026-05-01
0.0.1210	11 / 56	2026-05-01
0.0.1209	11 / 56	2026-04-29
0.0.1208	11 / 56	2026-04-29
0.0.1207	11 / 56	2026-04-29
0.0.1206	11 / 56	2026-04-29
0.0.1205	11 / 56	2026-04-28
0.0.1204	11 / 56	2026-04-28
0.0.1203	11 / 56	2026-04-28
0.0.1202	11 / 56	2026-04-28
0.0.1201	11 / 56	2026-04-28
0.0.1200	11 / 56	2026-04-27
0.0.1199	11 / 56	2026-04-27
0.0.1198	11 / 56	2026-04-26
0.0.1197	11 / 56	2026-04-26
0.0.1196	11 / 56	2026-04-25
0.0.1195	11 / 56	2026-04-25
0.0.1194	11 / 56	2026-04-25
0.0.1193	11 / 56	2026-04-24
0.0.1192	11 / 56	2026-04-24
0.0.1191	11 / 56	2026-04-24
0.0.1190	11 / 56	2026-04-24
0.0.1189	11 / 56	2026-04-24
0.0.1188	11 / 56	2026-04-24
0.0.1187	11 / 56	2026-04-23
0.0.1186	11 / 56	2026-04-23
0.0.1185	11 / 56	2026-04-23
0.0.1184	11 / 56	2026-04-23
0.0.1183	11 / 56	2026-04-23
0.0.1182	11 / 56	2026-04-22
0.0.1181	11 / 56	2026-04-22
0.0.1180	11 / 56	2026-04-21
0.0.1179	11 / 56	2026-04-21
0.0.1178	11 / 56	2026-04-21
0.0.1177	11 / 56	2026-04-21
0.0.1176	11 / 55	2026-04-20
0.0.1175	11 / 55	2026-04-20
0.0.1174	11 / 55	2026-04-19
0.0.1173	11 / 55	2026-04-19
0.0.1172	11 / 55	2026-04-19
0.0.1171	11 / 55	2026-04-18
0.0.1170	11 / 55	2026-04-18
0.0.1169	11 / 55	2026-04-18
0.0.1168	11 / 55	2026-04-17
0.0.1167	11 / 55	2026-04-16
0.0.1166	11 / 55	2026-04-16
0.0.1165	11 / 55	2026-04-15
0.0.1164	11 / 55	2026-04-15
0.0.1163	11 / 55	2026-04-14
0.0.1162	11 / 55	2026-04-14
0.0.1161	11 / 55	2026-04-14
0.0.1160	11 / 55	2026-04-14
0.0.1159	11 / 55	2026-04-14
0.0.1158	11 / 55	2026-04-14
0.0.1157	11 / 55	2026-04-13
0.0.1156	11 / 55	2026-04-13
0.0.1155	11 / 55	2026-04-12
0.0.1154	11 / 55	2026-04-11
0.0.1153	11 / 55	2026-04-10
0.0.1152	11 / 55	2026-04-10
0.0.1151	11 / 55	2026-04-10
0.0.1150	11 / 55	2026-04-10
0.0.1149	11 / 55	2026-04-09
0.0.1148	11 / 55	2026-04-09
0.0.1147	11 / 55	2026-04-09
0.0.1146	11 / 55	2026-04-09
0.0.1145	11 / 55	2026-04-09
0.0.1144	11 / 55	2026-04-09
0.0.1143	11 / 55	2026-04-09
0.0.1142	11 / 55	2026-04-07
0.0.1141	11 / 55	2026-04-06
0.0.1140	11 / 55	2026-04-06
0.0.1139	11 / 55	2026-04-06
0.0.1138	11 / 55	2026-04-06
0.0.1137	11 / 55	2026-04-05
0.0.1136	11 / 55	2026-04-04
0.0.1135	11 / 55	2026-04-04
0.0.1134	11 / 55	2026-04-04
0.0.1133	11 / 55	2026-04-03
0.0.1132	11 / 55	2026-04-03
0.0.1131	11 / 55	2026-04-03
0.0.1130	11 / 55	2026-04-02
0.0.1129	11 / 55	2026-04-02
0.0.1128	11 / 55	2026-03-30
0.0.1127	11 / 55	2026-03-30
0.0.1126	11 / 55	2026-03-28
0.0.1125	11 / 55	2026-03-27
0.0.1124	11 / 55	2026-03-27
0.0.1123	11 / 55	2026-03-24
0.0.1122	11 / 55	2026-03-24
0.0.1121	11 / 55	2026-03-23

Showing 100 of 784 Next page →

v0.0.1220

2 findings

HIGH SHA-pinned github dependency (devDependencies): @tscircuit/jlcpcb-manufacturing-specs npm-metadata

Dependency '@tscircuit/jlcpcb-manufacturing-specs' in `devDependencies` points to 'git+https://github.com/tscircuit/jlcpcb-manufacturing-specs.git#e08af159db01a37db007e33f0a7268d0e4a279a5' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.