@types/three
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@types/webxr | AI (phantom-deps): @types/three is a type definitions package; dependencies are referenced in .d.ts files for type resolution, not directly imported in JS. Phantom-dep rule does not apply meaningfully here. | ai | |
| phantom-deps | phantom-dep:meshoptimizer | AI (phantom-deps): Type definitions package; meshoptimizer types are referenced in .d.ts declarations, not directly imported. Expected pattern for @types/three. | ai | |
| phantom-deps | phantom-dep:@types/stats.js | AI (phantom-deps): Type definitions package; @types/stats.js is a type dependency referenced in declarations, not a direct JS import. Expected pattern. | ai | |
| phantom-deps | phantom-dep:@tweenjs/tween.js | AI (phantom-deps): Type definitions package; tween.js types are referenced in .d.ts declarations for three.js animation utilities. Expected pattern. | ai | |
| phantom-deps | phantom-dep:@dimforge/rapier3d-compat | AI (phantom-deps): Type definitions package; rapier3d-compat types are referenced in .d.ts declarations for three.js physics integration. Expected pattern. | ai | |
| phantom-deps | phantom-dep:fflate | AI (phantom-deps): fflate is a legitimate three.js compression dependency; phantom-dep detection is not meaningful for type definition packages. | ai | |
| provenance | no-provenance | AI (provenance): DefinitelyTyped packages published via the `types` publisher do not use Sigstore provenance; this is a stable, well-known publisher with 11,092 approvals and 0 rejections. | ai | |
Versions (showing 11 of 11)
| Version | Deps | Published |
|---|---|---|
| 0.184.1 | 6 / 0 | |
| 0.184.0 | 6 / 0 | |
| 0.183.1 | 7 / 0 | |
| 0.183.0 | 7 / 0 | |
| 0.182.0 | 7 / 0 | |
| 0.181.0 | 7 / 0 | |
| 0.180.0 | 7 / 0 | |
| 0.179.0 | 7 / 0 | |
| 0.178.1 | 7 / 0 | |
| 0.178.0 | 7 / 0 | |
| 0.177.0 | 7 / 0 | |
v0.184.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.184.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.183.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.183.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.182.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.181.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.180.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.179.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.178.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.178.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.177.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.