ajv-dist
Another JSON Schema Validator: browser bundles
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/ajvJTD.bundle.js | AI (source-diff): Standard browserify UMD bundle for AJV JTD validator. 'Network' detection is a false positive on UMD env detection; dynamic code execution is AJV's schema compilation feature. No actual network calls present. | ai | |
| source-diff | net-exec-file:dist/ajvJTD.min.js | AI (source-diff): Minified browserify UMD bundle for AJV JTD validator. Same false positive pattern as the bundle file — UMD env detection + AJV's dynamic schema compilation, not malware. | ai | |
| source-diff | net-exec-file:dist/ajv2019.min.js | AI (source-diff): Minified UMD bundle of AJV 2019; same pattern as bundle.js — AJV's CodeGen uses dynamic function construction by design, not malware. | ai | |
| source-diff | net-exec-file:dist/ajv2019.bundle.js | AI (source-diff): ajv-dist ships UMD browser bundles of AJV; dynamic code execution is AJV's legitimate compiled-validator pattern (new Function). No actual network fetch or dropper behavior present. | ai | |
| source-diff | net-exec-file:dist/ajv7.bundle.js | AI (source-diff): UMD browser bundle of AJV v7; dynamic code execution is AJV's legitimate compiled-validator pattern. No dropper/loader behavior. | ai | |
| source-diff | net-exec-file:dist/ajv7.min.js | AI (source-diff): Minified UMD bundle of AJV v7; same pattern — AJV CodeGen uses dynamic function construction by design, not malware. | ai | |
| source-diff | net-exec-file:dist/ajv2020.min.js | AI (source-diff): Minified UMD browser bundle of AJV library. Same false positive pattern as bundle.js — AJV's CodeGen utilities trigger the rule without any malicious behavior. | ai | |
| source-diff | net-exec-file:dist/ajv2020.bundle.js | AI (source-diff): Standard UMD browser bundle of AJV library. Code generation utilities in AJV trigger false positive; no actual malicious network calls or dropper behavior present. | ai | |
| bogus-package | bogus-package | AI (bogus-package): ajv-dist is a legitimate browser bundle distribution package; no runtime deps and minimal README are expected for a dist-only package. | ai | |
Versions (showing 41 of 41)
| Version | Deps | Published |
|---|---|---|
| 8.17.1 | 0 / 0 | |
| 8.16.0 | 0 / 0 | |
| 8.14.0 | 0 / 0 | |
| 8.13.0 | 0 / 0 | |
| 8.12.0 | 0 / 0 | |
| 8.11.2 | 0 / 0 | |
| 8.11.1 | 0 / 0 | |
| 8.11.0 | 0 / 0 | |
| 8.10.0 | 0 / 0 | |
| 8.9.0 | 0 / 0 | |
| 8.8.2 | 0 / 0 | |
| 8.8.1 | 0 / 0 | |
| 8.8.0 | 0 / 0 | |
| 8.7.1 | 0 / 0 | |
| 8.7.0 | 0 / 0 | |
| 8.6.1 | 0 / 0 | |
| 8.6.0 | 0 / 0 | |
| 8.5.0 | 0 / 0 | |
| 8.4.0 | 0 / 0 | |
| 8.3.0 | 0 / 0 | |
| 8.2.0 | 0 / 0 | |
| 8.1.0 | 0 / 0 | |
| 8.0.5 | 0 / 0 | |
| 8.0.4 | 0 / 0 | |
| 8.0.3 | 0 / 0 | |
| 8.0.2 | 0 / 0 | |
| 8.0.1 | 0 / 0 | |
| 8.0.0 | 0 / 0 | |
| 7.2.4 | 0 / 0 | |
| 7.2.3 | 0 / 0 | |
| 7.2.2 | 0 / 0 | |
| 7.2.1 | 0 / 0 | |
| 7.2.0 | 0 / 0 | |
| 7.1.1 | 0 / 0 | |
| 7.1.0 | 0 / 0 | |
| 7.0.4 | 0 / 0 | |
| 7.0.3 | 0 / 0 | |
| 7.0.2 | 0 / 0 | |
| 7.0.1 | 0 / 0 | |
| 7.0.0 | 0 / 0 | |
| 6.10.0 | 0 / 0 | |
v8.17.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.16.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.14.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.13.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.12.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.11.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.11.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.11.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.10.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.9.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.8.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.8.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.8.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.7.1
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.7.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.6.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.6.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.5.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.4.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.3.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.2.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.1.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.2.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.2.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.2.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.2.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.2.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.1
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.0
5 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.