filestack-js — Greenflagged

Official JavaScript library for Filestack

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

filestack-dev

Keywords

filestackfilepickeruploadfilesmultipartS3transformcropperdocument viewerimagesimage processingfile managementuniversalisomorphic

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require is used solely to read the package's own package.json for version detection — a standard self-versioning pattern, not arbitrary module loading.	ai	2026/04/24
publish-pattern	new-deps-added	AI (publish-pattern): Dependency change is @sentry/minimal -> @sentry/browser, a routine Sentry SDK consolidation. Both are official Sentry packages; no malicious signal.	ai	2026/04/24
dependencies	unvetted-dep:ts-node	AI (dependencies): ts-node is listed as a runtime dep but phantom-dep analysis confirms it is not directly imported — only referenced in config files. This is a stable quirk of this package across versions.	ai	2026/04/24
phantom-deps	phantom-dep:@babel/runtime	AI (phantom-deps): @babel/runtime is a standard Babel helper package loaded by convention; phantom-dep finding is expected for this type of framework-scoped package.	ai	2026/04/23
semgrep	semgrep:base64-decode	AI (semgrep): The base64 usage is a standard detection idiom (checking if a string is base64-encoded), not obfuscation or payload hiding. Stable false positive for this file upload SDK.	ai	2026/04/23
phantom-deps	phantom-dep:follow-redirects	AI (phantom-deps): follow-redirects is a well-known HTTP utility; phantom-dep status indicates it's used transitively, not a security concern.	ai	2026/04/23
phantom-deps	phantom-dep:ts-node	AI (phantom-deps): ts-node is a well-known TypeScript tool used in build/config context; its phantom-dep status is a packaging hygiene issue, not a security risk.	ai	2026/04/23
phantom-deps	phantom-dep:abab	AI (phantom-deps): abab is a well-known base64/atob polyfill; phantom-dep status is a packaging hygiene issue, not a security risk.	ai	2026/04/23

Versions (showing 51 of 204)

Show 2 prereleases View all versions

Version	Deps	Published
4.3.8	15 / 68	2026-05-11
4.3.7	15 / 68	2026-03-19
4.3.6	15 / 68	2026-02-24
4.3.5	15 / 68	2026-01-28
4.3.4	15 / 68	2025-10-29
4.2.4	15 / 68	2025-10-13
4.1.4	15 / 68	2025-09-08
4.0.4	15 / 68	2025-08-12
4.0.3	15 / 68	2025-06-26
4.0.2	15 / 68	2025-06-16
4.0.1	15 / 68	2025-06-16
4.0.0	15 / 68	2025-06-02
3.51.5	15 / 68	2026-05-20
3.51.4	15 / 68	2026-04-29
3.50.4	15 / 68	2026-04-21
3.49.4	15 / 68	2026-04-20
3.48.4	15 / 68	2026-04-14
3.47.4	15 / 68	2026-03-25
3.46.4	15 / 68	2026-02-23
3.46.3	15 / 68	2026-01-19
3.46.2	15 / 68	2025-12-22
3.45.2	15 / 68	2025-12-15
3.44.2	15 / 68	2025-10-22
3.44.1	15 / 68	2025-10-09
3.43.1	15 / 68	2025-10-06
3.42.1	15 / 68	2025-09-29
3.42.0	15 / 68	2025-09-11
3.41.12	15 / 68	2025-08-12
3.40.12	15 / 68	2025-08-05
3.40.11	15 / 68	2025-08-04
3.40.10	15 / 68	2025-07-23
3.40.9	15 / 68	2025-07-22
3.40.8	15 / 68	2025-06-16
3.40.7	15 / 68	2025-06-16
3.40.6	15 / 68	2025-05-27
3.40.5	15 / 65	2025-04-22
3.39.5	15 / 56	2025-03-31
3.38.5	15 / 56	2025-02-18
3.37.5	15 / 56	2025-01-23
3.37.4	15 / 56	2025-01-22
3.36.4	15 / 56	2024-12-11
3.35.4	15 / 56	2024-11-14
3.34.4	15 / 56	2024-10-18
3.34.3	15 / 56	2024-10-01
3.33.3	15 / 56	2024-09-30
3.32.3	15 / 56	2024-06-17
3.32.2	15 / 56	2024-06-14
3.32.1	15 / 56	2024-05-30
3.32.0	15 / 56	2024-04-02
3.31.0	15 / 56	2024-03-10
3.30.2	15 / 56	2024-03-04