filestack-js
Official JavaScript library for Filestack
- Versions: 4
- License: MIT
- Install Scripts: No
- Provenance: Missing
Supply chain provenance
Status for the latest visible version.
- No SLSA provenance
- npm registry signatures
- gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
- Maintainers: filestack-dev
- Keywords: filestack, filepicker, upload, files, multipart, S3, transform, cropper, document viewer, images, image processing, file management, universal, isomorphic
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is used solely to read the package's own package.json for version detection — a standard self-versioning pattern, not arbitrary module loading. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): Dependency change is @sentry/minimal -> @sentry/browser, a routine Sentry SDK consolidation. Both are official Sentry packages; no malicious signal. | ai | |
| dependencies | unvetted-dep:ts-node | AI (dependencies): ts-node is listed as a runtime dep but phantom-dep analysis confirms it is not directly imported — only referenced in config files. This is a stable quirk of this package across versions. | ai | |
| phantom-deps | phantom-dep:@babel/runtime | AI (phantom-deps): @babel/runtime is a standard Babel helper package loaded by convention; phantom-dep finding is expected for this type of framework-scoped package. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): The base64 usage is a standard detection idiom (checking if a string is base64-encoded), not obfuscation or payload hiding. Stable false positive for this file upload SDK. | ai | |
| phantom-deps | phantom-dep:follow-redirects | AI (phantom-deps): follow-redirects is a well-known HTTP utility; phantom-dep status indicates it's used transitively, not a security concern. | ai | |
| phantom-deps | phantom-dep:ts-node | AI (phantom-deps): ts-node is a well-known TypeScript tool used in build/config context; its phantom-dep status is a packaging hygiene issue, not a security risk. | ai | |
| phantom-deps | phantom-dep:abab | AI (phantom-deps): abab is a well-known base64/atob polyfill; phantom-dep status is a packaging hygiene issue, not a security risk. | ai | |