filestack-js
Official JavaScript library for Filestack
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is used solely to read the package's own package.json for version detection — a standard self-versioning pattern, not arbitrary module loading. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): Dependency change is @sentry/minimal -> @sentry/browser, a routine Sentry SDK consolidation. Both are official Sentry packages; no malicious signal. | ai | |
| dependencies | unvetted-dep:ts-node | AI (dependencies): ts-node is listed as a runtime dep but phantom-dep analysis confirms it is not directly imported — only referenced in config files. This is a stable quirk of this package across versions. | ai | |
| phantom-deps | phantom-dep:@babel/runtime | AI (phantom-deps): @babel/runtime is a standard Babel helper package loaded by convention; phantom-dep finding is expected for this type of framework-scoped package. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): The base64 usage is a standard detection idiom (checking if a string is base64-encoded), not obfuscation or payload hiding. Stable false positive for this file upload SDK. | ai | |
| phantom-deps | phantom-dep:follow-redirects | AI (phantom-deps): follow-redirects is a well-known HTTP utility; phantom-dep status indicates it's used transitively, not a security concern. | ai | |
| phantom-deps | phantom-dep:ts-node | AI (phantom-deps): ts-node is a well-known TypeScript tool used in build/config context; its phantom-dep status is a packaging hygiene issue, not a security risk. | ai | |
| phantom-deps | phantom-dep:abab | AI (phantom-deps): abab is a well-known base64/atob polyfill; phantom-dep status is a packaging hygiene issue, not a security risk. | ai |
Versions (showing 100 of 206)
| Version | Deps | Published |
|---|---|---|
| 3.3.0 | 12 / 48 | |
| 3.2.0 | 12 / 48 | |
| 3.1.1 | 12 / 48 | |
| 3.1.0 | 12 / 48 | |
| 3.0.0 | 13 / 48 | |
| 2.1.0 | 10 / 68 | |
| 2.0.7 | 10 / 68 | |
| 2.0.6 | 10 / 68 | |
| 2.0.5 | 10 / 68 | |
| 2.0.4 | 10 / 68 | |
| 2.0.3 | 10 / 68 | |
| 2.0.2 | 10 / 68 | |
| 2.0.1 | 10 / 68 | |
| 2.0.0 | 10 / 68 | |
| 1.14.6 | 10 / 66 | |
| 1.14.5 | 10 / 66 | |
| 1.14.4 | 10 / 66 | |
| 1.14.3 | 10 / 66 | |
| 1.14.2 | 10 / 66 | |
| 1.14.1 | 10 / 66 | |
| 1.14.0 | 10 / 66 | |
| 1.13.4 | 10 / 66 | |
| 1.13.3 | 10 / 66 | |
| 1.13.2 | 10 / 63 | |
| 1.13.1 | 10 / 63 | |
| 1.13.0 | 10 / 63 | |
| 1.12.1 | 10 / 63 | |
| 1.12.0 | 10 / 63 | |
| 1.11.0 | 10 / 63 | |
| 1.10.0 | 10 / 63 | |
| 1.9.0 | 10 / 63 | |
| 1.8.3 | 10 / 63 | |
| 1.8.2 | 10 / 63 | |
| 1.8.1 | 10 / 63 | |
| 1.8.0 | 9 / 64 | |
| 1.7.7 | 11 / 58 | |
| 1.7.6 | 11 / 58 | |
| 1.7.5 | 11 / 58 | |
| 1.7.4 | 11 / 58 | |
| 1.7.3 | 11 / 58 | |
| 1.7.2 | 11 / 58 | |
| 1.7.1 | 11 / 58 | |
| 1.7.0 | 11 / 58 | |
| 1.6.1 | 11 / 58 | |
| 1.6.0 | 11 / 58 | |
| 1.5.1 | 11 / 58 | |
| 1.5.0 | 11 / 58 | |
| 1.4.1 | 8 / 59 | |
| 1.4.0 | 8 / 59 | |
| 1.3.2 | 8 / 59 | |
| 1.3.1 | 8 / 59 | |
| 1.3.0 | 8 / 59 | |
| 1.2.1 | 8 / 59 | |
| 1.2.0 | 8 / 59 | |
| 1.0.2 | 8 / 59 | |
| 1.0.1 | 8 / 59 | |
| 1.0.0 | 8 / 59 | |
| 0.11.5 | 0 / 25 | |
| 0.11.4 | 0 / 25 | |
| 0.11.2 | 0 / 25 | |
| 0.11.1 | 0 / 25 | |
| 0.10.1 | 0 / 25 | |
| 0.10.0 | 0 / 25 | |
| 0.9.12 | 0 / 25 | |
| 0.9.11 | 0 / 25 | |
| 0.9.10 | 0 / 25 | |
| 0.9.9 | 0 / 25 | |
| 0.9.8 | 0 / 25 | |
| 0.9.7 | 0 / 25 | |
| 0.9.6 | 0 / 25 | |
| 0.9.5 | 0 / 24 | |
| 0.9.4 | 0 / 24 | |
| 0.9.3 | 0 / 24 | |
| 0.9.2 | 0 / 24 | |
| 0.9.1 | 0 / 24 | |
| 0.9.0 | 0 / 24 | |
| 0.8.5 | 0 / 24 | |
| 0.8.4 | 0 / 24 | |
| 0.8.3 | 0 / 24 | |
| 0.8.2 | 0 / 24 | |
| 0.8.1 | 0 / 24 | |
| 0.8.0 | 0 / 24 | |
| 0.7.1 | 0 / 24 | |
| 0.7.0 | 0 / 24 | |
| 0.6.3 | 0 / 28 | |
| 0.6.2 | 0 / 28 | |
| 0.6.1 | 0 / 28 | |
| 0.6.0 | 0 / 28 | |
| 0.5.2 | 4 / 23 | |
| 0.5.1 | 4 / 23 | |
| 0.5.0 | 4 / 23 | |
| 0.4.2 | 3 / 23 | |
| 0.4.1 | 3 / 23 | |
| 0.3.2 | 3 / 23 | |
| 0.3.1 | 3 / 23 | |
| 0.3.0 | 3 / 23 | |
| 0.2.1 | 3 / 23 | |
| 0.2.0 | 3 / 23 | |
| 0.1.12 | 3 / 23 | |
| 0.1.11 | 3 / 23 |
v3.3.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.2.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.1.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.