hammerjs
A javascript library for multi-touch gestures
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:tests/unit/assets/blanket.js | AI (source-diff): blanket.js v1.1.5, a well-known JS code coverage library. Minified as expected. Test asset only, not a runtime dependency. | ai | |
| source-diff | obfuscated-file:tests/unit/assets/underscore.js | AI (source-diff): underscore.js v1.4.4, a well-known utility library. Minified as expected. Test asset only, not a runtime dependency. | ai | |
| source-diff | net-exec-file:tests/unit/assets/jquery.js | AI (source-diff): jQuery's AJAX and dynamic patterns trigger this rule but are standard jQuery behavior. Test asset only, not a runtime dependency. | ai | |
| source-diff | obfuscated-file:tests/unit/assets/jquery.js | AI (source-diff): jQuery v1.9.1 with standard license header. Minified as expected. Test asset only, not a runtime dependency. | ai | |
| source-diff | obfuscated-file:docs/assets/vendor/prettify/prettify-min.js | AI (source-diff): Google Prettify syntax highlighter, minified as expected for a documentation vendor asset. Not a runtime dependency. | ai | |
| source-diff | obfuscated-file:misc/docstheme/assets/vendor/prettify/prettify-min.js | AI (source-diff): Google Prettify syntax highlighter, minified as expected for a documentation vendor asset. Not a runtime dependency. | ai | |
| source-diff | obfuscated-file:tests/manual/assets/js/modernizr.js | AI (source-diff): Canonical Modernizr 2.6.2 build with MIT/BSD license header. Standard browser feature detection library used in test assets. | ai | |
| source-diff | net-exec-file:tests/manual/assets/js/modernizr.js | AI (source-diff): Modernizr uses createElement and browser API checks for feature detection — not network+exec malware. Test asset only. | ai | |
| provenance | no-provenance | AI (provenance): Package is 4803 days old, predates Sigstore provenance; no provenance is expected for this era of publishing. | ai | |
| source-diff | obfuscated-file:examples/assets/js/modernizr.js | AI (source-diff): Modernizr 2.6.2 canonical minified build bundled as an example asset; not runtime code, not malware. | ai | |
| source-diff | net-exec-file:examples/assets/js/modernizr.js | AI (source-diff): Modernizr 2.6.2 canonical build; network/exec pattern is a false positive from the feature-detection library's standard structure. | ai | |
| source-diff | obfuscated-file:tests/libs/jquery.js | AI (source-diff): jQuery v1.9.1 canonical minified build bundled as a test dependency; well-known library, not malware. | ai | |
| source-diff | net-exec-file:tests/libs/jquery.js | AI (source-diff): jQuery v1.9.1 canonical build; network/exec pattern is a false positive from jQuery's standard AJAX and eval-based JSON parsing. | ai | |
| source-diff | obfuscated-file:tests/libs/underscore.js | AI (source-diff): Underscore.js 1.4.4 canonical minified build bundled as a test dependency; well-known library, not malware. | ai | |
| source-diff | net-exec-file:plugins/jquery.hammer.js/tests/jquery.js | AI (source-diff): Flagged file is the standard jQuery 1.10.2 library bundled as a test fixture. Network/eval patterns are intrinsic to jQuery and not malicious; stable false positive for this package. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from jtangelder to arschmitz occurred in April 2016; arschmitz is explicitly listed as a contributor in package.json, confirming a legitimate maintainer transition. Stable for this package. | ai | |
| source-diff | net-exec-file:tests/unit/assets/lodash.compat.js | AI (source-diff): File is the canonical Lo-Dash 2.4.1 utility library bundled as a test asset. Dynamic execution patterns are intrinsic to Lo-Dash, not malicious. Stable false positive for this package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Major version bump (v1.x to v2.0) for a well-established library; large number of new files is expected and consistent with a full rewrite/restructure. | ai | |
Versions (showing 22 of 22)
| Version | Deps | Published |
|---|---|---|
| 2.0.8 | 0 / 14 | |
| 2.0.7 | 0 / 14 | |
| 2.0.6 | 0 / 14 | |
| 2.0.5 | 0 / 12 | |
| 2.0.4 | 0 / 12 | |
| 2.0.3 | 0 / 11 | |
| 2.0.2 | 0 / 11 | |
| 2.0.1 | 0 / 9 | |
| 2.0.0 | 0 / 9 | |
| 1.1.3 | 0 / 12 | |
| 1.1.2 | 0 / 12 | |
| 1.1.1 | 0 / 12 | |
| 1.1.0 | 0 / 11 | |
| 1.0.11 | 0 / 10 | |
| 1.0.10 | 0 / 10 | |
| 1.0.9 | 0 / 9 | |
| 1.0.8 | 0 / 9 | |
| 1.0.6 | 0 / 10 | |
| 1.0.5 | 0 / 9 | |
| 1.0.4 | 0 / 9 | |
| 1.0.3 | 0 / 9 | |
| 1.0.2 | 0 / 8 | |
v2.0.7
2 findings
This version was published by a different npm account than previous versions on 2016-04-21. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.6
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.3
9 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.1
9 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.0
9 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.11
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.10
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.9
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.8
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.6
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.