
mapbox-gl

Versions: 5
License: not shown
Install scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

- No SLSA provenance
- npm registry signatures
- gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

mapbox-npm-01, mapbox-npm-02, mapbox-npm-07, mapbox-npm-03, mapbox-npm-04, mapbox-npm-09, mapbox-npm-05, mapbox-npm-06, mapbox-npm-08, mapbox-npm-advanced-actions, mapbox-npm-ci, mapbox-npm, mapbox-admin, mapbox-machine-user, mbx-npm-ci-staging, mbx-npm-ci-production, mbx-npm-01-production, mbx-npm-02-production, mbx-npm-03-production, mbx-npm-04-production, mbx-npm-05-production, mbx-npm-06-production, mbx-npm-07-production, mbx-npm-08-production, mbx-npm-09-production, mbx-npm-02-staging, mbx-npm-advanced-actions-staging, mbx-npm-advanced-actions-production

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
provenance | publisher-changed | AI (provenance): Both publishers are Mapbox org production accounts (mbx-npm-01/05-production). | ai |
source-diff | obfuscated-file:dist/esm/shared.js | AI (source-diff): Bundled gl-matrix and rendering code; expected for this package. | ai |
source-diff | obfuscated-file:dist/esm/worker.js | AI (source-diff): Bundled worker module; standard build output. | ai |
source-diff | obfuscated-file:dist/esm/core.js | AI (source-diff): Standard Rollup-bundled ESM output for mapbox-gl; stable pattern across versions. | ai |
source-diff | obfuscated-file:dist/esm/hd.worker.js | AI (source-diff): Bundled HD worker module; standard build output. | ai |
publish-pattern | dormant-publish | AI (publish-pattern): Actively maintained package with 279 versions; dormancy heuristic is a false positive. | ai |
source-diff | obfuscated-file:dist/esm/hd.shared.js | AI (source-diff): Bundled HD rendering module; standard build output. | ai |
phantom-deps | phantom-dep:murmurhash-js | AI (phantom-deps): murmurhash-js is a canonical mapbox-gl dependency bundled into dist. | ai |
phantom-deps | phantom-dep:csscolorparser | AI (phantom-deps): csscolorparser is a canonical mapbox-gl dependency bundled into dist. | ai |
phantom-deps | phantom-dep:@mapbox/unitbezier | AI (phantom-deps): unitbezier is a canonical mapbox dependency bundled into dist. | ai |
phantom-deps | phantom-dep:@types/pbf | AI (phantom-deps): Type-only package; phantom detection is expected for @types/* packages. | ai |
phantom-deps | phantom-dep:earcut | AI (phantom-deps): earcut is a well-known triangulation lib bundled into mapbox-gl dist; phantom detection is a false positive here. | ai |
phantom-deps | phantom-dep:@types/geojson-vt | AI (phantom-deps): Type-only package; phantom detection is expected for @types/* packages. | ai |
phantom-deps | phantom-dep:@types/supercluster | AI (phantom-deps): Type-only package; phantom detection is expected for @types/* packages. | ai |
phantom-deps | phantom-dep:martinez-polygon-clipping | AI (phantom-deps): martinez-polygon-clipping is a canonical mapbox-gl dependency bundled into dist. | ai |
phantom-deps | phantom-dep:@types/geojson | AI (phantom-deps): Type-only package; phantom detection is expected for @types/* packages. | ai |
phantom-deps | phantom-dep:tinyqueue | AI (phantom-deps): tinyqueue is a standard priority queue used internally; bundled into dist, not directly imported. | ai |
phantom-deps | phantom-dep:geojson-vt | AI (phantom-deps): geojson-vt is a canonical mapbox-gl dependency bundled into dist. | ai |
phantom-deps | phantom-dep:grid-index | AI (phantom-deps): grid-index is a canonical mapbox-gl dependency bundled into dist. | ai |
phantom-deps | phantom-dep:cheap-ruler | AI (phantom-deps): cheap-ruler is a canonical mapbox-gl dependency bundled into dist. | ai |
phantom-deps | phantom-dep:quickselect | AI (phantom-deps): quickselect is a canonical mapbox-gl dependency bundled into dist. | ai |
phantom-deps | phantom-dep:supercluster | AI (phantom-deps): supercluster is a canonical mapbox-gl dependency bundled into dist. | ai |

Versions (showing 5 of 5)

Version | Deps | Published
3.24.0 | 22 / 69 |
3.23.1 | 23 / 66 |
3.23.0 | 23 / 66 |
3.22.0 | 23 / 66 |
1.13.1 | 23 / 75 |

v3.24.0

7 findings

HIGH [provenance] Publisher changed: mbx-npm-05-production → mbx-npm-01-production (on 2026-05-18)

This version was published by a different npm account than previous versions on 2026-05-18. This could indicate a legitimate maintainer transition or an account compromise.

HIGH [source-diff] New obfuscated file: dist/esm/core.js

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH [source-diff] New obfuscated file: dist/esm/hd.shared.js

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH [source-diff] New obfuscated file: dist/esm/hd.worker.js

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH [source-diff] New obfuscated file: dist/esm/shared.js

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH [source-diff] New obfuscated file: dist/esm/worker.js

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW [provenance] No provenance attestation

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.23.1

7 findings

HIGH [provenance] Publisher changed: mbx-npm-05-production → mbx-npm-07-production (on 2026-05-04)

This version was published by a different npm account than previous versions on 2026-05-04. This could indicate a legitimate maintainer transition or an account compromise.

HIGH [source-diff] New obfuscated file: dist/esm/core.js

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH [source-diff] New obfuscated file: dist/esm/hd.shared.js

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH [source-diff] New obfuscated file: dist/esm/hd.worker.js

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH [source-diff] New obfuscated file: dist/esm/shared.js

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH [source-diff] New obfuscated file: dist/esm/worker.js

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW [provenance] No provenance attestation

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.23.0

7 findings

HIGH [provenance] Publisher changed: mbx-npm-05-production → mbx-npm-04-production (on 2026-04-29)

This version was published by a different npm account than previous versions on 2026-04-29. This could indicate a legitimate maintainer transition or an account compromise.

HIGH [source-diff] New obfuscated file: dist/esm/core.js

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH [source-diff] New obfuscated file: dist/esm/hd.shared.js

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH [source-diff] New obfuscated file: dist/esm/hd.worker.js

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH [source-diff] New obfuscated file: dist/esm/shared.js

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH [source-diff] New obfuscated file: dist/esm/worker.js

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW [provenance] No provenance attestation

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.22.0

1 finding

LOW [provenance] No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.13.1

1 finding

LOW [provenance] No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.