motion-dom
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| bogus-package | bogus-package | AI (bogus-package): motion-dom is a legitimate high-traffic sub-package of the Motion library ecosystem published by the trusted popmotion account. Metadata gaps and inflated semver reflect monorepo extraction patterns, not spam/malware. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Established package with 34M+ weekly downloads; missing description is a metadata hygiene issue, not a security signal. | ai | |
| source-diff | obfuscated-file:dist/size-rollup-motion-value.js | AI (source-diff): Minified rollup bundle for size measurement, listed in bundlesize config. Standard animation library code, no suspicious patterns. | ai | |
| source-diff | obfuscated-file:dist/size-rollup-style-effect.js | AI (source-diff): Minified rollup bundle for size measurement, listed in bundlesize config. Standard animation library code, no suspicious patterns. | ai | |
| source-diff | obfuscated-file:dist/index.d.ts | AI (source-diff): TypeScript declaration file with long SVG attribute type definitions. Not obfuscated, just extensive type unions. | ai |
Versions (showing 51 of 131)
| Version | Deps | Published |
|---|---|---|
| 12.40.0 | 1 / 0 | |
| 12.39.0 | 1 / 0 | |
| 12.38.0 | 1 / 0 | |
| 12.37.0 | 1 / 0 | |
| 12.36.0 | 1 / 0 | |
| 12.35.2 | 1 / 0 | |
| 12.35.1 | 1 / 0 | |
| 12.35.0 | 1 / 0 | |
| 12.34.5 | 1 / 0 | |
| 12.34.3 | 1 / 0 | |
| 12.34.2 | 1 / 0 | |
| 12.34.1 | 1 / 0 | |
| 12.34.0 | 1 / 0 | |
| 12.33.2 | 1 / 0 | |
| 12.33.0 | 1 / 0 | |
| 12.32.0 | 1 / 0 | |
| 12.31.3 | 1 / 0 | |
| 12.31.2 | 1 / 0 | |
| 12.30.1 | 1 / 0 | |
| 12.30.0 | 1 / 0 | |
| 12.29.2 | 1 / 0 | |
| 12.29.0 | 1 / 0 | |
| 12.28.2 | 1 / 0 | |
| 12.28.1 | 1 / 0 | |
| 12.27.5 | 1 / 0 | |
| 12.27.4 | 1 / 0 | |
| 12.27.2 | 1 / 0 | |
| 12.27.1 | 1 / 0 | |
| 12.27.0 | 1 / 0 | |
| 12.26.2 | 1 / 0 | |
| 12.24.11 | 1 / 0 | |
| 12.24.10 | 1 / 0 | |
| 12.24.8 | 1 / 0 | |
| 12.24.3 | 1 / 0 | |
| 12.24.0 | 1 / 0 | |
| 12.23.28 | 1 / 0 | |
| 12.23.23 | 1 / 0 | |
| 12.23.21 | 1 / 0 | |
| 12.23.20 | 1 / 0 | |
| 12.23.19 | 1 / 0 | |
| 12.23.18 | 1 / 0 | |
| 12.23.12 | 1 / 0 | |
| 12.23.9 | 1 / 0 | |
| 12.23.7 | 1 / 0 | |
| 12.23.6 | 1 / 0 | |
| 12.23.5 | 1 / 0 | |
| 12.23.2 | 1 / 0 | |
| 12.23.1 | 1 / 0 | |
| 12.22.0 | 1 / 0 | |
| 12.20.5 | 1 / 0 | |
| 12.20.3 | 1 / 0 |
v12.40.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.39.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.38.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.37.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.36.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.35.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.35.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.35.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.34.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.34.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.34.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.34.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.34.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.33.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.33.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.32.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.31.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.31.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.30.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.30.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.29.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.29.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.28.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.28.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.27.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.27.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.27.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.27.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.27.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.26.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.24.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.24.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.24.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.24.3
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.24.0
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.23.28
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.23.23
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.23.21
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.23.20
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.23.19
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.23.18
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.23.12
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.23.9
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.23.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.23.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.23.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.23.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.23.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.22.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.20.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.20.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.