motion-utils
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| bogus-package | bogus-package | AI (bogus-package): motion-utils is a legitimate internal utility sub-package of the Framer Motion ecosystem published by the trusted popmotion org. Metadata gaps (no description, repo, keywords) and version inflation are consistent with monorepo sub-package conventions, not spam/malware. | ai | |
Versions (showing 28 of 28)
| Version | Deps | Published |
|---|---|---|
| 12.39.0 | 0 / 0 | |
| 12.36.0 | 0 / 0 | |
| 12.29.2 | 0 / 0 | |
| 12.27.2 | 0 / 0 | |
| 12.24.10 | 0 / 0 | |
| 12.23.28 | 0 / 0 | |
| 12.23.6 | 0 / 0 | |
| 12.23.2 | 0 / 0 | |
| 12.23.1 | 0 / 0 | |
| 12.19.0 | 0 / 0 | |
| 12.18.2 | 0 / 0 | |
| 12.18.1 | 0 / 0 | |
| 12.12.1 | 0 / 0 | |
| 12.9.4 | 0 / 0 | |
| 12.8.3 | 0 / 0 | |
| 12.7.5 | 0 / 0 | |
| 12.7.2 | 0 / 0 | |
| 12.6.5 | 0 / 0 | |
| 12.6.4 | 0 / 0 | |
| 12.6.3 | 0 / 0 | |
| 12.5.0 | 0 / 0 | |
| 12.4.10 | 0 / 0 | |
| 12.0.0 | 0 / 0 | |
| 11.18.1 | 0 / 0 | |
| 11.16.0 | 0 / 0 | |
| 11.14.3 | 0 / 0 | |
| 11.14.1 | 0 / 0 | |
| 11.13.0 | 0 / 0 | |
v12.39.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.36.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.29.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.27.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.24.10
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.23.28
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.23.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.23.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.23.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.19.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.18.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.18.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.12.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.9.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.8.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.7.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.7.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.6.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.6.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.6.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.5.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.4.10
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.0.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.18.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.16.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.14.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.14.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.13.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.