sorcery
Resolve a chain of sourcemaps back to the original source
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:base64-decode | AI (semgrep): The base64 decode is a standard Node.js atob polyfill used to decode inline base64-encoded sourcemaps — core functionality for a sourcemap resolution library. | ai | |
| phantom-deps | phantom-dep:minimist | AI (phantom-deps): minimist is used by the CLI binary (bin/sorcery) for argument parsing; legitimate runtime dep not imported in main source files. | ai | |
| phantom-deps | phantom-dep:tiny-glob | AI (phantom-deps): tiny-glob is a legitimate file-globbing utility consistent with sorcery's file-resolution use case; phantom detection is a false positive here. | ai | |
Versions (showing 36 of 36)
| Version | Deps | Published |
|---|---|---|
| 1.0.0 | 3 / 8 | |
| 0.11.1 | 4 / 17 | |
| 0.11.0 | 4 / 17 | |
| 0.10.0 | 4 / 16 | |
| 0.9.4 | 4 / 15 | |
| 0.9.3 | 4 / 15 | |
| 0.9.2 | 4 / 16 | |
| 0.9.1 | 3 / 17 | |
| 0.9.0 | 3 / 17 | |
| 0.8.0 | 4 / 17 | |
| 0.7.0 | 4 / 17 | |
| 0.6.5 | 4 / 17 | |
| 0.6.4 | 4 / 18 | |
| 0.6.3 | 4 / 14 | |
| 0.6.2 | 4 / 14 | |
| 0.6.1 | 4 / 14 | |
| 0.6.0 | 4 / 14 | |
| 0.5.5 | 4 / 14 | |
| 0.5.4 | 4 / 12 | |
| 0.5.3 | 4 / 12 | |
| 0.5.2 | 4 / 12 | |
| 0.5.1 | 4 / 11 | |
| 0.5.0 | 4 / 12 | |
| 0.4.0 | 4 / 12 | |
| 0.3.5 | 4 / 12 | |
| 0.3.4 | 4 / 11 | |
| 0.3.2 | 3 / 11 | |
| 0.3.0 | 3 / 6 | |
| 0.2.5 | 3 / 6 | |
| 0.2.4 | 3 / 3 | |
| 0.2.3 | 3 / 3 | |
| 0.2.2 | 3 / 3 | |
| 0.2.1 | 3 / 3 | |
| 0.2.0 | 3 / 3 | |
| 0.1.1 | 2 / 2 | |
| 0.1.0 | 2 / 2 | |
v1.0.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.