three
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:new-function-constructor | AI (semgrep): Used in TSLGraphLoader to compile internally-generated TSL shader graph code — a documented, intentional feature of three.js's shader node system. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): In bundled ecsy.module.js (third-party ECS library in examples/jsm/libs). Eval is part of a devtools inspector connection for executing scripts — legitimate developer tooling pattern. | ai | |
| semgrep | semgrep:toplevel-fetch | AI (semgrep): Fetches a WASM binary from a data URI (not a remote URL) to initialize the MikkTSpace module — standard WASM initialization, no network exfiltration. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Bundled emscripten-compiled Zstandard decompressor (zstddec.module.js). Minified/encoded content is the compiled WASM output — standard practice for bundled native modules. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get() used in a Proxy handler for property delegation in WebGLNodesHandler — standard JavaScript metaprogramming, not obfuscation. | ai | |
| provenance | no-provenance | AI (provenance): three.js is a 13-year-old canonical library published by its original author; lack of Sigstore provenance is not a risk signal for this package. | ai | |
Versions (showing 13 of 13)
| Version | Deps | Published |
|---|---|---|
| 0.184.0 | 0 / 17 | |
| 0.183.2 | 0 / 17 | |
| 0.183.1 | 0 / 17 | |
| 0.183.0 | 0 / 17 | |
| 0.182.0 | 0 / 20 | |
| 0.181.2 | 0 / 17 | |
| 0.181.1 | 0 / 17 | |
| 0.181.0 | 0 / 17 | |
| 0.180.0 | 0 / 21 | |
| 0.179.1 | 0 / 21 | |
| 0.179.0 | 0 / 21 | |
| 0.178.0 | 0 / 21 | |
| 0.177.0 | 0 / 21 | |
Findings per version

| Version | Findings |
|---|---|
| v0.184.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v0.183.2 | 1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v0.183.1 | 1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v0.183.0 | 1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v0.182.0 | 1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v0.181.2 | 1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v0.181.1 | 1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v0.181.0 | 1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v0.180.0 | 1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v0.179.1 | 1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v0.179.0 | 1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v0.178.0 | 1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v0.177.0 | 1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |