tscircuit
Make electronics using Typescript, React, and AI tools.
8
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
seveibar
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | source-size-tripled | AI (source-diff): Size increase reflects bundling of many deps into browser/webworker minified artifacts; expected for this package's architecture. | ai | |
| source-diff | net-exec-file:dist/webworker.min.js | AI (source-diff): Legitimate webworker bundle for tscircuit eval; consistent with documented build scripts and package structure. | ai | |
| source-diff | net-exec-file:dist/browser.min.js | AI (source-diff): Legitimate browser bundle exported via package.json exports map; code samples show React/module boilerplate, not malware. | ai | |
| phantom-deps | phantom-dep:@tscircuit/krt-wasm | AI (phantom-deps): Platform-specific binary package; legitimate implicit dependency for this monorepo. | ai | |
| source-diff | encoded-string-file:dist/webworker.min.js | AI (source-diff): Long string is SVG/CSS chart rendering code in a minified webworker bundle, not an obfuscated payload. | ai | |
| dependencies | unvetted-dep:@tscircuit/solver-utils | AI (dependencies): tscircuit first-party package; stable pattern across versions. | ai | |
| phantom-deps | phantom-dep:@rollup/plugin-commonjs | AI (phantom-deps): Build tooling; framework-scoped, loaded by convention. | ai | |
| phantom-deps | phantom-dep:@rollup/plugin-node-resolve | AI (phantom-deps): Build tooling; framework-scoped, loaded by convention. | ai | |
| phantom-deps | phantom-dep:@rollup/plugin-typescript | AI (phantom-deps): Build tooling; framework-scoped, loaded by convention. | ai | |
| phantom-deps | phantom-dep:@rollup/plugin-json | AI (phantom-deps): Build tooling; framework-scoped, loaded by convention. | ai | |
| phantom-deps | phantom-dep:@tscircuit/alphabet | AI (phantom-deps): Newly added tscircuit ecosystem dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:format-si-unit | AI (phantom-deps): Utility dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:debug | AI (phantom-deps): Stable false positive; debug is a transitive runtime dep in this large meta-package. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): Known implicit TypeScript runtime dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:rollup | AI (phantom-deps): Build tool referenced in config; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:comlink | AI (phantom-deps): Used in web worker build; stable false positive. | ai | |
| phantom-deps | phantom-dep:sucrase | AI (phantom-deps): Build-time dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:flatbush | AI (phantom-deps): Transitive spatial indexing dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): Peer/bundled dep for browser build; stable false positive. | ai | |
| phantom-deps | phantom-dep:css-select | AI (phantom-deps): Transitive dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:performance-now | AI (phantom-deps): Polyfill dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:calculate-packing | AI (phantom-deps): Geometry dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:rollup-plugin-dts | AI (phantom-deps): Build tool; stable false positive. | ai | |
| phantom-deps | phantom-dep:svg-path-commander | AI (phantom-deps): SVG utility dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:transformation-matrix | AI (phantom-deps): Math utility dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@tscircuit/runframe | AI (phantom-deps): tscircuit ecosystem dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@tscircuit/soup-util | AI (phantom-deps): tscircuit ecosystem dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@tscircuit/math-utils | AI (phantom-deps): tscircuit ecosystem dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@tscircuit/checks | AI (phantom-deps): tscircuit ecosystem dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@tscircuit/circuit-json-util | AI (phantom-deps): tscircuit ecosystem dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@tscircuit/infgrid-ijump-astar | AI (phantom-deps): tscircuit ecosystem dep; stable false positive. | ai | |
| dependencies | unvetted-dep:minicssgrid | AI (dependencies): tscircuit ecosystem dep; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:bpc-graph | AI (dependencies): tscircuit ecosystem dep; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:poppygl | AI (dependencies): tscircuit ecosystem dep; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:kicadts | AI (dependencies): tscircuit ecosystem dep; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:s-expression | AI (dependencies): tscircuit ecosystem dep; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:jscad-planner | AI (dependencies): tscircuit ecosystem dep; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:circuit-to-svg | AI (dependencies): tscircuit ecosystem dep; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:graphics-debug | AI (dependencies): tscircuit ecosystem dep; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:@resvg/resvg-js | AI (dependencies): Well-known SVG rendering library; stable for this package. | ai | |
| dependencies | unvetted-dep:calculate-elbow | AI (dependencies): tscircuit ecosystem dep; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:@tscircuit/alphabet | AI (dependencies): tscircuit first-party dep; stable. | ai | |
| dependencies | unvetted-dep:@tscircuit/miniflex | AI (dependencies): tscircuit first-party dep; stable. | ai | |
| dependencies | unvetted-dep:circuit-json-to-bpc | AI (dependencies): tscircuit ecosystem dep; stable. | ai | |
| dependencies | unvetted-dep:@tscircuit/matchpack | AI (dependencies): tscircuit first-party dep; stable. | ai | |
| dependencies | unvetted-dep:circuit-json-to-gltf | AI (dependencies): tscircuit ecosystem dep; stable. | ai | |
| dependencies | unvetted-dep:circuit-json-to-spice | AI (dependencies): tscircuit ecosystem dep; stable. | ai | |
| dependencies | unvetted-dep:kicad-to-circuit-json | AI (dependencies): tscircuit ecosystem dep; stable. | ai | |
| dependencies | unvetted-dep:spicey | AI (dependencies): tscircuit ecosystem dep; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:@tscircuit/footprinter | AI (dependencies): tscircuit first-party dep; stable. | ai | |
| dependencies | unvetted-dep:connectivity-map | AI (dependencies): tscircuit ecosystem dep; stable pattern across versions. | ai | |
| source-diff | encoded-string-file:dist/browser.min.js | AI (source-diff): tscircuit ships a minified browser bundle; long strings in dist/browser.min.js are CSS-in-JS and UI code, not malicious payloads. This is stable for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): svg-path-commander is a legitimate SVG utility; @tscircuit/alphabet is a first-party tscircuit package. Both additions are benign for this EDA library. | ai | |
| phantom-deps | phantom-dep:circuit-json | AI (phantom-deps): Bundled meta-package pattern; all @tscircuit ecosystem deps are expected to appear as phantom deps in this umbrella package. | ai | |
| phantom-deps | phantom-dep:react | AI (phantom-deps): Bundled meta-package pattern; react is a legitimate peer/bundled dependency for this EDA toolkit. | ai | |
| phantom-deps | phantom-dep:zod | AI (phantom-deps): tscircuit is a bundled meta-package; phantom deps are expected false positives from the tsup build pattern where deps are bundled rather than directly imported. | ai | |
| phantom-deps | phantom-dep:@tscircuit/footprinter | AI (phantom-deps): Bundled meta-package pattern; legitimate tscircuit scoped dependency. | ai | |
| phantom-deps | phantom-dep:schematic-symbols | AI (phantom-deps): Bundled meta-package pattern; legitimate tscircuit ecosystem dependency. | ai | |
| phantom-deps | phantom-dep:@tscircuit/capacity-autorouter | AI (phantom-deps): Bundled meta-package pattern; legitimate tscircuit scoped dependency. | ai | |
| provenance | no-provenance | AI (provenance): tscircuit is a well-established package (1302 days, 2774 versions); lack of Sigstore provenance is not a security concern for this package. | ai |
Versions (showing 8 of 108)
| Version | Deps | Published |
|---|---|---|
| 0.0.454 | 4 / 5 | |
| 0.0.453 | 4 / 5 | |
| 0.0.452 | 4 / 5 | |
| 0.0.451 | 4 / 5 | |
| 0.0.450 | 4 / 5 | |
| 0.0.449 | 4 / 5 | |
| 0.0.448 | 4 / 5 | |
| 0.0.447 | 4 / 5 |
v0.0.454
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.453
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.452
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.451
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.450
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.449
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.448
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.447
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.