vega-lite — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

jheerdomoritzkanitwarvindsatya1lhermann

Keywords

vegachartvisualization

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:vega-util	AI (dependencies): vega-util is a first-party Vega ecosystem package; a stable, expected dependency of vega-lite across all versions.	ai	2026/04/25
dependencies	unvetted-dep:vega-expression	AI (dependencies): vega-expression is a first-party Vega ecosystem package; a stable, expected dependency of vega-lite across all versions.	ai	2026/04/25
dependencies	unvetted-dep:vega-event-selector	AI (dependencies): vega-event-selector is a first-party Vega ecosystem package; a stable, expected dependency of vega-lite across all versions.	ai	2026/04/25
phantom-deps	phantom-dep:tslib	AI (phantom-deps): tslib is a standard TypeScript runtime helper; its implicit use pattern is well-known and benign for TypeScript-compiled packages.	ai	2026/04/25
phantom-deps	phantom-dep:json-stringify-pretty-compact	AI (phantom-deps): Declared in dependencies and referenced in config files; benign for this package's use case.	ai	2026/04/25

Versions (showing 7 of 7)

Version	Deps	Published
6.4.3	6 / 45	2026-04-24
6.4.2	6 / 43	2026-01-14
6.4.1	6 / 42	2025-09-23
6.4.0	6 / 42	2025-09-17
6.3.1	6 / 42	2025-09-10
6.3.0	6 / 42	2025-09-04
6.2.0	6 / 42	2025-06-27