webcrypto-core
Common layer to be used by crypto libraries based on WebCrypto API for input validation.
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): GitHub Actions publish with SLSA attestation explains missing gitHead; stable for this package. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Dormancy consistent with mature low-churn crypto library; SLSA provenance confirms legitimate CI publish. | ai | |
| provenance | publisher-changed | AI (provenance): Migrated to GitHub Actions CI/CD publishing with SLSA provenance; same org (PeculiarVentures). | ai | |
| phantom-deps | phantom-dep:typescript | AI (phantom-deps): TypeScript is used during the install build step (tsc compilation); its presence as a dependency is intentional and legitimate for this package. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): Type definitions package loaded by convention in TypeScript projects; not a security concern. | ai | |
| source-diff | large-new-source-files | AI (source-diff): PeculiarVentures package undergoing legitimate refactor from bundled to modular TypeScript structure; large file additions reflect architectural change, not injected code. | ai | |
| install-scripts | install-script:install | AI (install-scripts): Install script runs 'tsc --module commonjs --target es5' — a pure TypeScript compile step with no network access or arbitrary code execution. Stable pattern for this package. | ai | |
| source-diff | source-size-dropped | AI (source-diff): Build system was refactored (removed build:module, build:types scripts); size drop reflects build output restructuring, not code removal. Legitimate publisher with strong track record. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @typescript/lib-dom is aliased to @types/web, a type-only package for WebCrypto API types. No runtime security risk; benign addition for TypeScript type support. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a well-known TypeScript runtime helper; phantom detection is expected for bundled TypeScript libraries. | ai | |
| phantom-deps | phantom-dep:asn1js | AI (phantom-deps): asn1js is a legitimate ASN.1 parsing library used by this crypto package; referenced in config/rollup rather than direct imports is normal for bundled output. | ai | |
| phantom-deps | phantom-dep:pvtsutils | AI (phantom-deps): pvtsutils is a PeculiarVentures utility library; same publisher as webcrypto-core. Config-only reference is expected for bundled TypeScript output. | ai | |
| phantom-deps | phantom-dep:@peculiar/asn1-schema | AI (phantom-deps): @peculiar/asn1-schema is from the same publisher org; config-only reference is expected for bundled TypeScript output. | ai | |
| phantom-deps | phantom-dep:@peculiar/json-schema | AI (phantom-deps): @peculiar/json-schema is from the same publisher org; config-only reference is expected for bundled TypeScript output. | ai | |
| dependencies | unvetted-dep:@typescript/lib-dom | AI (dependencies): This is a standard TypeScript DOM type aliasing pattern (npm:@types/web) used for WebCrypto API type definitions. Type-only, no runtime security implications. Stable for this package. | ai | |
| phantom-deps | phantom-dep:@typescript/lib-dom | AI (phantom-deps): Referenced in TypeScript config for type resolution only, not directly imported. Expected behavior for this TypeScript type aliasing pattern. Stable for this package. | ai |
Versions (showing 51 of 80)
| Version | Deps | Published |
|---|---|---|
| 1.9.2 | 5 / 9 | |
| 1.9.1 | 5 / 9 | |
| 1.9.0 | 5 / 10 | |
| 1.8.1 | 5 / 13 | |
| 1.8.0 | 5 / 14 | |
| 1.7.9 | 5 / 14 | |
| 1.7.8 | 5 / 14 | |
| 1.7.7 | 5 / 12 | |
| 1.7.6 | 5 / 12 | |
| 1.7.5 | 5 / 12 | |
| 1.7.4 | 5 / 12 | |
| 1.7.3 | 5 / 13 | |
| 1.7.2 | 5 / 13 | |
| 1.7.1 | 6 / 14 | |
| 1.7.0 | 6 / 14 | |
| 1.6.0 | 6 / 13 | |
| 1.5.1 | 6 / 13 | |
| 1.5.0 | 6 / 13 | |
| 1.4.0 | 5 / 12 | |
| 1.3.0 | 5 / 12 | |
| 1.2.1 | 5 / 13 | |
| 1.2.0 | 5 / 13 | |
| 1.1.10 | 5 / 13 | |
| 1.1.9 | 5 / 13 | |
| 1.1.8 | 5 / 13 | |
| 1.1.7 | 5 / 13 | |
| 1.1.6 | 5 / 13 | |
| 1.1.5 | 5 / 13 | |
| 1.1.4 | 5 / 13 | |
| 1.1.3 | 5 / 13 | |
| 1.1.2 | 5 / 13 | |
| 1.1.1 | 5 / 13 | |
| 1.1.0 | 5 / 13 | |
| 1.0.21 | 5 / 12 | |
| 1.0.20 | 5 / 12 | |
| 1.0.19 | 5 / 12 | |
| 1.0.18 | 2 / 12 | |
| 1.0.17 | 2 / 12 | |
| 1.0.16 | 2 / 12 | |
| 1.0.15 | 2 / 11 | |
| 1.0.14 | 2 / 10 | |
| 1.0.13 | 2 / 10 | |
| 1.0.12 | 2 / 10 | |
| 1.0.11 | 2 / 10 | |
| 1.0.10 | 2 / 10 | |
| 1.0.9 | 2 / 10 | |
| 1.0.8 | 2 / 10 | |
| 1.0.7 | 2 / 10 | |
| 1.0.6 | 2 / 9 | |
| 1.0.5 | 2 / 9 | |
| 1.0.4 | 2 / 9 |
v1.9.2
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.9.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.9.0
2 findingsThis version was published by a different npm account than previous versions on 2026-04-30. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.8.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.21
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.20
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.19
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.18
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.17
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.16
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.15
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.14
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.