webcrypto-core — Greenflagged

Common layer to be used by crypto libraries based on WebCrypto API for input validation.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

peculiarventuresmicroshine

Keywords

webcryptocryptopolyfillaesrsashaecshake

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	missing-githead	AI (provenance): GitHub Actions publish with SLSA attestation explains missing gitHead; stable for this package.	ai	2026/05/15
publish-pattern	dormant-publish	AI (publish-pattern): Dormancy consistent with mature low-churn crypto library; SLSA provenance confirms legitimate CI publish.	ai	2026/04/30
provenance	publisher-changed	AI (provenance): Migrated to GitHub Actions CI/CD publishing with SLSA provenance; same org (PeculiarVentures).	ai	2026/04/30
phantom-deps	phantom-dep:typescript	AI (phantom-deps): TypeScript is used during the install build step (tsc compilation); its presence as a dependency is intentional and legitimate for this package.	ai	2026/04/24
phantom-deps	phantom-dep:@types/node	AI (phantom-deps): Type definitions package loaded by convention in TypeScript projects; not a security concern.	ai	2026/04/24
source-diff	large-new-source-files	AI (source-diff): PeculiarVentures package undergoing legitimate refactor from bundled to modular TypeScript structure; large file additions reflect architectural change, not injected code.	ai	2026/04/24
install-scripts	install-script:install	AI (install-scripts): Install script runs 'tsc --module commonjs --target es5' — a pure TypeScript compile step with no network access or arbitrary code execution. Stable pattern for this package.	ai	2026/04/24
source-diff	source-size-dropped	AI (source-diff): Build system was refactored (removed build:module, build:types scripts); size drop reflects build output restructuring, not code removal. Legitimate publisher with strong track record.	ai	2026/04/24
publish-pattern	new-deps-added	AI (publish-pattern): @typescript/lib-dom is aliased to @types/web, a type-only package for WebCrypto API types. No runtime security risk; benign addition for TypeScript type support.	ai	2026/04/24
phantom-deps	phantom-dep:tslib	AI (phantom-deps): tslib is a well-known TypeScript runtime helper; phantom detection is expected for bundled TypeScript libraries.	ai	2026/04/24
phantom-deps	phantom-dep:asn1js	AI (phantom-deps): asn1js is a legitimate ASN.1 parsing library used by this crypto package; referenced in config/rollup rather than direct imports is normal for bundled output.	ai	2026/04/24
phantom-deps	phantom-dep:pvtsutils	AI (phantom-deps): pvtsutils is a PeculiarVentures utility library; same publisher as webcrypto-core. Config-only reference is expected for bundled TypeScript output.	ai	2026/04/24
phantom-deps	phantom-dep:@peculiar/asn1-schema	AI (phantom-deps): @peculiar/asn1-schema is from the same publisher org; config-only reference is expected for bundled TypeScript output.	ai	2026/04/24
phantom-deps	phantom-dep:@peculiar/json-schema	AI (phantom-deps): @peculiar/json-schema is from the same publisher org; config-only reference is expected for bundled TypeScript output.	ai	2026/04/24
dependencies	unvetted-dep:@typescript/lib-dom	AI (dependencies): This is a standard TypeScript DOM type aliasing pattern (npm:@types/web) used for WebCrypto API type definitions. Type-only, no runtime security implications. Stable for this package.	ai	2026/04/24
phantom-deps	phantom-dep:@typescript/lib-dom	AI (phantom-deps): Referenced in TypeScript config for type resolution only, not directly imported. Expected behavior for this TypeScript type aliasing pattern. Stable for this package.	ai	2026/04/24

Versions (showing 80 of 80)

Version	Deps	Published
1.9.2	5 / 9	2026-05-01
1.9.1	5 / 9	2026-05-01
1.9.0	5 / 10	2026-04-30
1.8.1	5 / 13	2024-10-08
1.8.0	5 / 14	2024-05-28
1.7.9	5 / 14	2024-03-28
1.7.8	5 / 14	2024-01-22
1.7.7	5 / 12	2023-03-21
1.7.6	5 / 12	2023-02-10
1.7.5	5 / 12	2022-05-12
1.7.4	5 / 12	2022-05-12
1.7.3	5 / 13	2022-03-31
1.7.2	5 / 13	2022-03-25
1.7.1	6 / 14	2022-03-07
1.7.0	6 / 14	2022-03-04
1.6.0	6 / 13	2022-03-02
1.5.1	6 / 13	2022-03-02
1.5.0	6 / 13	2022-03-02
1.4.0	5 / 12	2021-11-24
1.3.0	5 / 12	2021-10-26
1.2.1	5 / 13	2021-08-31
1.2.0	5 / 13	2021-02-03
1.1.10	5 / 13	2021-02-01
1.1.9	5 / 13	2021-01-26
1.1.8	5 / 13	2020-09-10
1.1.7	5 / 13	2020-09-10
1.1.6	5 / 13	2020-08-10
1.1.5	5 / 13	2020-08-10
1.1.4	5 / 13	2020-08-10
1.1.3	5 / 13	2020-08-10
1.1.2	5 / 13	2020-06-16
1.1.1	5 / 13	2020-05-11
1.1.0	5 / 13	2020-05-07
1.0.21	5 / 12	2020-04-20
1.0.20	5 / 12	2020-04-18
1.0.19	5 / 12	2020-04-06
1.0.18	2 / 12	2020-03-16
1.0.17	2 / 12	2019-12-16
1.0.16	2 / 12	2019-12-16
1.0.15	2 / 11	2019-12-05
1.0.14	2 / 10	2019-09-04
1.0.13	2 / 10	2019-09-04
1.0.12	2 / 10	2019-04-11
1.0.11	2 / 10	2019-03-22
1.0.10	2 / 10	2019-03-02
1.0.9	2 / 10	2019-03-02
1.0.8	2 / 10	2019-03-02
1.0.7	2 / 10	2019-02-25
1.0.6	2 / 9	2019-02-21
1.0.5	2 / 9	2019-02-19
1.0.4	2 / 9	2019-02-14
1.0.3	2 / 9	2019-02-14
1.0.2	2 / 9	2019-02-13
1.0.1	2 / 9	2019-01-25
0.1.27	1 / 7	2020-04-20
0.1.26	1 / 7	2018-12-14
0.1.25	1 / 7	2018-10-23
0.1.24	1 / 7	2018-10-17
0.1.22	1 / 7	2018-05-14
0.1.21	1 / 7	2018-03-27
0.1.20	1 / 7	2018-03-27
0.1.19	1 / 7	2018-02-06
0.1.18	1 / 7	2018-01-01
0.1.17	1 / 7	2017-09-01
0.1.16	2 / 9	2017-05-28
0.1.15	2 / 9	2017-04-27
0.1.14	2 / 9	2017-04-06
0.1.13	2 / 9	2017-02-25
0.1.12	2 / 9	2017-02-25
0.1.11	2 / 9	2017-02-14
0.1.10	3 / 6	2017-02-03
0.1.9	3 / 5	2017-02-02
0.1.8	3 / 5	2017-02-02
0.1.7	2 / 5	2017-01-04
0.1.6	2 / 5	2016-12-27
0.1.5	2 / 5	2016-12-25
0.1.4	2 / 5	2016-12-25
0.1.3	2 / 5	2016-11-23
0.1.2	0 / 8	2016-10-11
0.1.0	0 / 3	2016-09-25

v1.9.2

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.9.1

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.9.0

2 findings

HIGH Publisher changed: microshine → GitHub Actions (on 2026-04-30) provenance

This version was published by a different npm account than previous versions on 2026-04-30. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.