xstate
Finite State Machines and Statecharts for the Modern Web.
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Transition from xstate-release-bot to GitHub Actions is a routine CI bot account change; SLSA provenance confirms legitimate CI/CD publishing. | ai | |
| provenance | missing-githead | AI (provenance): xstate has SLSA provenance attestation; missing gitHead reflects CI pipeline changes, not a security concern for this established package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New files are build artifacts (source maps, chunks) from adding graph entrypoint; normal for xstate's multi-entrypoint build. | ai | |
| phantom-deps | phantom-dep:@vuepress/plugin-google-analytics | AI (phantom-deps): Confirmed not imported at runtime; only referenced in docs build config. Packaging error with no security impact. | ai | |
| dependencies | unvetted-dep:@vuepress/plugin-google-analytics | AI (dependencies): This is a docs tooling dependency accidentally placed in dependencies instead of devDependencies. It is never imported at runtime (confirmed by phantom-dep finding) and poses no security risk. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Used in xstate's JSON deserialization of machine configs with a $function marker — intentional design for serializing state machine functions, not a malicious pattern. | ai | |
| provenance | no-provenance | AI (provenance): xstate is a long-established package (3256 days) with 4.2M weekly downloads; lack of Sigstore provenance is common and not a risk signal for this package. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): Used in xstate's SCXML parser to evaluate SCXML expressions per the W3C SCXML spec — expected and documented behavior for a compliant SCXML implementation. | ai |
Versions (showing 51 of 188)
| Version | Deps | Published |
|---|---|---|
| 5.32.0 | 0 / 5 | |
| 5.31.1 | 0 / 5 | |
| 5.31.0 | 0 / 5 | |
| 5.30.0 | 0 / 5 | |
| 5.29.0 | 0 / 5 | |
| 5.28.0 | 0 / 5 | |
| 5.27.0 | 0 / 5 | |
| 5.26.0 | 0 / 5 | |
| 5.25.1 | 0 / 5 | |
| 5.25.0 | 0 / 5 | |
| 5.24.0 | 0 / 5 | |
| 5.23.0 | 0 / 5 | |
| 5.22.1 | 0 / 5 | |
| 5.22.0 | 0 / 5 | |
| 5.21.0 | 0 / 5 | |
| 5.20.2 | 0 / 5 | |
| 5.20.1 | 0 / 5 | |
| 5.20.0 | 0 / 5 | |
| 5.19.4 | 0 / 6 | |
| 5.19.3 | 0 / 6 | |
| 5.19.2 | 0 / 6 | |
| 5.19.1 | 0 / 6 | |
| 5.19.0 | 0 / 6 | |
| 5.18.2 | 0 / 6 | |
| 5.18.1 | 0 / 6 | |
| 5.18.0 | 0 / 6 | |
| 5.17.4 | 0 / 6 | |
| 5.17.3 | 0 / 6 | |
| 5.17.2 | 0 / 6 | |
| 5.17.1 | 0 / 6 | |
| 5.17.0 | 0 / 6 | |
| 5.16.0 | 0 / 8 | |
| 5.15.0 | 0 / 8 | |
| 5.14.0 | 0 / 8 | |
| 5.13.2 | 0 / 8 | |
| 5.13.1 | 0 / 8 | |
| 5.13.0 | 0 / 8 | |
| 5.12.0 | 0 / 8 | |
| 5.11.0 | 0 / 8 | |
| 5.10.0 | 0 / 8 | |
| 5.9.1 | 0 / 8 | |
| 5.9.0 | 0 / 8 | |
| 5.8.2 | 0 / 8 | |
| 5.8.1 | 0 / 8 | |
| 5.8.0 | 0 / 8 | |
| 5.7.1 | 0 / 8 | |
| 5.7.0 | 0 / 8 | |
| 5.6.2 | 0 / 8 | |
| 5.6.1 | 0 / 8 | |
| 5.6.0 | 0 / 8 | |
| 5.5.2 | 0 / 8 |
v5.32.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.31.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.31.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.29.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.28.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.27.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.26.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.25.1
2 findingsThis version was published by a different npm account than previous versions on 2026-01-15. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.25.0
2 findingsThis version was published by a different npm account than previous versions on 2025-12-10. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.24.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.23.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.22.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.22.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.21.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.20.2
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: xstate-release-bot.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.20.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: xstate-release-bot.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.20.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: xstate-release-bot.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.19.4
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: xstate-release-bot.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.19.3
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: xstate-release-bot.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.19.2
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: xstate-release-bot.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.19.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: xstate-release-bot.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.19.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: xstate-release-bot.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.18.2
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: xstate-release-bot.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.18.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.18.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.17.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.17.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.17.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.17.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.17.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.16.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.15.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.14.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.13.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.13.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.13.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.12.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.11.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.10.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.9.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.9.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.7.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.7.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.5.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.