xstate
Finite State Machines and Statecharts for the Modern Web.
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Transition from xstate-release-bot to GitHub Actions is a routine CI bot account change; SLSA provenance confirms legitimate CI/CD publishing. | ai | |
| provenance | missing-githead | AI (provenance): xstate has SLSA provenance attestation; missing gitHead reflects CI pipeline changes, not a security concern for this established package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New files are build artifacts (source maps, chunks) from adding graph entrypoint; normal for xstate's multi-entrypoint build. | ai | |
| phantom-deps | phantom-dep:@vuepress/plugin-google-analytics | AI (phantom-deps): Confirmed not imported at runtime; only referenced in docs build config. Packaging error with no security impact. | ai | |
| dependencies | unvetted-dep:@vuepress/plugin-google-analytics | AI (dependencies): This is a docs tooling dependency accidentally placed in dependencies instead of devDependencies. It is never imported at runtime (confirmed by phantom-dep finding) and poses no security risk. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Used in xstate's JSON deserialization of machine configs with a $function marker — intentional design for serializing state machine functions, not a malicious pattern. | ai | |
| provenance | no-provenance | AI (provenance): xstate is a long-established package (3256 days) with 4.2M weekly downloads; lack of Sigstore provenance is common and not a risk signal for this package. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): Used in xstate's SCXML parser to evaluate SCXML expressions per the W3C SCXML spec — expected and documented behavior for a compliant SCXML implementation. | ai |
Versions (showing 88 of 188)
| Version | Deps | Published |
|---|---|---|
| 4.25.0 | 0 / 21 | |
| 4.24.1 | 0 / 21 | |
| 4.24.0 | 0 / 21 | |
| 4.23.4 | 0 / 21 | |
| 4.23.3 | 0 / 21 | |
| 4.23.2 | 0 / 21 | |
| 4.23.1 | 0 / 21 | |
| 4.23.0 | 0 / 21 | |
| 4.22.0 | 0 / 20 | |
| 4.20.2 | 0 / 20 | |
| 4.20.1 | 0 / 20 | |
| 4.20.0 | 0 / 20 | |
| 4.19.2 | 0 / 20 | |
| 4.19.1 | 0 / 20 | |
| 4.19.0 | 0 / 20 | |
| 4.18.0 | 0 / 20 | |
| 4.17.1 | 0 / 20 | |
| 4.17.0 | 0 / 20 | |
| 4.16.2 | 0 / 20 | |
| 4.16.1 | 0 / 20 | |
| 4.16.0 | 0 / 20 | |
| 4.15.4 | 0 / 20 | |
| 4.15.3 | 0 / 20 | |
| 4.15.2 | 0 / 20 | |
| 4.15.1 | 0 / 20 | |
| 4.15.0 | 0 / 20 | |
| 4.14.1 | 0 / 20 | |
| 4.14.0 | 0 / 20 | |
| 4.13.0 | 0 / 20 | |
| 4.12.0 | 0 / 20 | |
| 4.11.0 | 0 / 20 | |
| 4.10.0 | 0 / 20 | |
| 4.9.1 | 0 / 20 | |
| 4.9.0 | 0 / 20 | |
| 4.8.0 | 0 / 20 | |
| 4.7.8 | 0 / 20 | |
| 4.7.7 | 0 / 20 | |
| 4.7.6 | 0 / 20 | |
| 4.7.5 | 0 / 20 | |
| 4.7.3 | 0 / 20 | |
| 4.7.2 | 0 / 20 | |
| 4.7.1 | 0 / 20 | |
| 4.7.0 | 0 / 20 | |
| 4.6.7 | 0 / 39 | |
| 4.6.6 | 0 / 39 | |
| 4.6.5 | 0 / 39 | |
| 4.6.4 | 0 / 37 | |
| 4.6.3 | 1 / 36 | |
| 4.6.2 | 0 / 34 | |
| 4.6.1 | 0 / 34 | |
| 4.6.0 | 0 / 33 | |
| 4.5.0 | 0 / 29 | |
| 4.4.0 | 0 / 28 | |
| 4.3.3 | 0 / 26 | |
| 4.3.2 | 0 / 25 | |
| 4.3.1 | 0 / 25 | |
| 4.3.0 | 0 / 25 | |
| 4.2.4 | 0 / 25 | |
| 4.2.3 | 0 / 25 | |
| 4.2.2 | 0 / 25 | |
| 4.2.1 | 0 / 24 | |
| 4.2.0 | 0 / 24 | |
| 4.1.2 | 0 / 25 | |
| 4.1.1 | 0 / 25 | |
| 4.0.1 | 0 / 25 | |
| 4.0.0 | 0 / 25 | |
| 3.3.3 | 0 / 12 | |
| 3.3.2 | 0 / 12 | |
| 3.3.1 | 0 / 12 | |
| 3.3.0 | 0 / 12 | |
| 3.2.1 | 0 / 12 | |
| 3.2.0 | 0 / 12 | |
| 3.1.1 | 0 / 10 | |
| 3.1.0 | 0 / 10 | |
| 3.0.4 | 0 / 10 | |
| 3.0.3 | 0 / 10 | |
| 3.0.2 | 0 / 10 | |
| 3.0.1 | 0 / 10 | |
| 3.0.0 | 0 / 10 | |
| 2.1.0 | 0 / 10 | |
| 2.0.2 | 0 / 10 | |
| 2.0.1 | 0 / 10 | |
| 2.0.0 | 0 / 10 | |
| 1.2.1 | 0 / 9 | |
| 1.1.0 | 0 / 15 | |
| 1.0.2 | 1 / 22 | |
| 1.0.0 | 1 / 22 | |
| 0.0.1 | 0 / 20 |
v4.25.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.24.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.24.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.23.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.23.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.23.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.23.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.23.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.22.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.20.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.20.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.20.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.19.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.19.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.19.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.18.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.17.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.17.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.16.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.16.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.16.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.15.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.15.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.15.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.15.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.15.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.14.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.14.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.13.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.12.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.11.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.10.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.9.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.9.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.8.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.7.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.7.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.7.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.7.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.7.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.7.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.7.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.7.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.5.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.2.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.2.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.2.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.