@actual-app/web
Actual on the web
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:build/static/js/ReportRouter.DZ2C94Cy.chunk.js | AI (source-diff): Standard Vite minified chunk; imports are clearly named React/app modules. | ai | |
| source-diff | obfuscated-file:build/static/js/Value.BytJXiib.chunk.js | AI (source-diff): Standard Vite minified chunk; imports are clearly named React/app modules. | ai | |
| source-diff | net-exec-file:build/static/js/Value.BytJXiib.chunk.js | AI (source-diff): Vite build artifact; network calls are app-level fetch, not dropper behavior. | ai | |
| source-diff | net-exec-file:build/kcab/kcab.worker.BxG26swk.js | AI (source-diff): Rolldown worker bundle for absurd-sql/KCAB; standard build output for this package. | ai | |
| source-diff | obfuscated-file:build/static/js/chart-theme.DIYMvoov.chunk.js | AI (source-diff): Standard Vite minified chunk for chart theme component. | ai | |
| source-diff | net-exec-file:build/static/js/chart-theme.DIYMvoov.chunk.js | AI (source-diff): Vite build artifact; not dropper behavior. | ai | |
| source-diff | obfuscated-file:build/static/js/extends.B4LxODoX.chunk.js | AI (source-diff): Standard Vite minified chunk. | ai | |
| source-diff | obfuscated-file:build/static/js/index.CIcGifLe.js | AI (source-diff): Standard Vite minified entry bundle. | ai | |
| source-diff | obfuscated-file:build/static/js/narrow.D2jKRljJ.chunk.js | AI (source-diff): Standard Vite minified chunk. | ai | |
| source-diff | obfuscated-file:build/static/js/ScheduleEditForm.BXXG23Sk.chunk.js | AI (source-diff): Standard Vite minified chunk. | ai | |
| source-diff | obfuscated-file:build/static/js/TransactionEdit.D_A_Dmhn.chunk.js | AI (source-diff): Standard Vite minified chunk. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Established open-source project; README and metadata signals are false positives. | ai | |
| source-diff | obfuscated-file:build/static/js/ReportRouter.CSslilBc.chunk.js | AI (source-diff): Standard Vite build output; minified ES module chunks are expected for this web app package. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher is GitHub Actions CI with SLSA provenance attestation; automated publishing is expected for this project. | ai | |
| source-diff | obfuscated-file:build/static/js/ScheduleEditForm.CCO05hlt.chunk.js | AI (source-diff): Standard Vite build output; minified ES module chunks are expected for this web app package. | ai | |
| source-diff | obfuscated-file:build/static/js/TransactionEdit.CfIQzCoh.chunk.js | AI (source-diff): Standard Vite build output; minified ES module chunks are expected for this web app package. | ai | |
| source-diff | obfuscated-file:build/static/js/Value.CF-3_RXM.chunk.js | AI (source-diff): Standard Vite build output; minified ES module chunks are expected for this web app package. | ai | |
| source-diff | obfuscated-file:build/static/js/chart-theme.2NQOy8Lq.chunk.js | AI (source-diff): Standard Vite build output; minified ES module chunks are expected for this web app package. | ai | |
| source-diff | obfuscated-file:build/static/js/extends.RRv7gyle.chunk.js | AI (source-diff): Standard Vite build output; minified ES module chunks are expected for this web app package. | ai | |
| source-diff | obfuscated-file:build/static/js/index.BFVNfkrn.js | AI (source-diff): Standard Vite build output; minified ES module chunks are expected for this web app package. | ai | |
| source-diff | obfuscated-file:build/static/js/indexeddb-main-thread-worker-e59fee74.xguYkce3.chunk.js | AI (source-diff): Standard Vite build output; minified ES module chunks are expected for this web app package. | ai | |
| source-diff | obfuscated-file:build/static/js/narrow.ChOmIrMx.chunk.js | AI (source-diff): Standard Vite build output; minified ES module chunks are expected for this web app package. | ai | |
| source-diff | net-exec-file:build/kcab/kcab.worker.tCyo0gRC.js | AI (source-diff): Rolldown/Vite worker bundle for the budget backend; network calls are IndexedDB/fetch for local budget data, not exfiltration. | ai | |
| source-diff | net-exec-file:build/static/js/Value.CF-3_RXM.chunk.js | AI (source-diff): Standard Vite chunk with vitePreload (lazy loading); not a dropper. | ai | |
| source-diff | net-exec-file:build/static/js/chart-theme.2NQOy8Lq.chunk.js | AI (source-diff): Standard Vite chunk with vitePreload (lazy loading); not a dropper. | ai | |
Versions (showing 9 of 9)
| Version | Deps | Published |
|---|---|---|
| 26.5.2 | 0 / 81 | |
| 26.5.0 | 0 / 80 | |
| 26.4.0 | 0 / 82 | |
| 26.3.0 | 0 / 81 | |
| 26.2.1 | 0 / 77 | |
| 26.2.0 | 0 / 77 | |
| 26.1.0 | 0 / 78 | |
| 25.12.0 | 0 / 78 | |
| 25.11.0 | 0 / 78 | |
v26.5.2
12 findings:
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware. (3 files)
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (8 files)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.5.0
14 findings:
- This version was published by a different npm account than previous versions on 2026-05-03. This could indicate a legitimate maintainer transition or an account compromise.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware. (3 files)
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (9 files)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.4.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v26.3.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v26.2.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v26.2.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v26.1.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v25.12.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v25.11.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.