@aguspe/tiler-viewer
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/client/viewer-DqTY1Mf2.js | AI (source-diff): Standard Vite minified bundle with accompanying source map; not obfuscation. | ai | |
| source-diff | net-exec-file:dist/client/viewer-DqTY1Mf2.js | AI (source-diff): Network call is a Google Fonts CSS import; dynamic execution is normal browser JS bundle behavior. | ai | |
| source-diff | obfuscated-file:dist/client/viewer-CgOEJB-o.js | AI (source-diff): Vite-bundled React client output; minification is expected for this package's build process. | ai | |
| source-diff | net-exec-file:dist/client/viewer-CgOEJB-o.js | AI (source-diff): Network+exec pattern in a React browser bundle is standard (fetch + dynamic imports); not dropper behavior. | ai | |
| source-diff | net-exec-file:dist/client/viewer-338qH44f.js | AI (source-diff): Bundled React viewer; network+exec pattern is normal for client-side SPA code. | ai | |
| source-diff | obfuscated-file:dist/client/viewer-338qH44f.js | AI (source-diff): Vite-bundled client JS with source map; minification is expected for this package. | ai | |
| source-diff | net-exec-file:dist/client/viewer-CaS_s40N.js | AI (source-diff): Network call is a Google Fonts CSS import in a browser bundle; no dynamic code execution of remote content. | ai | |
| source-diff | obfuscated-file:dist/client/viewer-CaS_s40N.js | AI (source-diff): Standard Vite-minified client bundle for a React app; source map is included and content is benign CSS/UI code. | ai | |
| source-diff | net-exec-file:dist/client/viewer-BolslLtr.js | AI (source-diff): Network call is a Google Fonts CSS import from the bundler; no dynamic code execution present. | ai | |
| source-diff | obfuscated-file:dist/client/viewer-BolslLtr.js | AI (source-diff): Standard Vite-minified client bundle with source map; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/client/viewer-BlW8xPdj.js | AI (source-diff): Vite-minified client bundle; content is CSS/UI code, not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/client/viewer-BlW8xPdj.js | AI (source-diff): Network reference is a Google Fonts stylesheet import in a browser bundle; no dynamic code execution pattern. | ai | |
| source-diff | net-exec-file:dist/client/viewer-CI7nZwbv.js | AI (source-diff): Network call is a Google Fonts CSS import; no dynamic code execution beyond normal React hydration. | ai | |
| source-diff | obfuscated-file:dist/client/viewer-CI7nZwbv.js | AI (source-diff): Vite-minified client bundle for a React viewer; long lines are standard bundler output, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/client/viewer-DXSIEC3U.js | AI (source-diff): Network call is Google Fonts CSS import; dynamic code is standard DOM/React hydration, not a dropper. | ai | |
| source-diff | obfuscated-file:dist/client/viewer-DXSIEC3U.js | AI (source-diff): Vite-minified client bundle; long lines are CSS design tokens, not obfuscation. | ai | |
| phantom-deps | phantom-dep:@aguspe/tiler-widgets | AI (phantom-deps): Same-org dependency used transitively via bundled output; stable false positive for this package. | ai | |
| source-diff | net-exec-file:dist/client/viewer-oA3ShJCD.js | AI (source-diff): Network+exec pattern in React client bundle is expected for a browser-side viewer app; no dropper behavior present. | ai | |
| source-diff | obfuscated-file:dist/client/viewer-oA3ShJCD.js | AI (source-diff): Minified Vite/React production bundle; standard build artifact for this SSR viewer package. | ai |
Versions (showing 18 of 18)
| Version | Deps | Published |
|---|---|---|
| 1.1.13 | 2 / 14 | |
| 1.1.12 | 2 / 14 | |
| 1.1.11 | 2 / 14 | |
| 1.1.10 | 2 / 14 | |
| 1.1.9 | 2 / 14 | |
| 1.1.8 | 2 / 14 | |
| 1.1.7 | 2 / 14 | |
| 1.1.6 | 2 / 14 | |
| 1.1.5 | 2 / 14 | |
| 1.1.4 | 2 / 14 | |
| 1.1.3 | 2 / 14 | |
| 1.1.2 | 2 / 14 | |
| 1.1.1 | 2 / 14 | |
| 1.1.0 | 2 / 14 | |
| 1.0.3 | 2 / 14 | |
| 1.0.2 | 2 / 14 | |
| 1.0.1 | 2 / 14 | |
| 1.0.0 | 2 / 14 |
v1.1.13
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.12
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.11
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.10
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.9
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.8
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.7
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.6
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.5
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.4
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.3
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.