All @antv/g-device-api versions
@antv/g-device-api @1.8.13
rejected
This version was rejected.
It did not pass GreenFlagged's security review and is not served by the registry.
The findings and risk dispositions below explain why.
100
Risk Score
MIT
License
Yes
Install Scripts
6
Dependencies
50
Dev Dependencies
2702.9 KB
Package Size
Published
A Device API references WebGPU implementations
Maintainers
lviseifreestyle21soundquietelaine.q.10sturubysakuya223serializedowenxdzhaoyangzhanmeiwjgogogoleungwensendoriiaaronyardsimaqdxq613intchoussusan_annjinke.lilzxuearmy8735atoolbaizndengfupingneoddishjeffy2012zqluafc163pomelo-nwukopiluwakyccnuzindexpanyuqibubkoozengyuekasmineboyu.zljl1ud0ngq1newbyvectorwinniexingchenlulikn9117xdddstsemious2020esoranadia_liubbsqqmxz96102openwaynepearminipddpdyiqianyaozhanbacxxxxxnlaixingui.lxgsusiwen8yanxiongzeyuwangrainy25ghzzhangjunjie-lokiflash1yisi.wangdreammy23biupiubiupiubasketduckxuying1027banxuanpearl_wangbqxbqxbqxalex_zjtduxinyue023wang1212leondt1gaofuhong
Keywords
antvg
Dependencies (6)
| Package | Constraint | Registry Status |
|---|---|---|
| bun | ^1.3.13 | auto_approved |
| tslib | ^2.5.3 | auto_approved |
| gl-matrix | ^3.4.3 | auto_approved |
| @antv/util | ^3.3.4 | auto_approved |
| @webgpu/types | ^0.1.34 | auto_approved |
| eventemitter3 | ^5.0.1 | auto_approved |
Dev Dependencies (50)
| Package | Constraint | Registry Status |
|---|---|---|
| gl | ^6.0.2 | No greenflagged match |
| jest | ^29.0.0 | auto_approved |
| vite | ^4.4.9 | No greenflagged match |
| husky | ^7.0.4 | auto_approved |
| pngjs | ^6.0.0 | auto_approved |
| three | ^0.156.0 | No greenflagged match |
| eslint | ^7.32.0 | auto_approved |
| rimraf | ^4.4.1 | auto_approved |
| rollup | ^3.25.1 | No greenflagged match |
| lil-gui | ^0.16.0 | No greenflagged match |
| ndarray | ^1.0.19 | auto_approved |
| ts-jest | ^29.1.0 | auto_approved |
| colormap | latest | auto_approved |
| prettier | ^2.8.8 | auto_approved |
| @types/gl | ^6.0.2 | Not imported |
| dirichlet | latest | Not imported |
| get-pixels | 3.3.3 | auto_approved |
| pixelmatch | 5.3.0 | auto_approved |
| typescript | ^5.2.2 | auto_approved |
| @types/jest | ^26.0.24 | No greenflagged match |
| bit-twiddle | latest | auto_approved |
| case-police | ^0.5.10 | No greenflagged match |
| lint-staged | ^10.5.4 | auto_approved |
| ndarray-ops | latest | auto_approved |
| @types/pngjs | ^6.0.1 | auto_approved |
| @types/three | ^0.156.0 | No greenflagged match |
| @types/webxr | 0.5.5 | No greenflagged match |
| ndarray-fill | latest | Not imported |
| ndarray-pack | latest | auto_approved |
| orbit-camera | latest | Not imported |
| @antv/graphlib | latest | auto_approved |
| @changesets/cli | ^2.26.2 | auto_approved |
| @commitlint/cli | ^8.3.6 | No greenflagged match |
| typedarray-pool | latest | auto_approved |
| @playwright/test | ^1.39.0 | auto_approved |
| markdownlint-cli | ^0.32.2 | No greenflagged match |
| ndarray-gradient | latest | Not imported |
| @types/pixelmatch | ^5.2.4 | No greenflagged match |
| eslint-plugin-jest | 24.3.6 | No greenflagged match |
| @rollup/plugin-babel | ^6.0.3 | auto_approved |
| @rollup/plugin-terser | ^0.4.3 | auto_approved |
| @types/offscreencanvas | ^2019.6.4 | auto_approved |
| @rollup/plugin-commonjs | ^25.0.7 | auto_approved |
| rollup-plugin-visualizer | ^5.9.2 | auto_approved |
| @rollup/plugin-typescript | ^11.1.1 | No greenflagged match |
| @typescript-eslint/parser | ^6.0.0 | auto_approved |
| @commitlint/config-angular | ^9.1.2 | No greenflagged match |
| @rollup/plugin-node-resolve | ^15.1.0 | auto_approved |
| rollup-plugin-polyfill-node | ^0.12.0 | No greenflagged match |
| @typescript-eslint/eslint-plugin | ^6.0.0 | auto_approved |
Transitive Dependency Tree
7 transitive deps
max depth 2
├─
@antv/util
^3.3.4
→ 3.3.11
├─
@webgpu/types
^0.1.34
→ 0.1.71
├─
bun
^1.3.13
→ 1.3.14
├─
eventemitter3
^5.0.1
→ 5.0.4
├─
gl-matrix
^3.4.3
→ 3.4.4
├─
tslib
^2.5.3
→ 2.8.1
├─
fast-deep-equal
^3.1.3
→ 3.1.3
Changes from v1.6.13
Dependency Changes
| Change | Package | Version |
|---|---|---|
| added | bun | ^1.3.13 |
Script Changes
+ preinstallFile Changes
1 added
0 removed
1 modified
size delta: +487.8 KB
Risk Dispositions (0 applicable to this version, 6 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
Show 6 disposition(s) that do not match any finding on this version
| Rule | Source | Disposition | Author | Reason | |
|---|---|---|---|---|---|
install-script:preinstall |
install-scripts | reject | AI | AI (install-scripts): Preinstall runs obfuscated index.js — malicious payload execution on install. | |
obfuscated-file:index.js |
source-diff | reject | AI | AI (source-diff): Obfuscated file is the malware payload; generalizes as a disqualifier for this package. | |
url-dep:@antv/setup |
npm-metadata | reject | AI | AI (npm-metadata): SHA-pinned GitHub optionalDep matching known supply-chain attack pattern. | |
publisher-changed |
provenance | reject | AI | AI (provenance): Publisher change combined with dormancy and malicious payload confirms account takeover. | |
semgrep:obfuscation-while-true |
semgrep | reject | AI | AI (semgrep): Obfuscator signature in preinstall payload; disqualifying for this package. | |
semgrep:env-spread |
semgrep | reject | AI | AI (semgrep): process.env spread in obfuscated preinstall script indicates credential harvesting. |
Review Summary
Risk score: 100 (capped from 354). Findings: 6 critical (+240), 3 high (+75), 3 medium (+30), 3 low (+9).
Published to npm: