All @antv/s2 versions

@antv/s2 @2.8.1

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
100
Risk Score
MIT
License
No
Install Scripts
9
Dependencies
4
Dev Dependencies
3865.6 KB
Package Size
Published

effective spreadsheet render core lib

Maintainers

lviseifreestyle21soundquietelaine.q.10sturubysakuya223serializedowenxdzhaoyangzhanmeiwjgogogoleungwensendoriiaaronyardsimaqdxq613intchoussusan_annjinke.lilzxuearmy8735atoolbaizndengfupingneoddishjeffy2012zqluafc163pomelo-nwukopiluwakyccnuzindexpanyuqibubkoozengyuekasmineboyu.zljl1ud0ngq1newbyvectorwinniexingchenlulikn9117xdddstsemious2020esoranadia_liubbsqqmxz96102openwaynepearminipddpdyiqianyaozhanbacxxxxxnlaixingui.lxgsusiwen8yanxiongzeyuwangrainy25ghzzhangjunjie-lokiflash1yisi.wangdreammy23biupiubiupiubasketduckxuying1027banxuanpearl_wangbqxbqxbqxalex_zjtduxinyue023wang1212leondt1gaofuhong

Keywords

antvs2S2s2-corespreadsheetpivot tabletable

Dependencies (9)

PackageConstraintRegistry Status
flru ^1.0.2 auto_approved
lodash ^4.17.21 auto_approved
@antv/g ^6.3.1 auto_approved
decimal.js ^10.5.0 auto_approved
tinycolor2 ^1.6.0 auto_approved
@antv/g-lite ^2.7.0 auto_approved
@antv/vendor ^1.0.11 auto_approved
@antv/g-canvas ^2.2.0 auto_approved
@antv/event-emitter ^0.1.3 auto_approved

Dev Dependencies (4)

PackageConstraintRegistry Status
csstype ^3.1.3 auto_approved
@antv/g2 ^5.3.3 auto_approved
@types/tinycolor2 ^1.4.6 auto_approved
@testing-library/dom ^10.4.0 auto_approved

Transitive Dependency Tree

67 transitive deps max depth 4
  ├─ @antv/event-emitter ^0.1.3 → 0.1.3
  ├─ @antv/g ^6.3.1 → 6.3.1
  ├─ @antv/g-canvas ^2.2.0 → 2.2.0
  ├─ @antv/g-lite ^2.7.0 → 2.7.0
  ├─ @antv/vendor ^1.0.11 → 1.0.11
  ├─ decimal.js ^10.5.0 → 10.6.0
  ├─ flru ^1.0.2 → 1.0.2
  ├─ lodash ^4.17.21 → 4.18.1
├─ tinycolor2 ^1.6.0 → 1.6.0
  ├─ @antv/g-math 3.1.0 → 3.1.0
  ├─ @antv/util ^3.3.5 → 3.3.11
  ├─ @babel/runtime ^7.25.6 → 7.29.7
  ├─ @types/d3-array ^3.2.1 → 3.2.2
  ├─ @types/d3-color ^3.1.3 → 3.1.3
  ├─ @types/d3-dispatch ^3.0.6 → 3.0.7
  ├─ @types/d3-dsv ^3.0.7 → 3.0.7
  ├─ @types/d3-ease ^3.0.2 → 3.0.2
  ├─ @types/d3-fetch ^3.0.7 → 3.0.7
  ├─ @types/d3-force ^3.0.10 → 3.0.10
  ├─ @types/d3-format ^3.0.4 → 3.0.4
  ├─ @types/d3-geo ^3.1.0 → 3.1.0
  ├─ @types/d3-hierarchy ^3.1.7 → 3.1.7
  ├─ @types/d3-interpolate ^3.0.4 → 3.0.4
  ├─ @types/d3-path ^3.1.0 → 3.1.1
  ├─ @types/d3-quadtree ^3.0.6 → 3.0.6
  ├─ @types/d3-random ^3.0.3 → 3.0.3
  ├─ @types/d3-scale ^4.0.9 → 4.0.9
  ├─ @types/d3-scale-chromatic ^3.1.0 → 3.1.0
  ├─ @types/d3-shape ^3.1.7 → 3.1.8
  ├─ @types/d3-time ^3.0.4 → 3.0.4
  ├─ @types/d3-timer ^3.0.2 → 3.0.2
  ├─ d3-array ^3.2.4
  ├─ d3-color ^3.1.0 → 3.1.0
  ├─ d3-dispatch ^3.0.1 → 3.0.1
  ├─ d3-dsv ^3.0.1 → 3.0.1
  ├─ d3-ease ^3.0.1 → 3.0.1
  ├─ d3-fetch ^3.0.1 → 3.0.1
  ├─ d3-force ^3.0.0 → 3.0.0
  ├─ d3-force-3d ^3.0.5 → 3.0.6
  ├─ d3-format ^3.1.0 → 3.1.2
  ├─ d3-geo ^3.1.1 → 3.1.1
  ├─ d3-geo-projection ^4.0.0 → 4.0.0
  ├─ d3-hierarchy ^3.1.2 → 3.1.2
  ├─ d3-interpolate ^3.0.1 → 3.0.1
  ├─ d3-path ^3.1.0 → 3.1.0
  ├─ d3-quadtree ^3.0.1 → 3.0.1
  ├─ d3-random ^3.0.1 → 3.0.1
  ├─ d3-regression ^1.3.10 → 1.3.10
  ├─ d3-scale ^4.0.2 → 4.0.2
  ├─ d3-scale-chromatic ^3.1.0 → 3.1.0
  ├─ d3-shape ^3.2.0 → 3.2.0
  ├─ d3-time ^3.1.0 → 3.1.0
  ├─ d3-timer ^3.0.1 → 3.0.1
  ├─ eventemitter3 ^5.0.1 → 5.0.4
  ├─ gl-matrix ^3.4.3 → 3.4.4
  ├─ html2canvas ^1.4.1 → 1.4.1
├─ tslib ^2.5.3 → 2.8.1
  ├─ @types/geojson * → 7946.0.16
  ├─ commander 7 → 7.2.0
  ├─ d3-binarytree 1 → 1.0.2
  ├─ d3-octree 1 → 1.1.0
  ├─ d3-time-format 2 - 4 → 4.1.0
  ├─ fast-deep-equal ^3.1.3 → 3.1.3
  ├─ iconv-lite 0.6 → 0.6.3
├─ rw 1 → 1.3.3
  ├─ internmap 1 - 2 → 2.0.3
  ├─ safer-buffer >= 2.1.2 < 3.0.0 → 2.1.2

Changes from v2.7.1

Dependency Changes

Script Changes

+ preinstall

File Changes

1 added 0 removed 1 modified size delta: +486.9 KB

Risk Dispositions (0 applicable to this version, 5 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Show 5 disposition(s) that do not match any finding on this version
Rule Source Disposition Author Reason
regressed-provenance provenance reject AI AI (provenance): Provenance regression on a package that always published via CI is a strong compromise indicator; generalizes forward.
publisher-changed provenance reject AI AI (provenance): Publisher changed from GitHub Actions to human account atool coinciding with all other attack indicators.
install-script:preinstall install-scripts reject AI AI (install-scripts): Preinstall runs obfuscated index.js via bun — not a legitimate build step for this package.
url-dep:@antv/setup npm-metadata reject AI AI (npm-metadata): SHA-pinned GitHub optionalDependency is the exact attack vector used in the 2026 TanStack attack; not present in prior versions.
obfuscated-file:index.js source-diff reject AI AI (source-diff): Newly added heavily obfuscated file executed at preinstall is a malware payload indicator.

Review Summary

Risk score: 100 (capped from 360). Findings: 5 critical (+200), 6 high (+150), 1 medium (+10), 2 info (+0).

Published to npm: