@baseplate-dev/plugin-rate-limit
Contains the rate limiting plugin for Baseplate
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/web/assets/__federation_shared_@baseplate-dev/project-builder-lib-BEoACZXa.js | AI (source-diff): Standard Vite module-federation minified bundle; source maps included, consistent with build tooling. | ai | |
| source-diff | obfuscated-file:dist/web/assets/__federation_shared_@baseplate-dev/ui-components-B07HCOxC.js | AI (source-diff): Standard Vite module-federation minified bundle; source maps included, consistent with build tooling. | ai | |
| provenance | publisher-changed | AI (provenance): Transition to GitHub Actions CI/CD publisher with SLSA provenance attestation; legitimate automation migration. | ai | |
| source-diff | obfuscated-file:dist/web/assets/__federation_shared_@baseplate-dev/project-builder-lib-DQAPSZRY.js | AI (source-diff): Standard Vite module-federation minified bundle; readable library code visible in sample, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/web/assets/__federation_shared_@baseplate-dev/ui-components-MqpmUdhv.js | AI (source-diff): Standard Vite module-federation minified bundle; readable library code (clsx, tailwind-merge) visible in sample. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Intentional placeholder stub in a monorepo; no-deps and tiny payload are expected for early 0.0.1 scaffolding releases. | ai | |
| phantom-deps | phantom-dep:@baseplate-dev/utils | AI (phantom-deps): Same-org dep declared in dependencies; likely re-exported or used indirectly. | ai | |
| phantom-deps | phantom-dep:react-hook-form | AI (phantom-deps): Declared runtime dep used in Vite-bundled output; not a phantom dependency. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): Declared runtime dep used in Vite-bundled output; not a phantom dependency. | ai |
Versions (showing 4 of 4)
| Version | Deps | Published |
|---|---|---|
| 0.6.9 | 11 / 17 | |
| 0.6.8 | 11 / 17 | |
| 0.6.7 | 11 / 17 | |
| 0.0.1 | 0 / 0 |
v0.6.8
4 findingsThis version was published by a different npm account than previous versions on 2026-04-07. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.7
4 findingsThis version was published by a different npm account than previous versions on 2026-04-01. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.