@blocknote/block-view
A Notion-like database library for building block-based databases.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/index-DUIbF_V5.d.ts | AI (source-diff): Content-hashed TypeScript declaration file from bundler output; long lines are minified type declarations, not malicious. | ai | |
| source-diff | obfuscated-file:dist/react-Bz8a0lQC.js | AI (source-diff): Vite content-hashed bundle; sample shows readable ESM imports, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/index-CFMgG_Jr.d.ts | AI (source-diff): Minified TypeScript declaration file from Vite/tsdown build; no malicious content. | ai | |
| source-diff | obfuscated-file:dist/react-CNmsd3ke.js | AI (source-diff): Standard vite bundle chunk with hashed filename; content is readable ES module imports, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/index-BVeYbgmy.d.ts | AI (source-diff): TypeScript declaration file with long lines from bundled type exports; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/react-7hXxOM25.js | AI (source-diff): Standard rolldown/tsdown bundle output; readable imports visible in sample, not obfuscated. | ai | |
| phantom-deps | phantom-dep:lucide-react | AI (phantom-deps): lucide-react is a declared runtime dependency; phantom-dep is a false positive here. | ai | |
| source-diff | obfuscated-file:dist/react-3ksWp5-L.js | AI (source-diff): Standard Vite/Rollup minified bundle output; long lines are from bundled React component code, not obfuscation. | ai | |
Versions (showing 17 of 17)
| Version | Deps | Published |
|---|---|---|
| 0.1.4 | 5 / 34 | |
| 0.1.3 | 5 / 34 | |
| 0.1.2 | 5 / 34 | |
| 0.1.1 | 7 / 32 | |
| 0.1.0 | 7 / 32 | |
| 0.0.17 | 7 / 30 | |
| 0.0.16 | 9 / 26 | |
| 0.0.15 | 9 / 26 | |
| 0.0.14 | 9 / 26 | |
| 0.0.13 | 9 / 26 | |
| 0.0.12 | 9 / 26 | |
| 0.0.9 | 10 / 29 | |
| 0.0.8 | 10 / 29 | |
| 0.0.6 | 10 / 29 | |
| 0.0.5 | 7 / 28 | |
| 0.0.4 | 7 / 27 | |
| 0.0.3 | 6 / 23 | |
v0.1.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.2
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.17
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.16
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.15
3 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.14
3 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.13
3 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.12
3 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.9
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.