@brad-frost-web/eddie-recipes

Recipe components for the Eddie Design System — compositions and product-specific components built on top of the core library

17 Versions
License
No Install Scripts
Missing Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance
npm registry signatures
gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

brad_frostinf5000

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
| --- | --- | --- | --- | --- |
| source-diff | obfuscated-file:recipes/tools/theme-customizer/theme-customizer.js | AI (source-diff): Long lines are minified CSS-in-JS strings in a Vite build output; not obfuscation. | ai | |
| source-diff | obfuscated-file:recipes/example-form/example-form.js | AI (source-diff): Long line is an inlined CSS string in a Vite build output; not obfuscation. | ai | |
| source-diff | obfuscated-file:recipes/common/example-form/example-form.js | AI (source-diff): Long lines are inlined CSS strings from Vite build output, not obfuscation; stable pattern for this design system package. | ai | |
| source-diff | obfuscated-file:cdn/chunks/text-passage.G9_ljtp-.js | AI (source-diff): Vite-minified CDN chunk; readable CSS and web component code, no malicious patterns. | ai | |
| source-diff | obfuscated-file:cdn/chunks/logo.D25eRK-V.js | AI (source-diff): Vite CDN build output; minified CSS-in-JS and Web Component code, no malicious patterns. | ai | |
| source-diff | obfuscated-file:cdn/recipes/common/site-header/site-header.js | AI (source-diff): Vite CDN build output; minified CSS-in-JS and Web Component code, no malicious patterns. | ai | |
| source-diff | obfuscated-file:cdn/chunks/text-passage.TK-DUTMH.js | AI (source-diff): Vite CDN build output; minified CSS-in-JS and Web Component code, no malicious patterns. | ai | |
| phantom-deps | phantom-dep:sass | AI (phantom-deps): sass is a build-time dep used by Vite config, not directly imported in source. | ai | |
| phantom-deps | phantom-dep:classnames | AI (phantom-deps): classnames referenced in config/build context; stable false positive for this package. | ai | |
| source-diff | obfuscated-file:cdn/chunks/heading.BKt6y_up.js | AI (source-diff): Vite CDN build output; minified CSS-in-JS and Web Component code, no malicious patterns. | ai | |
| source-diff | obfuscated-file:cdn/recipes/common/example-form/example-form.js | AI (source-diff): Vite CDN build output; minified but readable Web Component code, no malicious patterns. | ai | |
| source-diff | obfuscated-file:cdn/chunks/button.PimTrc0N.js | AI (source-diff): Vite CDN build output; minified but readable Web Component code, no malicious patterns. | ai | |

Versions (showing 17 of 17)

Version Deps Published
0.33.0 3 / 8
0.32.0 3 / 8
0.31.0 3 / 8
0.30.0 3 / 8
0.29.0 3 / 8
0.28.0 3 / 8
0.27.1 3 / 8
0.27.0 3 / 8
0.26.0 3 / 8
0.25.0 3 / 8
0.20.0 3 / 8
0.19.4 3 / 8
0.19.3 3 / 8
0.19.2 3 / 8
0.19.1 3 / 8
0.19.0 3 / 8
0.18.0 3 / 8

v0.33.0

2 findings
HIGH New obfuscated file: recipes/tools/theme-customizer/theme-customizer.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.32.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.30.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.29.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.27.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.27.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.26.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.19.4

2 findings
HIGH New obfuscated file: recipes/common/example-form/example-form.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.19.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.19.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.19.1

2 findings
HIGH New obfuscated file: recipes/example-form/example-form.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.19.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.18.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.