@builder.io/buildercode
Builder.io CLI - AI-powered code generation
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/acorn-BCI9AQ0E.mjs | AI (source-diff): Bundled prettier/acorn plugin; minified output is expected for vendored deps in a zero-dep CLI. | ai | |
| source-diff | obfuscated-file:dist/estree-CgdzE8gH.mjs | AI (source-diff): Bundled prettier/estree plugin; minified output expected. | ai | |
| source-diff | obfuscated-file:dist/flow-D1gsdMxu.mjs | AI (source-diff): Bundled prettier/flow plugin; minified output expected. | ai | |
| source-diff | obfuscated-file:dist/markdown-BTLkiI5V.mjs | AI (source-diff): Bundled prettier/markdown plugin; minified output expected. | ai | |
| source-diff | obfuscated-file:dist/prettier-CsKe7eLt.mjs | AI (source-diff): Bundled prettier core; minified output expected. | ai | |
| source-diff | obfuscated-file:dist/typescript-Bn7HrZX2.mjs | AI (source-diff): Bundled prettier/typescript plugin; minified output expected. | ai | |
| source-diff | obfuscated-file:dist/credentials-SaXJHIEz.mjs | AI (source-diff): Bundled credentials module; minified output expected for vendored CLI. | ai | |
| source-diff | net-exec-file:dist/credentials-SaXJHIEz.mjs | AI (source-diff): Credential management module legitimately uses network + child_process. | ai | |
| source-diff | obfuscated-file:dist/acorn-BonmCTAJ.mjs | AI (source-diff): Bundled prettier/acorn plugin; minified third-party code expected in CLI bundle. | ai | |
| source-diff | obfuscated-file:dist/estree-CAgaf7UR.mjs | AI (source-diff): Bundled prettier/estree plugin; minified third-party code expected in CLI bundle. | ai | |
| source-diff | obfuscated-file:dist/flow-Ce6pv9iw.mjs | AI (source-diff): Bundled prettier/flow plugin; minified third-party code expected in CLI bundle. | ai | |
| source-diff | obfuscated-file:dist/markdown-CuCx1VGJ.mjs | AI (source-diff): Bundled prettier/markdown plugin; minified third-party code expected in CLI bundle. | ai | |
| source-diff | obfuscated-file:dist/prettier-DAas3PVW.mjs | AI (source-diff): Bundled prettier core; minified third-party code expected in CLI bundle. | ai | |
| source-diff | obfuscated-file:dist/typescript-CufX_w35.mjs | AI (source-diff): Bundled prettier/typescript plugin; minified third-party code expected in CLI bundle. | ai | |
| source-diff | obfuscated-file:dist/cli.mjs | AI (source-diff): Main CLI bundle; minified output expected for a bundled CLI tool. | ai | |
| source-diff | obfuscated-file:dist/credentials-F6FpuRmX.mjs | AI (source-diff): Bundled credentials module for CLI auth; minified output expected. | ai | |
| source-diff | net-exec-file:dist/cli.mjs | AI (source-diff): CLI tool legitimately uses network + child_process for code generation workflows. | ai | |
| source-diff | net-exec-file:dist/credentials-F6FpuRmX.mjs | AI (source-diff): Credentials module legitimately uses network + exec for auth flows. | ai | |
| source-diff | large-new-source-files | AI (source-diff): CLI bundle ships many chunked files; expected for a large bundled tool. | ai | |
Versions (showing 20 of 20)
| Version | Deps | Published |
|---|---|---|
| 0.5.2 | 0 / 0 | |
| 0.5.0 | 0 / 0 | |
| 0.4.20 | 0 / 0 | |
| 0.4.19 | 0 / 0 | |
| 0.4.18 | 0 / 0 | |
| 0.4.17 | 0 / 0 | |
| 0.4.15 | 0 / 0 | |
| 0.4.14 | 0 / 0 | |
| 0.4.12 | 0 / 0 | |
| 0.4.11 | 0 / 0 | |
| 0.4.9 | 0 / 0 | |
| 0.4.6 | 0 / 0 | |
| 0.4.5 | 0 / 0 | |
| 0.4.4 | 0 / 0 | |
| 0.4.3 | 0 / 0 | |
| 0.4.2 | 0 / 0 | |
| 0.4.1 | 0 / 0 | |
| 0.4.0 | 0 / 0 | |
| 0.3.12 | 0 / 0 | |
| 0.3.11 | 0 / 0 | |
v0.5.2 (11 findings)
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.0 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.20 (11 findings)
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.19 (1 finding)
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.18 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.17 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.15 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.14 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.12 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.11 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.9 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.6 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.5 (1 finding)
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.4 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.3 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.2 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.1 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.12 (1 finding)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.11 (1 finding)
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.