← Home

@cloudflare/realtimekit-ui

npm Repository Homepage
2
Versions
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

dcruz_cfjculveysejokercf-radarcf-ci-writesegments-writethibmeuxortivecf-ci2lvalentaworengathird774jasnellterinjokescelsogregbrimbleg4brymwrangler-publishercf-media-managerdash_service_accountcf-npm-publishsimonabadoiucms1919mgirouard-cfmusa-cfvaishakpdineshichernetsky-cfgabivlj-cfganders-cloudflarensharma-cfmikenomitchtlefebvre_cfnafeezcfeduardo-vargasthreepointonextuc

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
maintainer-change maintainer-removed AI (maintainer-change): Individual maintainers removed in favor of centralized cf-npm-publish; consistent with Cloudflare automation migration. ai
source-diff obfuscated-file:dist/components/p-06494ae4.js AI (source-diff): Standard Stencil.js minified build output for Cloudflare's official UI component library. ai
source-diff obfuscated-file:dist/realtimekit-ui/p-067797c4.entry.js AI (source-diff): Standard Stencil.js minified build output for Cloudflare's official UI component library. ai
source-diff obfuscated-file:dist/components/p-0b33743b.js AI (source-diff): Standard Stencil.js minified build output for Cloudflare's official UI component library. ai
source-diff obfuscated-file:dist/realtimekit-ui/p-111881d0.entry.js AI (source-diff): Standard Stencil.js minified build output for Cloudflare's official UI component library. ai
source-diff obfuscated-file:dist/realtimekit-ui/p-1135e0f2.entry.js AI (source-diff): Standard Stencil.js minified build output for Cloudflare's official UI component library. ai
source-diff obfuscated-file:dist/realtimekit-ui/p-16cbe34d.entry.js AI (source-diff): Standard Stencil.js minified build output for Cloudflare's official UI component library. ai
source-diff obfuscated-file:dist/realtimekit-ui/p-18dd7b43.entry.js AI (source-diff): Standard Stencil.js minified build output for Cloudflare's official UI component library. ai
source-diff obfuscated-file:dist/components/p-1945dd0d.js AI (source-diff): Standard Stencil.js minified build output for Cloudflare's official UI component library. ai
source-diff obfuscated-file:dist/realtimekit-ui/p-1a53e8cd.entry.js AI (source-diff): Standard Stencil.js minified build output for Cloudflare's official UI component library. ai
source-diff obfuscated-file:dist/components/p-1d2420a8.js AI (source-diff): Standard Stencil.js minified build output for Cloudflare's official UI component library. ai
source-diff obfuscated-file:dist/components/p-1d945d79.js AI (source-diff): Standard Stencil.js minified build output for Cloudflare's official UI component library. ai
source-diff obfuscated-file:dist/components/p-1e7879b2.js AI (source-diff): Standard Stencil.js minified build output for Cloudflare's official UI component library. ai
source-diff obfuscated-file:dist/realtimekit-ui/p-25c0a5dc.entry.js AI (source-diff): Standard Stencil.js minified build output for Cloudflare's official UI component library. ai
source-diff obfuscated-file:dist/components/p-2add3860.js AI (source-diff): Standard Stencil.js minified build output for Cloudflare's official UI component library. ai
source-diff large-new-source-files AI (source-diff): Large file count is expected for Stencil.js component library builds with per-component chunking. ai
provenance publisher-changed AI (provenance): Cloudflare migrated publishing to GitHub Actions CI/CD with SLSA provenance; consistent with org-level automation. ai
maintainer-change maintainer-added AI (maintainer-change): cf-npm-publish is Cloudflare's centralized npm publish account; legitimate consolidation. ai
dependencies unvetted-dep:hark AI (dependencies): hark is a legitimate audio activity detection library; stable dependency for a UI/media package like this. ai

Versions (showing 2 of 2)

Version Deps Published
1.2.0 5 / 0
1.1.2 5 / 0

v1.2.0

16 findings
HIGH Publisher changed: dash_service_account → GitHub Actions (on 2026-05-28) provenance

This version was published by a different npm account than previous versions on 2026-05-28. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New obfuscated file: dist/components/p-06494ae4.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/realtimekit-ui/p-067797c4.entry.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/p-0b33743b.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/realtimekit-ui/p-111881d0.entry.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/realtimekit-ui/p-1135e0f2.entry.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/realtimekit-ui/p-16cbe34d.entry.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/realtimekit-ui/p-18dd7b43.entry.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/p-1945dd0d.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/realtimekit-ui/p-1a53e8cd.entry.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/p-1d2420a8.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/p-1d945d79.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/p-1e7879b2.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/realtimekit-ui/p-25c0a5dc.entry.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/p-2add3860.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.1.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.