@contentful/live-preview
Preview SDK for both the field tagging connection + live content updates
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/src-Dd1bV8rx.js | AI (source-diff): ESM counterpart of the CJS bundle; same legitimate SDK code. | ai | |
| source-diff | net-exec-file:dist/src-BVzLNsbv.cjs | AI (source-diff): Bundled SDK with fetch calls and dynamic requires; expected for a live-preview SDK. | ai | |
| source-diff | obfuscated-file:dist/src-BVzLNsbv.cjs | AI (source-diff): Minified CJS bundle from rolldown; standard for this package's build pipeline. | ai | |
| source-diff | obfuscated-file:dist/src-CwJyHRfo.cjs | AI (source-diff): CJS bundle minified by rolldown; standard build output for this package. | ai | |
| source-diff | net-exec-file:dist/src-CTjB7PIV.js | AI (source-diff): ESM bundle counterpart; same rolldown output with network + dynamic patterns from SDK logic. | ai | |
| source-diff | net-exec-file:dist/src-CwJyHRfo.cjs | AI (source-diff): Bundled SDK with network calls (fetch for CMS) and dynamic require shims; not malicious. | ai | |
| source-diff | obfuscated-file:dist/src-BAzzj2P1.cjs | AI (source-diff): Minified CJS bundle from rolldown; stega encoding is part of live-preview tagging feature. | ai | |
| source-diff | net-exec-file:dist/src-BAzzj2P1.cjs | AI (source-diff): Bundled CJS output; network+exec pattern is from bundled dependencies, not malware. | ai | |
| source-diff | net-exec-file:dist/src-DmYUaDf4.js | AI (source-diff): ESM bundle counterpart; same benign bundled code as CJS variant. | ai | |
| source-diff | obfuscated-file:dist/src-gyVL5-Kj.cjs | AI (source-diff): Minified rolldown bundle output; standard for this package's build pipeline. | ai | |
| source-diff | net-exec-file:dist/src-w-hF_slJ.js | AI (source-diff): ESM bundle counterpart; same legitimate live-preview network calls. | ai | |
| source-diff | net-exec-file:dist/src-gyVL5-Kj.cjs | AI (source-diff): Bundle contains fetch/WebSocket for live preview SDK functionality, not malware. | ai | |
| phantom-deps | phantom-dep:lodash.isequal | AI (phantom-deps): Same pattern — declared peer/config dep in Contentful SDK monorepo. | ai | |
| phantom-deps | phantom-dep:json-pointer | AI (phantom-deps): Same pattern — declared peer/config dep in Contentful SDK monorepo. | ai | |
| phantom-deps | phantom-dep:flatted | AI (phantom-deps): Monorepo SDK; declared deps used transitively or in config, not a real phantom risk. | ai | |
| phantom-deps | phantom-dep:graphql-tag | AI (phantom-deps): Same pattern — declared peer/config dep in Contentful SDK monorepo. | ai | |
| phantom-deps | phantom-dep:@contentful/rich-text-types | AI (phantom-deps): Same-org peer dep; stable false positive for this package. | ai | |
Versions (showing 12 of 12)
| Version | Deps | Published |
|---|---|---|
| 4.10.7 | 6 / 14 | |
| 4.10.4 | 6 / 14 | |
| 4.10.3 | 6 / 14 | |
| 4.10.2 | 6 / 14 | |
| 4.10.1 | 6 / 14 | |
| 4.10.0 | 6 / 14 | |
| 4.9.13 | 6 / 14 | |
| 4.9.12 | 6 / 14 | |
| 4.6.53 | 6 / 14 | |
| 4.6.18 | 6 / 14 | |
| 4.6.17 | 6 / 14 | |
| 4.6.16 | 6 / 14 | |
v4.10.7
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.10.4
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.10.3
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.10.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.53
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.18
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.17
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.16
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.