@cordisjs/plugin-market
Plugin market for Cordis
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/index-ik8ne0d1.js | AI (source-diff): Minified Vite/Rollup bundle for a WebUI plugin; long lines are standard bundler output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/index-chpiouhr.js | AI (source-diff): Hashed Vite/Rollup bundle for WebUI client; minified but not obfuscated, stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/index-d9rg5z8a.js | AI (source-diff): Standard Vite/Vue bundled frontend output; long lines are minified JS, not obfuscation. Stable pattern for this WebUI plugin. | ai | |
| source-diff | obfuscated-file:dist/index-m78720hp.js | AI (source-diff): Hash-named Vite/Rollup bundle; minified Vue frontend code, not obfuscated malware. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/index-k0iqe0e3.js | AI (source-diff): Vite-bundled frontend asset with readable imports and i18n strings; minified output, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/index-c1iwdeo6.js | AI (source-diff): Minified frontend bundle for Cordis WebUI plugin; content is readable Vue/i18n code, not obfuscated malware. | ai | |
Versions (showing 11 of 11)
| Version | Deps | Published |
|---|---|---|
| 0.5.0 | 4 / 14 | |
| 0.4.0 | 4 / 14 | |
| 0.3.2 | 4 / 14 | |
| 0.3.1 | 4 / 14 | |
| 0.3.0 | 4 / 14 | |
| 0.2.4 | 4 / 16 | |
| 0.2.3 | 4 / 16 | |
| 0.2.2 | 4 / 16 | |
| 0.2.1 | 4 / 7 | |
| 0.2.0 | 4 / 7 | |
| 0.1.0 | 4 / 7 | |
v0.5.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.2
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.1
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.