@crystaldesign/content-box
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:build/esm/index-76c770eb.js | AI (source-diff): Normal minified ESM bundle output; readable imports and no actual obfuscation patterns. | ai | |
| source-diff | obfuscated-file:build/esm/index-073f2abc.js | AI (source-diff): Normal minified ESM bundle output; readable imports and no actual obfuscation patterns. | ai | |
| source-diff | net-exec-file:build/umd/104.content-box.umd.min.js | AI (source-diff): Standard webpack UMD chunk for AR/model-viewer component; network calls load 3D model URLs, not malware dropper behavior. | ai | |
| source-diff | net-exec-file:build/umd/433.content-box.umd.min.js | AI (source-diff): Webpack-bundled AR viewer component; network calls are model-viewer src attribute, not fetch+eval dropper pattern. | ai | |
| source-diff | obfuscated-file:build/esm/index-f06a844c.js | AI (source-diff): Standard minified webpack/babel build output for a React UI component library; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:build/esm/index-187e3e50.js | AI (source-diff): Standard minified webpack/babel build output for a React UI component library; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:build/esm/index-f18aae77.js | AI (source-diff): Standard minified ESM bundle output for a React component library; no malicious indicators. | ai | |
| source-diff | obfuscated-file:build/esm/index-1136cd18.js | AI (source-diff): Standard minified ESM bundle output for a React component library; no malicious indicators. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Internal scoped package; missing description is consistent across its 3189 versions. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Private scoped package (@crystaldesign) — no repo/description is expected for internal component libraries. | ai | |
| phantom-deps | phantom-dep:three | AI (phantom-deps): three.js is a known 3D library; likely used transitively via @google/model-viewer or bundled config. | ai | |
| phantom-deps | phantom-dep:@google/model-viewer | AI (phantom-deps): @google/model-viewer is a declared dependency; phantom-dep heuristic false positive for this component library. | ai | |
| phantom-deps | phantom-dep:react-laag | AI (phantom-deps): react-laag is a declared dependency; phantom-dep heuristic false positive for this component library. | ai | |
| phantom-deps | phantom-dep:rc-slider | AI (phantom-deps): rc-slider is a declared dependency; phantom-dep heuristic false positive for this component library. | ai | |
Versions (showing 35 of 35)
| Version | Deps | Published |
|---|---|---|
| 26.5.0 | 8 / 5 | |
| 26.4.8 | 8 / 5 | |
| 26.4.7 | 8 / 5 | |
| 26.4.6 | 8 / 5 | |
| 26.4.5 | 8 / 5 | |
| 26.4.4 | 8 / 5 | |
| 26.4.3 | 8 / 5 | |
| 26.4.2 | 8 / 5 | |
| 26.4.1 | 8 / 5 | |
| 26.4.0 | 8 / 5 | |
| 26.3.2 | 8 / 5 | |
| 26.3.1 | 8 / 5 | |
| 26.3.0 | 8 / 5 | |
| 26.2.4 | 8 / 5 | |
| 26.2.3 | 8 / 5 | |
| 26.2.2 | 8 / 5 | |
| 26.2.1 | 8 / 5 | |
| 26.2.0 | 8 / 5 | |
| 26.1.2 | 8 / 5 | |
| 26.1.1 | 8 / 5 | |
| 26.1.0 | 8 / 5 | |
| 25.16.2 | 8 / 5 | |
| 25.16.1 | 8 / 5 | |
| 25.16.0 | 8 / 5 | |
| 25.14.4 | 8 / 5 | |
| 25.14.3 | 8 / 5 | |
| 25.14.2 | 8 / 5 | |
| 25.14.1 | 8 / 5 | |
| 25.14.0 | 8 / 5 | |
| 25.13.7 | 8 / 5 | |
| 25.13.6 | 8 / 5 | |
| 25.13.5 | 8 / 5 | |
| 25.13.4 | 8 / 5 | |
| 25.13.3 | 8 / 5 | |
| 25.13.2 | 8 / 5 | |
v26.5.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.4.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.4.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.4.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.4.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.4.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.4.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v26.4.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v26.4.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v26.4.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v26.3.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v26.3.1
4 findings:
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.3.0
4 findings:
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.2.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.2.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.2.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.2.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.2.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.1.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v26.1.1
4 findings:
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.1.0
4 findings:
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v25.16.2
4 findings:
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v25.16.1
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v25.16.0
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v25.14.4
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v25.14.3
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v25.14.2
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v25.14.1
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v25.14.0
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v25.13.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v25.13.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v25.13.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v25.13.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v25.13.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v25.13.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.