@cubejs-client/playground
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:build/assets/index-BHMORpvF.js | AI (source-diff): Network calls and dynamic code in a browser-targeted React bundle are normal; no malware indicators in the sample. | ai | |
| source-diff | obfuscated-file:build/assets/index-BHMORpvF.js | AI (source-diff): Standard Vite-bundled React app output; minification is expected for this playground package. | ai | |
| dependencies | unvetted-dep:flexsearch | AI (dependencies): flexsearch is a legitimate open-source search library; stable dependency for this package. | ai | |
| source-diff | obfuscated-file:build/assets/index-D6_ZO5b0.js | AI (source-diff): Standard Vite-minified SPA bundle; content is React production boilerplate, not obfuscated malware. | ai | |
| source-diff | net-exec-file:build/assets/index-D6_ZO5b0.js | AI (source-diff): Network calls and dynamic code in a browser SPA bundle are expected; no dropper pattern in the sample. | ai | |
| source-diff | net-exec-file:build/assets/index-Cq-vQO9J.js | AI (source-diff): Network calls and dynamic code in a browser bundle are normal React app patterns, not dropper behavior. | ai | |
| source-diff | obfuscated-file:build/assets/index-Cq-vQO9J.js | AI (source-diff): Standard Vite-bundled frontend build artifact for the Cube.js playground; minification is expected. | ai | |
| source-diff | obfuscated-file:build/assets/index-BR9mlzFM.js | AI (source-diff): Vite-bundled frontend asset; minification is expected for this playground UI package. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get in a bundled antd/pagination CSS-in-JS file; not an evasion technique. | ai | |
| source-diff | net-exec-file:build/assets/index-BR9mlzFM.js | AI (source-diff): Network calls and dynamic code in bundled React app are normal; no exfiltration pattern visible in sample. | ai | |
| source-diff | net-exec-file:build/assets/index-DnbPXUAR.js | AI (source-diff): Network calls and dynamic code in bundled frontend JS are normal for a React playground app; no malware indicators in sample. | ai | |
| source-diff | obfuscated-file:build/assets/index-DnbPXUAR.js | AI (source-diff): Standard Vite-bundled frontend build artifact; minification is expected for this playground package. | ai | |
| source-diff | obfuscated-file:build/assets/index-Dp9g9mH4.js | AI (source-diff): Standard Vite-bundled React SPA output; minification is expected for this playground package. | ai | |
| source-diff | net-exec-file:build/assets/index-Dp9g9mH4.js | AI (source-diff): Network calls and dynamic execution are normal in a bundled browser SPA; no dropper pattern present. | ai | |
| phantom-deps | phantom-dep:recursive-readdir | AI (phantom-deps): Build script usage; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:customize-cra | AI (phantom-deps): Build config usage; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:graphql-ws | AI (phantom-deps): Used via dynamic import or config; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:react-is | AI (phantom-deps): Peer/transitive usage pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:moment | AI (phantom-deps): Likely used transitively or in config; stable false positive for this package. | ai | |
| semgrep | semgrep:toplevel-fetch | AI (semgrep): Fetch is gated on a specific pathname (/playground/live-preview/start) and only calls window.close(); benign UI lifecycle code. | ai | |
| phantom-deps | phantom-dep:less | AI (phantom-deps): Build-time CSS tooling; phantom-dep false positive for this package. | ai | |
| phantom-deps | phantom-dep:vite-plugin-environment | AI (phantom-deps): Vite config usage; stable false positive for this package. | ai | |
Versions (showing 19 of 19)
| Version | Deps | Published |
|---|---|---|
| 1.6.52 | 32 / 29 | |
| 1.6.51 | 32 / 29 | |
| 1.6.50 | 32 / 29 | |
| 1.6.49 | 32 / 29 | |
| 1.6.48 | 32 / 29 | |
| 1.6.47 | 32 / 29 | |
| 1.6.46 | 32 / 29 | |
| 1.6.45 | 32 / 29 | |
| 1.6.42 | 32 / 29 | |
| 1.6.41 | 32 / 29 | |
| 1.6.40 | 32 / 29 | |
| 1.6.39 | 32 / 29 | |
| 1.6.38 | 32 / 29 | |
| 1.6.37 | 32 / 29 | |
| 1.6.36 | 32 / 29 | |
| 1.6.35 | 32 / 29 | |
| 1.6.34 | 32 / 29 | |
| 1.6.33 | 32 / 29 | |
| 1.6.32 | 33 / 30 | |
v1.6.52
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.51
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.50
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.49
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.48
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.47
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.46
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.45
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.42
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.41
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.40
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.39
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.38
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.37
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.36
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.35
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.34
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.33
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.32
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.