@danidoble/webserial
WebSerial API wrapper
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/kernel-chJkQxDD.cjs | AI (source-diff): Standard Vite minified build output; no malicious patterns in samples. | ai | |
| source-diff | obfuscated-file:dist/kernel-9JeWIxgz.cjs | AI (source-diff): Vite-minified bundle; emulator/device logic, no obfuscation. | ai | |
| source-diff | net-exec-file:dist/webserial-core-52yJu-0N.js | AI (source-diff): Same socket.io bundle in ESM format; false positive for this build tool package. | ai | |
| source-diff | net-exec-file:dist/webserial-core-BgEbN4Gb.cjs | AI (source-diff): Network code is socket.io transport; dynamic code is FileReader/TextEncoder — no dropper pattern. | ai | |
| source-diff | obfuscated-file:dist/webserial-core-BgEbN4Gb.cjs | AI (source-diff): Vite-minified bundle including socket.io/engine.io parser; standard build output. | ai | |
| source-diff | obfuscated-file:dist/kernel-BEA0hNWZ.cjs | AI (source-diff): Minified Vite/Rollup bundle output; emulator/kernel logic, not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/webserial-core-Bn6Ker2l.js | AI (source-diff): Same engine.io-parser bundle as ESM variant; legitimate build artifact. | ai | |
| source-diff | net-exec-file:dist/webserial-core-DizZyWun.cjs | AI (source-diff): Network code is socket.io/engine.io parser from webserial-core dep; no dynamic code execution beyond standard WebSocket handling. | ai | |
| source-diff | obfuscated-file:dist/webserial-core-DizZyWun.cjs | AI (source-diff): Bundled webserial-core devDependency (socket.io/engine.io parser); standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/jsd.cjs | AI (source-diff): Minified Vite/Rollup bundle output; serial device command logic, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/relay-E3NCcSjS.cjs | AI (source-diff): Vite-minified CJS bundle; content is relay/boardroid serial command logic, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/webserial-core-BNx2y6fr.cjs | AI (source-diff): Vite-minified CJS bundle; content is EventTarget/device-registry core logic, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/kernel-BaX0x8ws.cjs | AI (source-diff): Vite-minified CJS bundle; content is emulator/kernel device logic, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/kernel-CR94n4kR.cjs | AI (source-diff): Vite-bundled minified output; content is device emulator logic, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/webserial-core-DE33mmiR.cjs | AI (source-diff): Vite bundle of webserial-core devDependency; socket.io protocol parsing, not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/webserial-core-DE33mmiR.cjs | AI (source-diff): Network calls are WebSocket/serial API; dynamic dispatch is bundler pattern, not dropper. | ai | |
| source-diff | net-exec-file:dist/webserial-core-DdCTPQZr.js | AI (source-diff): Same bundled webserial-core content in ESM format; no malicious network+exec pattern. | ai | |
| source-diff | obfuscated-file:dist/kernel-DlsHh4AG.cjs | AI (source-diff): Vite-minified CJS bundle; content is clearly vending machine kernel logic, not malicious. | ai | |
| source-diff | obfuscated-file:dist/kernel-D8A562gb.cjs | AI (source-diff): Standard Vite minified bundle output; content matches documented WebSerial vending API. | ai | |
| source-diff | obfuscated-file:dist/webserial-core-5B5nYtyR.cjs | AI (source-diff): Standard Vite minified build output; content is readable WebSerial core event/device logic. | ai | |
| source-diff | obfuscated-file:dist/kernel-CzkmE_OW.cjs | AI (source-diff): Standard Vite minified build output; content is readable kernel/vending device logic. | ai | |
| source-diff | obfuscated-file:dist/webserial-core-N14HUamr.cjs | AI (source-diff): Standard Vite minified build output; content matches package's vending-machine serial API purpose. | ai | |
| source-diff | obfuscated-file:dist/relay-DGFymXOw.cjs | AI (source-diff): Standard Vite minified build output; content matches package's vending-machine serial API purpose. | ai | |
| source-diff | obfuscated-file:dist/kernel-BTsfPyB9.cjs | AI (source-diff): Standard Vite minified build output; content matches package's vending-machine serial API purpose. | ai | |
| source-diff | obfuscated-file:dist/kernel-BTqvt4pt.cjs | AI (source-diff): Vite-minified CJS bundle; readable domain logic, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/kernel-Bd3IuxSw.cjs | AI (source-diff): Standard Vite minified build output; content is readable vending machine kernel logic with no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/webserial-core-DlH0cFSH.cjs | AI (source-diff): Standard Vite minified build output; content is readable EventTarget/WebSerial core logic with no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/hopper.cjs | AI (source-diff): Standard Vite minified build output; content is readable WebSerial/hopper device logic with no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/kernel-BxvweHTG.cjs | AI (source-diff): Vite build output with hashed chunk names; minification is expected for this package's dist artifacts. | ai | |
| source-diff | obfuscated-file:dist/kernel-Dv8bd_hz.cjs | AI (source-diff): Vite minified build output; sample shows legitimate WebSerial wrapper logic, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/kernel-g4zSg1Ll.cjs | AI (source-diff): Minified Vite build output; content is recognizable WebSerial/emulator logic, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/webserial-core-D49c459A.cjs | AI (source-diff): Minified bundle of webserial-core devDependency; engine.io protocol code, no malicious patterns. | ai | |
| source-diff | net-exec-file:dist/webserial-core-D49c459A.cjs | AI (source-diff): Network calls are socket.io transport; dynamic code execution is standard FileReader/TextEncoder usage in bundled library. | ai | |
| source-diff | net-exec-file:dist/webserial-core-CiU9IcKf.js | AI (source-diff): Same engine.io bundle as ESM variant; no dropper/loader patterns present. | ai | |
Versions (showing 37 of 37)
| Version | Deps | Published |
|---|---|---|
| 4.5.0 | 0 / 15 | |
| 4.4.8 | 0 / 15 | |
| 4.4.7 | 0 / 15 | |
| 4.4.6 | 0 / 15 | |
| 4.4.5 | 0 / 15 | |
| 4.4.4 | 0 / 15 | |
| 4.4.3 | 0 / 15 | |
| 4.4.2 | 0 / 15 | |
| 4.4.1 | 0 / 15 | |
| 4.4.0 | 0 / 15 | |
| 4.3.13 | 0 / 13 | |
| 4.3.12 | 0 / 13 | |
| 4.3.11 | 0 / 13 | |
| 4.3.10 | 0 / 13 | |
| 4.3.9 | 0 / 13 | |
| 4.3.8 | 0 / 13 | |
| 4.3.7 | 0 / 13 | |
| 4.3.6 | 0 / 13 | |
| 4.3.5 | 0 / 13 | |
| 4.3.4 | 0 / 13 | |
| 4.3.3 | 0 / 13 | |
| 4.3.2 | 0 / 13 | |
| 4.3.1 | 0 / 13 | |
| 4.3.0 | 0 / 13 | |
| 4.2.16 | 0 / 13 | |
| 4.2.15 | 0 / 13 | |
| 4.2.14 | 0 / 13 | |
| 4.2.13 | 0 / 13 | |
| 4.2.12 | 0 / 13 | |
| 4.2.11 | 0 / 13 | |
| 4.2.10 | 0 / 13 | |
| 4.2.9 | 0 / 13 | |
| 4.2.8 | 0 / 13 | |
| 4.2.7 | 0 / 13 | |
| 4.2.6 | 0 / 13 | |
| 4.2.5 | 0 / 13 | |
| 4.2.4 | 0 / 13 | |
v4.5.0
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.4.8
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.4.7
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.4.6
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.4.5
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.4.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.4.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.4.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.4.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.4.0
7 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.13
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.12
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.11
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.10
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.9
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.8
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.7
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.6
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.5
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.4
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.3
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.2
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.1
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.0
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.16
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.15
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.14
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.13
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.12
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.11
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.10
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.9
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.8
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.6
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.2.5
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.2.4
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.