@dathra/components MPL-2.0 10 versions

@dathra/components

npm Repository Homepage

Web Components high-level API for Dathra framework

10

Versions

MPL-2.0

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

takuma-ru

Keywords

dathraweb-componentscustom-elementsshadow-domframeworkfrontendjavascripttypescript

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:dist/implementation-CSedSfgD.mjs	AI (source-diff): Standard tsdown build output; minified but fully readable logic, no malicious patterns.	ai	2026/05/13
provenance	publisher-changed	AI (provenance): Package explicitly uses GitHub Actions CI/CD with SLSA provenance; automated publisher is expected and attested.	ai	2026/04/28
license	weak-copyleft-license:MPL-2.0	AI (license): MPL-2.0 is the declared license for the dathra framework; stable across versions.	ai	2026/04/28

Versions (showing 10 of 10)

Version	Deps	Published
0.0.22	4 / 7	2026-05-28
0.0.21	4 / 7	2026-05-15
0.0.20	4 / 7	2026-05-14
0.0.19	4 / 7	2026-05-13
0.0.18	4 / 7	2026-05-06
0.0.17	4 / 7	2026-04-30
0.0.16	4 / 7	2026-04-26
0.0.15	4 / 7	2026-04-26
0.0.14	4 / 7	2026-04-26
0.0.13	4 / 7	2026-04-25

v0.0.22

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.21

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.20

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.19

2 findings

HIGH New obfuscated file: dist/implementation-CSedSfgD.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.18

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.17

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.16

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.15

2 findings

HIGH Publisher changed: takuma-ru → GitHub Actions (on 2026-04-26) provenance

This version was published by a different npm account than previous versions on 2026-04-26. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.14

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.13

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.