@dazhicheng/ui
Core UI component library of the TT Monorepo, built on Vue 3 + Element Plus.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@dazhicheng/hooks | AI (dependencies): Same org scope (@dazhicheng); internal monorepo dependency, not a third-party risk. | ai | |
| source-diff | obfuscated-file:dist/index-iFd1yQ1C.js | AI (source-diff): Vite build output with hashed filename; standard minified bundle, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/index-iFd1yQ1C.js | AI (source-diff): Vue UI bundle naturally contains dynamic component creation and HTTP (axios); not malicious. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Major version bump from 1.0.x to 1.1.x; large dist rebuild is expected. | ai | |
| source-diff | net-exec-file:dist/index-DxTPuBYV.js | AI (source-diff): Bundled axios + Vue dynamic components trigger net+exec heuristic; normal for UI lib. | ai | |
| source-diff | obfuscated-file:dist/index-DxTPuBYV.js | AI (source-diff): Vite-bundled Vue UI component library output; minification is expected for dist files. | ai | |
| source-diff | net-exec-file:dist/index-7R1S3sB2.js | AI (source-diff): False positive on minified Vue bundle containing axios imports and dynamic component loading. | ai | |
| source-diff | obfuscated-file:dist/index-7R1S3sB2.js | AI (source-diff): Vite-minified Vue component bundle; standard build output for this UI library. | ai | |
| phantom-deps | phantom-dep:vee-validate | AI (phantom-deps): Declared runtime dep bundled into dist; consistent pattern for this UI library. | ai | |
| phantom-deps | phantom-dep:@standard-schema/spec | AI (phantom-deps): Declared runtime dep bundled into dist; consistent pattern for this UI library. | ai | |
| phantom-deps | phantom-dep:zod | AI (phantom-deps): Declared runtime dep bundled into dist; not directly imported at source level — stable false positive for this UI library. | ai | |
| provenance | no-provenance | AI (provenance): Private org UI library; no provenance is consistent across all versions of this package. | ai | |
| publish-pattern | rapid-publish | AI (publish-pattern): High-frequency monorepo publishing pattern; 159 versions in 88 days makes rapid publishes expected. | ai | |
| phantom-deps | phantom-dep:pinyin-pro | AI (phantom-deps): UI library bundles deps; phantom-dep false positive consistent with build pattern across versions. | ai | |
| phantom-deps | phantom-dep:html-to-image | AI (phantom-deps): UI library bundles deps; phantom-dep false positive consistent with build pattern across versions. | ai | |
| phantom-deps | phantom-dep:@element-plus/icons-vue | AI (phantom-deps): UI component library; icons re-exported via element-plus integration, stable false positive. | ai | |
| phantom-deps | phantom-dep:vue-router | AI (phantom-deps): UI library re-exports/peer-uses vue-router; phantom detection is a stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@tanstack/vue-store | AI (phantom-deps): Declared dependency used indirectly via config; stable false positive for this UI library. | ai | |
| typosquat | typosquat.levenshtein:uuid | AI (typosquat): Scoped UI library; name collision with uuid is a Levenshtein false positive. | ai | |
| phantom-deps | phantom-dep:@standard-schema/utils | AI (phantom-deps): Bundled ESM output; phantom-dep heuristic fires on build artifacts. | ai | |
| phantom-deps | phantom-dep:@vee-validate/zod | AI (phantom-deps): Bundled ESM output; phantom-dep heuristic fires on build artifacts. | ai | |
| phantom-deps | phantom-dep:@iconify/vue | AI (phantom-deps): Bundled ESM output; phantom-dep heuristic fires on build artifacts. | ai | |
| phantom-deps | phantom-dep:sortablejs | AI (phantom-deps): Bundled ESM output; phantom-dep heuristic fires on build artifacts. | ai | |
| phantom-deps | phantom-dep:es-toolkit | AI (phantom-deps): Bundled ESM output; phantom-dep heuristic fires on build artifacts. | ai | |
| phantom-deps | phantom-dep:numeral | AI (phantom-deps): Bundled ESM output; phantom-dep heuristic fires on build artifacts, not source imports. | ai | |
| phantom-deps | phantom-dep:@dazhicheng/utils | AI (phantom-deps): Same-org monorepo sibling; phantom-dep heuristic unreliable for bundled packages. | ai | |
| phantom-deps | phantom-dep:@dazhicheng/hooks | AI (phantom-deps): Same-org monorepo sibling; phantom-dep heuristic unreliable for bundled packages. | ai | |
| typosquat | typosquat.levenshtein:yup | AI (typosquat): Scoped UI library; name collision with yup is a Levenshtein false positive. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped UI library; name collision with joi is a Levenshtein false positive. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): Scoped UI library; name collision with qs is a Levenshtein false positive. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped UI library; name collision with pg is a Levenshtein false positive. | ai | |
Versions (showing 51 of 133)
| Version | Deps | Published |
|---|---|---|
| 1.5.150 | 13 / 7 | |
| 1.5.142 | 13 / 7 | |
| 1.5.140 | 13 / 7 | |
| 1.5.139 | 13 / 7 | |
| 1.5.133 | 13 / 7 | |
| 1.5.132 | 13 / 7 | |
| 1.5.131 | 14 / 7 | |
| 1.5.130 | 14 / 7 | |
| 1.5.129 | 14 / 7 | |
| 1.5.128 | 14 / 7 | |
| 1.5.127 | 14 / 7 | |
| 1.5.126 | 14 / 7 | |
| 1.5.125 | 14 / 7 | |
| 1.5.124 | 14 / 7 | |
| 1.5.123 | 14 / 7 | |
| 1.5.122 | 14 / 7 | |
| 1.5.121 | 13 / 7 | |
| 1.5.120 | 13 / 7 | |
| 1.5.119 | 13 / 7 | |
| 1.5.118 | 13 / 7 | |
| 1.5.117 | 13 / 7 | |
| 1.5.116 | 13 / 7 | |
| 1.5.115 | 13 / 7 | |
| 1.5.114 | 13 / 7 | |
| 1.5.113 | 12 / 7 | |
| 1.5.112 | 12 / 7 | |
| 1.5.111 | 12 / 7 | |
| 1.5.110 | 12 / 7 | |
| 1.5.109 | 12 / 7 | |
| 1.5.108 | 12 / 7 | |
| 1.5.107 | 12 / 7 | |
| 1.5.106 | 12 / 7 | |
| 1.5.105 | 12 / 7 | |
| 1.5.104 | 12 / 7 | |
| 1.5.103 | 12 / 7 | |
| 1.5.102 | 12 / 7 | |
| 1.5.101 | 12 / 7 | |
| 1.5.100 | 12 / 7 | |
| 1.5.99 | 12 / 7 | |
| 1.5.98 | 12 / 7 | |
| 1.5.97 | 12 / 7 | |
| 1.5.96 | 12 / 7 | |
| 1.5.95 | 12 / 7 | |
| 1.5.94 | 12 / 7 | |
| 1.5.93 | 12 / 7 | |
| 1.5.92 | 12 / 7 | |
| 1.5.91 | 12 / 7 | |
| 1.5.90 | 12 / 7 | |
| 1.5.89 | 12 / 7 | |
| 1.5.88 | 12 / 7 | |
| 1.5.87 | 12 / 7 | |
v1.5.150
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (jojo_dio) than the most recent previously approved version (zzy_t) on 2026-05-22, but jojo_dio is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.5.142
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.140
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.139
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.133
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.132
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.131
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.130
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.129
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.128
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.127
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.126
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.125
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.124
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.123
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.122
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.121
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.120
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.119
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.118
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.117
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.116
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.115
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.114
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.113
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.112
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.111
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.110
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.109
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.108
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.107
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.106
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.105
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.104
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.103
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.102
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.101
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.99
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.98
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.97
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.96
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.95
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.94
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.93
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.92
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.91
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.90
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.89
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.88
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.87
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.