@dazhicheng/ui
Core UI component library of the TT Monorepo, built as a wrapper around Vue 3 + Element Plus.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@dazhicheng/hooks | AI (dependencies): Same org scope (@dazhicheng); internal monorepo dependency, not a third-party risk. | ai | |
| source-diff | obfuscated-file:dist/index-iFd1yQ1C.js | AI (source-diff): Vite build output with hashed filename; standard minified bundle, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/index-iFd1yQ1C.js | AI (source-diff): Vue UI bundle naturally contains dynamic component creation and HTTP (axios); not malicious. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Major version bump from 1.0.x to 1.1.x; large dist rebuild is expected. | ai | |
| source-diff | net-exec-file:dist/index-DxTPuBYV.js | AI (source-diff): Bundled axios + Vue dynamic components trigger net+exec heuristic; normal for UI lib. | ai | |
| source-diff | obfuscated-file:dist/index-DxTPuBYV.js | AI (source-diff): Vite-bundled Vue UI component library output; minification is expected for dist files. | ai | |
| source-diff | net-exec-file:dist/index-7R1S3sB2.js | AI (source-diff): False positive on minified Vue bundle containing axios imports and dynamic component loading. | ai | |
| source-diff | obfuscated-file:dist/index-7R1S3sB2.js | AI (source-diff): Vite-minified Vue component bundle; standard build output for this UI library. | ai | |
| phantom-deps | phantom-dep:vee-validate | AI (phantom-deps): Declared runtime dep bundled into dist; consistent pattern for this UI library. | ai | |
| phantom-deps | phantom-dep:@standard-schema/spec | AI (phantom-deps): Declared runtime dep bundled into dist; consistent pattern for this UI library. | ai | |
| phantom-deps | phantom-dep:zod | AI (phantom-deps): Declared runtime dep bundled into dist; not directly imported at source level — stable false positive for this UI library. | ai | |
| provenance | no-provenance | AI (provenance): Private org UI library; no provenance is consistent across all versions of this package. | ai | |
| publish-pattern | rapid-publish | AI (publish-pattern): High-frequency monorepo publishing pattern; 159 versions in 88 days makes rapid publishes expected. | ai | |
| phantom-deps | phantom-dep:pinyin-pro | AI (phantom-deps): UI library bundles deps; phantom-dep false positive consistent with build pattern across versions. | ai | |
| phantom-deps | phantom-dep:html-to-image | AI (phantom-deps): UI library bundles deps; phantom-dep false positive consistent with build pattern across versions. | ai | |
| phantom-deps | phantom-dep:@element-plus/icons-vue | AI (phantom-deps): UI component library; icons re-exported via element-plus integration, stable false positive. | ai | |
| phantom-deps | phantom-dep:vue-router | AI (phantom-deps): UI library re-exports/peer-uses vue-router; phantom detection is a stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@tanstack/vue-store | AI (phantom-deps): Declared dependency used indirectly via config; stable false positive for this UI library. | ai | |
| typosquat | typosquat.levenshtein:uuid | AI (typosquat): Scoped UI library; name collision with uuid is a Levenshtein false positive. | ai | |
| phantom-deps | phantom-dep:@standard-schema/utils | AI (phantom-deps): Bundled ESM output; phantom-dep heuristic fires on build artifacts. | ai | |
| phantom-deps | phantom-dep:@vee-validate/zod | AI (phantom-deps): Bundled ESM output; phantom-dep heuristic fires on build artifacts. | ai | |
| phantom-deps | phantom-dep:@iconify/vue | AI (phantom-deps): Bundled ESM output; phantom-dep heuristic fires on build artifacts. | ai | |
| phantom-deps | phantom-dep:sortablejs | AI (phantom-deps): Bundled ESM output; phantom-dep heuristic fires on build artifacts. | ai | |
| phantom-deps | phantom-dep:es-toolkit | AI (phantom-deps): Bundled ESM output; phantom-dep heuristic fires on build artifacts. | ai | |
| phantom-deps | phantom-dep:numeral | AI (phantom-deps): Bundled ESM output; phantom-dep heuristic fires on build artifacts, not source imports. | ai | |
| phantom-deps | phantom-dep:@dazhicheng/utils | AI (phantom-deps): Same-org monorepo sibling; phantom-dep heuristic unreliable for bundled packages. | ai | |
| phantom-deps | phantom-dep:@dazhicheng/hooks | AI (phantom-deps): Same-org monorepo sibling; phantom-dep heuristic unreliable for bundled packages. | ai | |
| typosquat | typosquat.levenshtein:yup | AI (typosquat): Scoped UI library; name collision with yup is a Levenshtein false positive. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped UI library; name collision with joi is a Levenshtein false positive. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): Scoped UI library; name collision with qs is a Levenshtein false positive. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped UI library; name collision with pg is a Levenshtein false positive. | ai | |
Versions (showing 33 of 134)
| Version | Deps | Published |
|---|---|---|
| 1.5.33 | 12 / 6 | |
| 1.5.32 | 12 / 6 | |
| 1.5.31 | 12 / 6 | |
| 1.5.30 | 12 / 6 | |
| 1.5.29 | 12 / 6 | |
| 1.5.28 | 12 / 6 | |
| 1.5.27 | 12 / 6 | |
| 1.5.26 | 12 / 6 | |
| 1.5.25 | 21 / 6 | |
| 1.5.24 | 21 / 6 | |
| 1.5.23 | 21 / 6 | |
| 1.5.22 | 21 / 6 | |
| 1.5.20 | 21 / 6 | |
| 1.5.19 | 21 / 6 | |
| 1.5.18 | 21 / 6 | |
| 1.5.17 | 21 / 6 | |
| 1.5.16 | 21 / 6 | |
| 1.5.15 | 21 / 6 | |
| 1.5.14 | 21 / 6 | |
| 1.5.13 | 21 / 6 | |
| 1.5.12 | 21 / 6 | |
| 1.5.11 | 21 / 6 | |
| 1.5.10 | 21 / 6 | |
| 1.5.9 | 21 / 6 | |
| 1.5.8 | 21 / 6 | |
| 1.4.20 | 23 / 6 | |
| 1.4.2 | 18 / 6 | |
| 1.0.8 | 17 / 5 | |
| 1.0.7 | 15 / 5 | |
| 1.0.6 | 15 / 5 | |
| 1.0.5 | 12 / 5 | |
| 1.0.4 | 12 / 5 | |
| 1.0.3 | 12 / 5 | |
v1.5.33
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.32
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.31
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.30
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.29
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.28
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.27
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.26
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.25
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.24
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.23
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.22
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.20
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.19
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.18
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.17
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.16
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.15
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.14
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.13
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.12
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.11
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.10
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.20
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.2
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.8
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.