@deephaven/embed-widget
Deephaven Embedded Widget
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:build/assets/Chart-DumqbtRO.js | AI (source-diff): Standard Vite minified build artifact for this UI package. | ai | |
| source-diff | net-exec-file:build/assets/vendor-DmeGBfOB.js | AI (source-diff): Bundled vendor chunk with fetch/dynamic-import patterns normal in Vite-built React apps; not dropper behavior. | ai | |
| source-diff | obfuscated-file:build/assets/plotly-BWW1QnWb.js | AI (source-diff): Standard Vite minified Plotly bundle; expected in a charting UI package. | ai | |
| source-diff | obfuscated-file:build/assets/MarkdownNotebook-CT5mNdZi.js | AI (source-diff): Standard Vite minified build artifact for this UI package. | ai | |
| source-diff | obfuscated-file:build/assets/LogPanel-ZY8qsmKw.js | AI (source-diff): Standard Vite minified build artifact for this UI package. | ai | |
| source-diff | obfuscated-file:build/assets/LocalWorkspaceStorage-BsMQspwg.js | AI (source-diff): Standard Vite minified build artifact for this UI package. | ai | |
| source-diff | obfuscated-file:build/assets/IrisGridThemeProvider-DhChSHef.js | AI (source-diff): Standard Vite minified build artifact for this UI package. | ai | |
| source-diff | obfuscated-file:build/assets/IrisGrid-DA5Ao302.js | AI (source-diff): Standard Vite minified build artifact for this UI package. | ai | |
| source-diff | obfuscated-file:build/assets/index-DZ7zhN8J.js | AI (source-diff): Standard Vite minified build artifact for this UI package. | ai | |
| source-diff | obfuscated-file:build/assets/index-DD0tl_L-.js | AI (source-diff): Standard Vite minified build artifact for this UI package. | ai | |
| source-diff | obfuscated-file:build/assets/index-DcVY-C-n.js | AI (source-diff): Standard Vite minified build artifact for this UI package. | ai | |
| source-diff | obfuscated-file:build/assets/index-BqUZmu8c.js | AI (source-diff): Standard Vite minified build output; __vite__mapDeps pattern confirms legitimate bundler output. | ai | |
| source-diff | obfuscated-file:build/assets/Chart-BArci7HA.js | AI (source-diff): Standard Vite minified build output for a React/Plotly UI package; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:build/assets/index-h8JAVLlZ.js | AI (source-diff): Standard Vite minified build output; __vite__mapDeps pattern confirms legitimate bundler output. | ai | |
| source-diff | obfuscated-file:build/assets/index-t-G-cexS.js | AI (source-diff): Standard Vite minified build output for this package. | ai | |
| source-diff | obfuscated-file:build/assets/IrisGrid-D0z3psUk.js | AI (source-diff): Standard Vite minified build output for IrisGrid component. | ai | |
| source-diff | obfuscated-file:build/assets/IrisGridThemeProvider-CqQ8B14v.js | AI (source-diff): Standard Vite minified build output for IrisGridThemeProvider component. | ai | |
| source-diff | obfuscated-file:build/assets/LocalWorkspaceStorage-BfMcZxbo.js | AI (source-diff): Standard Vite minified build output; readable React hook patterns visible in sample. | ai | |
| source-diff | obfuscated-file:build/assets/LogPanel-C2efFHBc.js | AI (source-diff): Standard Vite minified build output; __vite__mapDeps pattern confirms legitimate bundler output. | ai | |
| source-diff | obfuscated-file:build/assets/MarkdownNotebook-BCIZqdfQ.js | AI (source-diff): Standard Vite minified build output for this package. | ai | |
| source-diff | obfuscated-file:build/assets/plotly-DczB1SvI.js | AI (source-diff): Standard Vite minified Plotly.js bundle; expected large minified file for this charting library. | ai | |
| phantom-deps | phantom-dep:@deephaven/redux | AI (phantom-deps): First-party sibling dep used transitively in bundled app. | ai | |
| phantom-deps | phantom-dep:@deephaven/log | AI (phantom-deps): First-party sibling dep used transitively in bundled app. | ai | |
| phantom-deps | phantom-dep:@fontsource/fira-sans | AI (phantom-deps): Font imported via CSS/config in bundled app, not JS import. | ai | |
| phantom-deps | phantom-dep:@fontsource/fira-mono | AI (phantom-deps): Font imported via CSS/config in bundled app, not JS import. | ai | |
| phantom-deps | phantom-dep:nanoid | AI (phantom-deps): Same bundled-app pattern. | ai | |
| phantom-deps | phantom-dep:react-redux | AI (phantom-deps): Same bundled-app pattern. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): Same bundled-app pattern as react. | ai | |
| phantom-deps | phantom-dep:react | AI (phantom-deps): Bundled app entry point; react used via vite build config, not direct import. | ai | |
| phantom-deps | phantom-dep:@deephaven/app-utils | AI (phantom-deps): First-party sibling dep used transitively in bundled app. | ai | |
| phantom-deps | phantom-dep:@deephaven/plugin | AI (phantom-deps): First-party sibling dep used transitively in bundled app. | ai | |
| phantom-deps | phantom-dep:@deephaven/dashboard | AI (phantom-deps): First-party sibling dep used transitively in bundled app. | ai | |
| phantom-deps | phantom-dep:@deephaven/components | AI (phantom-deps): First-party sibling dep used transitively in bundled app. | ai | |
| phantom-deps | phantom-dep:@deephaven/jsapi-types | AI (phantom-deps): First-party sibling dep used transitively in bundled app. | ai | |
| phantom-deps | phantom-dep:@deephaven/jsapi-utils | AI (phantom-deps): First-party sibling dep used transitively in bundled app. | ai | |
| phantom-deps | phantom-dep:@deephaven/jsapi-bootstrap | AI (phantom-deps): First-party sibling dep used transitively in bundled app. | ai | |
| phantom-deps | phantom-dep:@deephaven/jsapi-components | AI (phantom-deps): First-party sibling dep used transitively in bundled app. | ai | |
| phantom-deps | phantom-dep:@deephaven/dashboard-core-plugins | AI (phantom-deps): First-party sibling dep used transitively in bundled app. | ai | |
| phantom-deps | phantom-dep:@deephaven/utils | AI (phantom-deps): First-party sibling dep used transitively in bundled app. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Established Deephaven org package; README links to official docs, not a phishing farm. | ai | |
v1.21.0
12 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.19.0
11 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.18.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.