@deviceinsight/ng-ui-scale-lib

CI/CD is running with gitlab pipelines. The configuration is located in the file `.gitlab-ci.yml`. The `gitlab-ci.yml` file contains two jobs:

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

ihestefanhudelmaiertrolfdidaniel_mohr_di

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:dist/setTitle-Cyf8DxtL.js	AI (source-diff): Vite-bundled minified output of a React component library; standard build artifact.	ai	2026/05/21
dependencies	unvetted-dep:powerbi-client	AI (dependencies): powerbi-client is Microsoft's official Power BI client library.	ai	2026/05/21
dependencies	unvetted-dep:react-flip-toolkit	AI (dependencies): react-flip-toolkit is a well-known animation library with no risk indicators.	ai	2026/05/21
dependencies	unvetted-dep:react-select-event	AI (dependencies): react-select-event is a standard testing utility for react-select.	ai	2026/05/21
dependencies	unvetted-dep:powerbi-client-react	AI (dependencies): powerbi-client-react is Microsoft's official React wrapper for Power BI.	ai	2026/05/21
dependencies	unvetted-dep:node-js-marker-clusterer	AI (dependencies): node-js-marker-clusterer is a known Google Maps marker clustering library.	ai	2026/05/21
dependencies	unvetted-dep:vis	AI (dependencies): vis is a well-known data visualization library; no malware indicators.	ai	2026/05/21
dependencies	unvetted-dep:masonic	AI (dependencies): masonic is a legitimate React virtualized masonry library.	ai	2026/05/21
phantom-deps	phantom-dep:react-select-event	AI (phantom-deps): Declared in dependencies; phantom-dep heuristic false positive for this package.	ai	2026/04/29
phantom-deps	phantom-dep:node-js-marker-clusterer	AI (phantom-deps): Declared in dependencies; phantom-dep heuristic false positive for this package.	ai	2026/04/29
phantom-deps	phantom-dep:codemirror	AI (phantom-deps): codemirror is a transitive dep of @uiw/react-codemirror; phantom-dep heuristic false positive for this package.	ai	2026/04/29
phantom-deps	phantom-dep:tinyduration	AI (phantom-deps): Declared in dependencies; phantom-dep heuristic false positive for this package.	ai	2026/04/29

Versions (showing 3 of 3)

Version	Deps	Published
10.3.0	52 / 38	2026-04-29
10.2.2	52 / 38	2026-04-27
10.2.0	52 / 37	2026-03-31

v10.3.0

2 findings

HIGH New obfuscated file: dist/setTitle-Cyf8DxtL.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v10.2.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.