@devmoods/ui
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source: nothing attests which repository, commit and build pipeline produced the archive that the registry serves. The axios compromise (March 2026) relied on exactly this gap.
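What that link looks like when it exists, as an added example (not the scanner's code and not anything from the @devmoods/ui project): the registry metadata for a version published with provenance carries a `dist.attestations` entry, and the attested in-toto statement names the tarball by its SHA-512 digest alongside the source commit and builder. The packument excerpt and the statement below are constructed to follow the npm registry and SLSA v1 layouts; the package name `example-pkg`, the repository and the commit are made up, and the statement is treated as already signature-verified so the digest comparison is the only check shown.

```python
"""Checking the tarball-to-source link that SLSA provenance provides.

Added example for this page; it is not code from the scanner or from
@devmoods/ui. The packument excerpt and in-toto statement are constructed to
follow the npm registry and SLSA v1 layouts; package name, repository and
digests are illustrative.
"""
import base64
import hashlib

SLSA_V1 = "https://slsa.dev/provenance/v1"

# A constructed byte string stands in for the real .tgz so the digests line up.
TARBALL = b"constructed tarball bytes for example-pkg@1.1.0"
_SHA512 = hashlib.sha512(TARBALL)
INTEGRITY = "sha512-" + base64.b64encode(_SHA512.digest()).decode()  # SRI form used by npm

# Constructed packument excerpt: 1.0.0 has no attestations, 1.1.0 has them.
PACKUMENT = {
    "name": "example-pkg",
    "versions": {
        "1.0.0": {"dist": {"integrity": "sha512-AAAA",
                           "tarball": "https://registry.npmjs.org/example-pkg/-/example-pkg-1.0.0.tgz"}},
        "1.1.0": {"dist": {
            "integrity": INTEGRITY,
            "tarball": "https://registry.npmjs.org/example-pkg/-/example-pkg-1.1.0.tgz",
            "attestations": {
                "url": "https://registry.npmjs.org/-/npm/v1/attestations/example-pkg@1.1.0",
                "provenance": {"predicateType": SLSA_V1},
            },
        }},
    },
}

# Constructed in-toto statement shaped like the SLSA v1 provenance a GitHub
# Actions publish produces; every value is illustrative.
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "pkg:npm/example-pkg@1.1.0", "digest": {"sha512": _SHA512.hexdigest()}}],
    "predicateType": SLSA_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
            "externalParameters": {"workflow": {
                "ref": "refs/tags/v1.1.0",
                "repository": "https://github.com/example-org/example-pkg",
                "path": ".github/workflows/publish.yml"}},
            "resolvedDependencies": [{
                "uri": "git+https://github.com/example-org/example-pkg@refs/tags/v1.1.0",
                "digest": {"gitCommit": "0123456789abcdef0123456789abcdef01234567"}}],
        },
        "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}},
    },
}


def provenance_status(version_meta: dict) -> str:
    """Classify one packument version entry by what the registry advertises."""
    att = version_meta.get("dist", {}).get("attestations")
    if not att:
        return "none"  # what the "published without Sigstore provenance" findings mean
    predicate = (att.get("provenance") or {}).get("predicateType", "")
    return "slsa-provenance" if predicate.startswith("https://slsa.dev/provenance/") else "other-attestation"


def summarize(packument: dict) -> dict:
    return {v: provenance_status(m) for v, m in packument["versions"].items()}


def integrity_to_hex(integrity: str) -> str:
    """'sha512-<base64>' (SRI) -> lowercase hex, the form in-toto subjects use."""
    algo, b64 = integrity.split("-", 1)
    if algo != "sha512":
        raise ValueError(f"unexpected integrity algorithm {algo}")
    return base64.b64decode(b64).hex()


def subject_matches(statement: dict, integrity: str) -> bool:
    """True only if the statement's subject digest is this exact tarball."""
    want = integrity_to_hex(integrity)
    return any(s.get("digest", {}).get("sha512") == want for s in statement["subject"])


def source_link(statement: dict, integrity: str) -> dict:
    """Return repository/ref/commit/builder, but only for a matching subject.

    Signature verification (Sigstore) must happen before this; an unverified
    statement proves nothing, and a verified one that names a different
    artifact proves nothing about this tarball.
    """
    if statement.get("predicateType") != SLSA_V1:
        raise ValueError("not a SLSA v1 provenance statement")
    if not subject_matches(statement, integrity):
        raise ValueError("attestation subject does not match the tarball digest")
    build = statement["predicate"]["buildDefinition"]
    workflow = build["externalParameters"]["workflow"]
    return {
        "repository": workflow["repository"],
        "ref": workflow["ref"],
        "commit": build["resolvedDependencies"][0]["digest"]["gitCommit"],
        "builder": statement["predicate"]["runDetails"]["builder"]["id"],
    }
```

Metadata that advertises attestations is a claim, not a verification; for installed packages, `npm audit signatures` performs the registry-signature and provenance-attestation checks. Every version in the table below classifies as `none` under `summarize`, which is the condition the per-version findings report.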
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/cjs/Wizard-DkzL7qlx.js | AI (source-diff): Standard minified build artifact; readable form/wizard logic, no malicious payload. | ai | |
| source-diff | obfuscated-file:dist/cjs/Toast-BUksMbLk.js | AI (source-diff): Standard minified build artifact; readable UI component logic, no malicious payload. | ai | |
| source-diff | obfuscated-file:dist/cjs/Toast-Cv1FDOEW.js | AI (source-diff): Standard Rollup minified CJS bundle; UI component code with known deps. | ai | |
| source-diff | obfuscated-file:dist/cjs/Wizard-OX8ikH8p.js | AI (source-diff): Standard Rollup minified CJS bundle; wizard/schema logic with known deps. | ai | |
| source-diff | obfuscated-file:dist/cjs/forms-widgets.js | AI (source-diff): Standard rollup minified bundle for forms-widgets export; readable React logic, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/cjs/Toast-9O1akle9.js | AI (source-diff): Standard rollup chunk; readable UI component code, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/cjs/Wizard-BxqnhNfn.js | AI (source-diff): Standard rollup chunk; readable form/schema logic, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/cjs/forms/widgets.js | AI (source-diff): Standard rollup-minified CJS bundle; samples show form widget components only. | ai | |
| source-diff | obfuscated-file:dist/cjs/Wizard-BaxyOm8m.js | AI (source-diff): Standard rollup-minified CJS bundle; samples show wizard/schema validation logic only. | ai | |
| source-diff | obfuscated-file:dist/es/forms/Form.mjs | AI (source-diff): Standard rollup-minified ESM bundle; samples show React form reducer logic only. | ai | |
| source-diff | obfuscated-file:dist/es/forms/jsonschema/validator.mjs | AI (source-diff): Standard rollup-minified ESM bundle; samples show JSON schema validation logic only. | ai | |
| source-diff | obfuscated-file:dist/cjs/forms.js | AI (source-diff): Standard rollup-minified CJS bundle; samples show legitimate React form logic, no malicious code. | ai | |
| source-diff | obfuscated-file:dist/cjs/Toast-ai3Mj6na.js | AI (source-diff): Standard rollup-minified CJS bundle; samples show UI component logic only. | ai | |
| phantom-deps | phantom-dep:use-abortable-promise | AI (phantom-deps): May be re-exported or used in config; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@devmoods/oxc | AI (phantom-deps): Same-org package; likely used via build tooling rather than direct import. | ai | |
| phantom-deps | phantom-dep:react-is | AI (phantom-deps): Type/framework package; normal for React component libraries. | ai | |
| phantom-deps | phantom-dep:@types/prismjs | AI (phantom-deps): Type package; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/react | AI (phantom-deps): Type package loaded by convention; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@devmoods/fetch | AI (phantom-deps): Same-org scoped package; may be used indirectly or re-exported. | ai | |
| phantom-deps | phantom-dep:@types/react-dom | AI (phantom-deps): Type package loaded by convention; stable false positive for this package. | ai | |
| typosquat | typosquat.levenshtein:uuid | AI (typosquat): Scoped UI library; Levenshtein match to uuid is a false positive with no impersonation intent. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): Scoped UI library; Levenshtein match to qs is a false positive. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped UI library; Levenshtein match to pg is a false positive. | ai | |
| typosquat | typosquat.levenshtein:yup | AI (typosquat): Scoped UI library; Levenshtein match to yup is a false positive. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped UI library; Levenshtein match to joi is a false positive. | ai | |
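The phantom-dep rows above are worth understanding rather than waving through, because a module that a published bundle `require()`s but does not declare either fails to resolve or resolves to whatever copy happens to be hoisted in the consumer's tree. The following is an added example of that check (this page's own reasoning, not the scanner's implementation and not code from @devmoods/ui): it extracts import specifiers from constructed published files, maps them to package names, and separates runtime phantoms from type-only references such as `@types/*` lookups and from dependencies that are declared but only under `devDependencies`. The `package.json` excerpt, file contents and the `@example/*` names are constructed; the builtin-module list is deliberately partial.

```python
"""Phantom dependency check: modules a package imports but does not declare.

Added example for this page; not the scanner's implementation and not code
from @devmoods/ui. package.json and file contents are constructed.
"""
import re

# Constructed package.json excerpt. clsx is used at runtime but declared only
# as a devDependency, a common mistake that surfaces as a phantom dep.
PACKAGE_JSON = {
    "name": "@example/ui",
    "dependencies": {"@example/fetch": "^1.2.0"},
    "peerDependencies": {"react": ">=18", "react-dom": ">=18"},
    "devDependencies": {"clsx": "^2.0.0", "@types/react": "^18.2.0", "rollup": "^4.0.0"},
}

# Constructed published files (path -> contents).
FILES = {
    "dist/cjs/index.js": (
        '"use strict";var e=require("react"),t=require("clsx"),n=require("@example/fetch/client"),'
        'r=require("use-abortable-promise"),o=require("node:path"),s=require("./Toast-abc123.js");'
    ),
    "dist/es/index.mjs": 'import * as d from "react-dom";import { is } from "react-is";import x from "./x.mjs";',
    "dist/types/index.d.ts": (
        '/// <reference types="react" />\n'
        'import type { FC } from "react";\n'
        'import type { Token } from "prismjs";\n'
    ),
}

NODE_BUILTINS = {"fs", "path", "os", "crypto", "http", "https", "child_process",
                 "url", "util", "events", "stream", "net", "zlib", "buffer"}  # partial list

SPECIFIER_RE = re.compile(
    r'require\(\s*["\']([^"\']+)["\']\s*\)'                                   # CommonJS require()
    r'|\bimport\s+(?:type\s+)?(?:[^"\';]+?\s+from\s+)?["\']([^"\']+)["\']'    # static import
    r'|\bimport\(\s*["\']([^"\']+)["\']\s*\)'                                 # dynamic import()
)
TYPES_REF_RE = re.compile(r'///\s*<reference\s+types=["\']([^"\']+)["\']')


def package_name(spec: str):
    """Map an import specifier to its package; None for relative paths and builtins."""
    if spec.startswith((".", "/", "node:")):
        return None
    parts = spec.split("/")
    if spec.startswith("@"):
        return "/".join(parts[:2]) if len(parts) >= 2 else None
    return None if parts[0] in NODE_BUILTINS else parts[0]


def find_phantoms(package_json: dict, files: dict) -> dict:
    declared = set()
    for key in ("dependencies", "peerDependencies", "optionalDependencies"):
        declared |= set(package_json.get(key, {}))
    dev = set(package_json.get("devDependencies", {}))

    runtime, type_only = set(), set()
    for path, src in files.items():
        for m in SPECIFIER_RE.finditer(src):
            spec = next(g for g in m.groups() if g is not None)
            name = package_name(spec)
            if name is None:
                continue
            if path.endswith(".d.ts") or m.group(0).startswith("import type"):
                type_only.add(name)
            else:
                runtime.add(name)
        for m in TYPES_REF_RE.finditer(src):
            type_only.add(m.group(1))

    return {
        # Real phantoms: will fail to resolve or bind to a hoisted stranger.
        "runtime": sorted(runtime - declared),
        # Used at runtime but declared only for development: wrong section.
        "dev-only": sorted((runtime & dev) - declared),
        # Type references satisfied neither by the package nor by @types/<name>;
        # harmless at runtime, but they explain @types/* rows in a phantom report.
        "type-only": sorted(n for n in type_only
                            if n not in declared and f"@types/{n}" not in declared),
    }
```

Only the `runtime` bucket is a correctness or security problem for consumers; a reviewer accepting a phantom-dep finding should be able to say which bucket it falls in, and "same-org package, probably build tooling" is an answer only if the specifier really does not appear in the shipped files.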
Versions (showing 12 of 12)
| Version | Deps | Published |
|---|---|---|
| 2.17.0 | 12 / 34 | |
| 2.16.0 | 11 / 35 | |
| 2.15.0 | 10 / 35 | |
| 2.14.0 | 9 / 36 | |
| 2.13.0 | 9 / 36 | |
| 2.12.2 | 9 / 36 | |
| 2.12.1 | 9 / 36 | |
| 2.12.0 | 9 / 36 | |
| 2.11.0 | 8 / 32 | |
| 2.10.2 | 8 / 30 | |
| 2.10.1 | 8 / 30 | |
| 2.10.0 | 8 / 30 | |
v2.17.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.16.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.15.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.14.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.13.0
7 findings: Six newly added source files (each flagged separately) contain lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.12.2
7 findings: Six newly added source files (each flagged separately) contain lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.12.1
7 findings: Six newly added source files (each flagged separately) contain lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.12.0
7 findings: Six newly added source files (each flagged separately) contain lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
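The long-line rule behind those findings is cheap and catches real obfuscation, but every Rollup chunk under dist/ trips it too, which is why the accepted-risks table is full of dist/cjs/*.js entries. As an added example (not the scanner's code and not code from @devmoods/ui), the block below applies the rule as stated on this page, any line over 3000 characters, and then runs a second pass that looks for the markers a minifier does not produce: hex-escaped string tables, `_0x` identifiers and dynamic code evaluation. Both sample files are constructed, and the triage signals are this example's own heuristics, not the scanner's.

```python
"""The obfuscated-file rule (any line over 3000 characters) plus a triage pass.

Added example for this page; not the scanner's code and not code from
@devmoods/ui. The threshold is the one quoted in the findings; the extra
signals that separate a minified chunk from obfuscated code are this example's
own heuristics. Both sample files are constructed.
"""
import re

LONG_LINE = 3000  # threshold from the "obfuscated-file" findings on this page

# Constructed stand-in for a minified dist/ chunk: one very long line, readable
# identifiers, and a sourcemap pointer.
MINIFIED = (
    '"use strict";var e=require("react");'
    + 'function t(n){return e.createElement("div",{className:n.className},n.children)}' * 50
    + '\nexports.Toast=t;\n//# sourceMappingURL=Toast.js.map\n'
)

# Constructed obfuscated file: hex-escaped string table, _0x identifiers and
# dynamic evaluation, also on one long line.
OBFUSCATED = (
    'var _0x4a2b=["\\x68\\x74\\x74\\x70\\x73","\\x66\\x65\\x74\\x63\\x68"];' * 60
    + 'eval(String.fromCharCode(102,101,116,99,104)+"(_0x4a2b[0])");\n'
)


def longest_line(src: str) -> int:
    return max((len(line) for line in src.split("\n")), default=0)


def triage(path: str, src: str) -> dict:
    """Apply the long-line rule, then look for signs of real obfuscation."""
    flagged = longest_line(src) > LONG_LINE
    hex_escapes = len(re.findall(r"\\x[0-9a-fA-F]{2}", src))
    dynamic_eval = bool(re.search(r"\b(?:eval|Function)\s*\(|\bfromCharCode\b", src))
    hex_identifiers = bool(re.search(r"\b_0x[0-9a-f]{4,}\b", src))
    has_sourcemap = "sourceMappingURL=" in src
    in_build_dir = path.startswith(("dist/", "build/", "lib/"))

    suspicious = hex_escapes > 20 or dynamic_eval or hex_identifiers
    if not flagged:
        verdict = "pass"
    elif suspicious:
        verdict = "review"           # long line plus obfuscation markers
    elif in_build_dir and has_sourcemap:
        verdict = "likely-minified"  # weak evidence; diff against a rebuild before accepting
    else:
        verdict = "review"
    return {
        "path": path,
        "longest_line": longest_line(src),
        "flagged": flagged,
        "hex_escapes": hex_escapes,
        "dynamic_eval": dynamic_eval,
        "hex_identifiers": hex_identifiers,
        "sourcemap": has_sourcemap,
        "verdict": verdict,
    }


def triage_all(files: dict) -> dict:
    """path -> verdict for a set of published files."""
    return {path: triage(path, src)["verdict"] for path, src in files.items()}
```

A "likely-minified" verdict is a reason to spend less time, not a reason to accept: a sourcemap comment and a dist/ path are trivial for an attacker to add. The check that actually closes the question is rebuilding from the tagged source and diffing the output, which is exactly what the missing provenance makes hard to do with confidence.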
v2.11.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.10.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.10.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.10.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.