@diplodoc/cli
Make documentation using yfm-docs in Markdown and HTML formats
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:assets/app-06661d5c25bbe373.js | AI (source-diff): Network calls and dynamic code in webpack bundle are normal React app patterns, not dropper behavior. | ai | |
| source-diff | net-exec-file:assets/vendor-d624c3b1cfc0a16a.js | AI (source-diff): Vendor bundle (cookie parsing, etc.) is normal webpack output for this documentation tool. | ai | |
| source-diff | obfuscated-file:assets/search-d6011929331ae16f.js | AI (source-diff): Standard webpack-minified search bundle for diplodoc viewer. | ai | |
| source-diff | obfuscated-file:assets/app-06661d5c25bbe373.js | AI (source-diff): Standard webpack-minified frontend bundle for diplodoc documentation viewer; not malware. | ai | |
| source-diff | net-exec-file:assets/app-f86067fc0d7ffb1e.js | AI (source-diff): Network calls and dynamic code in webpack bundle are React/router patterns, not dropper behavior. | ai | |
| source-diff | obfuscated-file:assets/app-f86067fc0d7ffb1e.js | AI (source-diff): Standard webpack-minified React frontend bundle for docs viewer; consistent with diplodoc-platform/cli's documented build output. | ai | |
| source-diff | obfuscated-file:assets/search-6389fee2cb71e580.js | AI (source-diff): Webpack-minified search UI bundle; same pattern as other frontend assets in this docs CLI. | ai | |
| source-diff | net-exec-file:assets/vendor-a301303071ab49a2.js | AI (source-diff): Vendor bundle (cookie parsing, webpack runtime); standard build artifact for this docs generator. | ai | |
| phantom-deps | phantom-dep:@inquirer/prompts | AI (phantom-deps): Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:markdown-it-sup | AI (phantom-deps): Stable false positive for this docs toolchain. | ai | |
| source-diff | net-exec-file:assets/vendor-19f237a87f1f5fe7.js | AI (source-diff): Webpack-bundled frontend asset for a docs tool; sample shows standard cookie/module code, not malware. | ai | |
| phantom-deps | phantom-dep:execa | AI (phantom-deps): Stable false positive for this docs toolchain package. | ai | |
| phantom-deps | phantom-dep:katex | AI (phantom-deps): Stable false positive; bundled into frontend assets. | ai | |
| phantom-deps | phantom-dep:threads | AI (phantom-deps): Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:chroma-js | AI (phantom-deps): Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:highlight.js | AI (phantom-deps): Stable false positive; bundled into frontend assets. | ai | |
| phantom-deps | phantom-dep:markdown-it-meta | AI (phantom-deps): Stable false positive for this docs toolchain. | ai | |
| source-diff | net-exec-file:assets/vendor-b240c30f2bda07da.js | AI (source-diff): Webpack-bundled frontend assets for a docs CLI; network+eval pattern is standard bundler output, not malware. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): @diplodoc/cli is a documentation CLI; levenshtein match to 'joi' is a false positive with no brand overlap. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is inside requireExtension(), a documented plugin/extension loader; stable pattern for this package. | ai | |
Versions (showing 8 of 8)
| Version | Deps | Published |
|---|---|---|
| 5.39.2 | 27 / 45 | |
| 5.39.1 | 27 / 45 | |
| 5.39.0 | 27 / 45 | |
| 5.38.1 | 27 / 45 | |
| 5.37.1 | 27 / 45 | |
| 5.36.6 | 27 / 45 | |
| 5.36.4 | 27 / 45 | |
| 5.36.0 | 27 / 45 | |
v5.39.2
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.39.1
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.39.0
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.38.1
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.37.1
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.36.6
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.36.4
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.36.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.