@diplodoc/client
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:build/client/vendor-a301303071ab49a2.js | AI (source-diff): Vendor bundle with cookie/HTTP parsing libs; normal frontend dependency bundling, no malicious indicators. | ai | |
| source-diff | obfuscated-file:build/client/search-6389fee2cb71e580.js | AI (source-diff): Standard webpack-minified search bundle; same build artifact pattern as other client files. | ai | |
| source-diff | net-exec-file:build/client/app-f86067fc0d7ffb1e.js | AI (source-diff): Network calls and dynamic module loading are normal in a React SPA bundle; no malicious payload evident. | ai | |
| source-diff | obfuscated-file:build/client/app-f86067fc0d7ffb1e.js | AI (source-diff): Standard webpack/rspack minified React bundle; consistent with this package's documented build process. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Established package with empty description field; not indicative of malice. | ai | |
| source-diff | obfuscated-file:build/client/app-06661d5c25bbe373.js | AI (source-diff): Standard webpack-minified React app bundle; consistent with this package's documented build output. | ai | |
| source-diff | net-exec-file:build/client/app-06661d5c25bbe373.js | AI (source-diff): Network calls and dynamic requires in webpack bundle are normal for a React frontend client package. | ai | |
| source-diff | obfuscated-file:build/client/search-d6011929331ae16f.js | AI (source-diff): Standard webpack-minified search bundle; consistent with this package's documented build output. | ai | |
| source-diff | net-exec-file:build/client/vendor-d624c3b1cfc0a16a.js | AI (source-diff): Vendor bundle with cookie/WASM parsing; normal for a bundled frontend package. | ai | |
| provenance | publisher-changed | AI (provenance): Transition to GitHub Actions CI/CD publishing with SLSA attestation; legitimate pipeline change for diplodoc-platform org. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Dormancy explained by CI/CD pipeline migration; package has 140 versions and active ecosystem use. | ai | |
| source-diff | net-exec-file:build/client/app-2f5a2932377400c3.js | AI (source-diff): Network calls and dynamic requires are standard in bundled React/webpack frontend apps. | ai | |
| source-diff | net-exec-file:build/client/vendor-02b4192ee805dad6.js | AI (source-diff): Vendor bundle with cookie/HTTP parsing code; standard bundled dependency output. | ai | |
| source-diff | obfuscated-file:build/client/app-2f5a2932377400c3.js | AI (source-diff): Minified webpack bundle; expected output for this frontend client package. | ai | |
| source-diff | encoded-string-file:build/server/vendor.js | AI (source-diff): Base64 string is the llhttp WASM binary, a well-known HTTP parser used by Node.js ecosystem. | ai | |
| source-diff | obfuscated-file:build/client/search-f5b7fe09164e8fb4.js | AI (source-diff): Minified webpack bundle; expected output for this frontend client package. | ai | |
Versions (showing 9 of 9)
| Version | Deps | Published |
|---|---|---|
| 5.7.1 | 0 / 34 | |
| 5.7.0 | 0 / 34 | |
| 5.6.1 | 0 / 34 | |
| 5.6.0 | 0 / 34 | |
| 5.5.4 | 0 / 34 | |
| 5.2.17 | 0 / 34 | |
| 5.2.15 | 0 / 34 | |
| 5.2.14 | 0 / 34 | |
| 5.2.13 | 0 / 34 | |
v5.7.1
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.7.0
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.6.1
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.6.0
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.5.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.2.17
3 findings
This version was published by a different npm account than previous versions on 2026-04-08. This could indicate a legitimate maintainer transition or an account compromise.
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.2.15
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.2.14
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.2.13
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.