@djb25/digit-ui-module-ws
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/index.modern.js | AI (source-diff): Bundled React UI module; long lines are normal minified output, not obfuscation. Stable pattern for this package. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase reflects addition of modern ES module build + source maps; expected for this package type. | ai | |
| source-diff | net-exec-file:dist/index.modern.js | AI (source-diff): Network calls are React data-fetching hooks; dynamic execution is standard React rendering. No dropper behavior present. | ai | |
| dependencies | unvetted-dep:xlsx | AI (dependencies): xlsx is a well-known spreadsheet library; version 0.17.5 has no critical blocking advisory for this use case. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Consistent across all versions of this package; cosmetic issue only. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Established scoped package with 24 versions and real download traffic; metadata gaps are cosmetic. | ai | |
| phantom-deps | phantom-dep:microbundle-crl | AI (phantom-deps): microbundle-crl is a build tool referenced in scripts only; not imported in source is expected. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): react-dom is a standard peer/build dep referenced in config; not directly imported in source is expected for UI modules. | ai |
Versions (showing 14 of 14)
| Version | Deps | Published |
|---|---|---|
| 1.0.25 | 9 / 0 | |
| 1.0.24 | 9 / 0 | |
| 1.0.23 | 9 / 0 | |
| 1.0.20 | 9 / 0 | |
| 1.0.19 | 9 / 0 | |
| 1.0.17 | 9 / 0 | |
| 1.0.16 | 9 / 0 | |
| 1.0.14 | 9 / 0 | |
| 1.0.11 | 9 / 0 | |
| 1.0.10 | 9 / 0 | |
| 1.0.4 | 9 / 0 | |
| 1.0.3 | 9 / 0 | |
| 1.0.1 | 9 / 0 | |
| 1.0.0 | 9 / 0 |
v1.0.25
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.24
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.20
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.19
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.17
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.16
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.14
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.10
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.4
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: djb25.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.3
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: djb25.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.