@doenet/doenetml
Semantic markup for building interactive web activities
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:choiceInput-BWOof7hN.js | AI (source-diff): Vite/Rollup minified bundle output for a React UI component; stable pattern for this package. | ai | |
| source-diff | obfuscated-file:doenetml-C8nlk6ys.js | AI (source-diff): Main Vite bundle; minified React+library code, not obfuscated malware. | ai | |
| source-diff | net-exec-file:doenetml-C8nlk6ys.js | AI (source-diff): Network calls and dynamic code in a React/math rendering bundle are expected; no exfiltration pattern. | ai | |
| source-diff | obfuscated-file:index.es-qZRrNQtQ.js | AI (source-diff): Minified Vite bundle; standard build artifact for this package. | ai | |
| source-diff | obfuscated-file:JSXGraphRenderer-B_dMP6Ox.js | AI (source-diff): JSXGraph renderer bundle; minified library code, not obfuscated malware. | ai | |
| source-diff | net-exec-file:JSXGraphRenderer-B_dMP6Ox.js | AI (source-diff): JSXGraph is a math graphing library; network+eval patterns are part of its rendering engine, not dropper behavior. | ai | |
| source-diff | obfuscated-file:doenetml-CaR7hAsx.js | AI (source-diff): Standard Vite bundle output; minified React/JSX runtime, not obfuscated malware. | ai | |
| source-diff | net-exec-file:JSXGraphRenderer-CBqNx0Le.js | AI (source-diff): JSXGraph math renderer; network+eval patterns are part of the graphing library, not malware. | ai | |
| source-diff | net-exec-file:doenetml-CaR7hAsx.js | AI (source-diff): Network calls in a React UI bundle are expected; no dropper pattern present. | ai | |
| source-diff | obfuscated-file:JSXGraphRenderer-CBqNx0Le.js | AI (source-diff): JSXGraph renderer bundle; minified library code, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:index.es-D7WFhVLQ.js | AI (source-diff): Standard Vite bundle output with content-hash filename. | ai | |
| source-diff | obfuscated-file:choiceInput-BWGRwnkz.js | AI (source-diff): Standard Vite bundle output with content-hash filename; not intentionally obfuscated. | ai | |
| source-diff | net-exec-file:doenetml-CL2AO1GX.js | AI (source-diff): Network calls are React/DOM APIs; dynamic execution is standard JS module patterns, not dropper behavior. | ai | |
| source-diff | net-exec-file:JSXGraphRenderer-CvjJmoGR.js | AI (source-diff): JSXGraph renderer; network/exec pattern is standard canvas/math library behavior. | ai | |
| source-diff | net-exec-file:doenetml-worker/index.esm.js | AI (source-diff): Comlink worker pattern using MessageChannel; legitimate web worker IPC, not malware. | ai | |
| source-diff | obfuscated-file:JSXGraphRenderer-CvjJmoGR.js | AI (source-diff): JSXGraph library bundled via Vite; minified but not obfuscated malware. | ai | |
| source-diff | obfuscated-file:index.es-Bj-KJ6mU.js | AI (source-diff): Standard Vite/Rollup minified bundle output; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:doenetml-CL2AO1GX.js | AI (source-diff): Standard Vite/Rollup minified bundle output; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:choiceInput-C6KhnY9I.js | AI (source-diff): Standard Vite/Rollup minified bundle output; not obfuscated malware. | ai | |
| source-diff | net-exec-file:JSXGraphRenderer-DPK2Zrod.js | AI (source-diff): JSXGraph renderer legitimately uses network and dynamic code for interactive math graphs; not malware. | ai | |
| source-diff | obfuscated-file:choiceInput-CNEXUnED.js | AI (source-diff): Vite/Rollup minified bundle output; content-hash filename is standard build artifact for this package. | ai | |
| source-diff | net-exec-file:doenetml-kFTOgchQ.js | AI (source-diff): Network calls and dynamic code in a React/MathJax UI bundle are expected; no dropper pattern visible in samples. | ai | |
| source-diff | obfuscated-file:JSXGraphRenderer-DPK2Zrod.js | AI (source-diff): Vite/Rollup minified bundle output; content-hash filename is standard build artifact for this package. | ai | |
| source-diff | obfuscated-file:index.es-pyZGfcPk.js | AI (source-diff): Vite/Rollup minified bundle output; content-hash filename is standard build artifact for this package. | ai | |
| source-diff | obfuscated-file:doenetml-kFTOgchQ.js | AI (source-diff): Vite/Rollup minified bundle output; content-hash filename is standard build artifact for this package. | ai | |
| source-diff | obfuscated-file:JSXGraphRenderer-DO77WbpG.js | AI (source-diff): JSXGraph renderer bundle; minification is expected for this math-education library. | ai | |
| source-diff | obfuscated-file:choiceInput-CXKWjd-w.js | AI (source-diff): Vite-bundled React component; minification is expected for this UI library's build output. | ai | |
| source-diff | net-exec-file:JSXGraphRenderer-DO77WbpG.js | AI (source-diff): JSXGraph uses dynamic code patterns for geometry rendering; not a dropper/loader. | ai | |
| source-diff | obfuscated-file:doenetml-BPsLSRHD.js | AI (source-diff): Main Vite bundle; minified React/MathJax code is expected for this package. | ai | |
| source-diff | obfuscated-file:index.es-XE1CVwqn.js | AI (source-diff): Vite-bundled ES module; minification is expected for this UI library. | ai | |
| source-diff | net-exec-file:doenetml-BPsLSRHD.js | AI (source-diff): Network calls are MathJax/React rendering; dynamic code execution is eval-based math typesetting, not malware. | ai | |
| source-diff | obfuscated-file:choiceInput-CB0sTPUg.js | AI (source-diff): Hash-suffixed Vite bundle chunk containing React component code with Babel helpers. Standard minified build output for this educational UI library. | ai | |
| source-diff | obfuscated-file:doenetml-BrZbjLNB.js | AI (source-diff): Hash-suffixed Vite/Rollup bundle artifact. Long lines are minified output of React/MathJax/JSXGraph dependencies, not obfuscation. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:JSXGraphRenderer-B3Gy-2_L.js | AI (source-diff): Hash-suffixed Vite bundle chunk containing JSXGraph library code. Minified output of a well-known geometry library, not obfuscation. | ai | |
| source-diff | obfuscated-file:index.es-Br7-Oilx.js | AI (source-diff): Hash-suffixed Vite bundle chunk with standard React/PropTypes patterns. Minified build output consistent with this package's build toolchain. | ai | |
| source-diff | net-exec-file:doenetml-BrZbjLNB.js | AI (source-diff): False positive: MathJax and React bundled together trigger net+exec heuristic. No actual dropper/loader behavior; code is standard educational platform dependencies. | ai | |
| source-diff | net-exec-file:JSXGraphRenderer-B3Gy-2_L.js | AI (source-diff): False positive: JSXGraph library uses dynamic property patterns that trigger this rule. No actual network-based code execution; this is a geometry rendering library. | ai | |
| source-diff | net-exec-file:graph-DsTFRi67.js | AI (source-diff): False positive. JSXGraph library legitimately uses dynamic patterns for math rendering. No dropper/loader behavior visible in samples. | ai | |
| source-diff | net-exec-file:doenetml-C84JdEoo.js | AI (source-diff): False positive. Network usage is likely MathJax font/resource loading; dynamic execution patterns are from math expression parsers. No malicious payload visible in samples. | ai | |
| source-diff | obfuscated-file:index.es-glh50Lm5.js | AI (source-diff): Vite/Rollup build artifact with hash-suffixed filename. Code samples show standard React/PropTypes patterns — expected bundler output. | ai | |
| source-diff | obfuscated-file:graph-DsTFRi67.js | AI (source-diff): Vite/Rollup build artifact containing JSXGraph library code — a well-known open-source math graphing library. Expected output for a math education tool. | ai | |
| source-diff | obfuscated-file:choiceInput-ClEInUZr.js | AI (source-diff): Vite/Rollup build artifact. Code samples show React component code with Babel helpers — standard bundler output for this educational UI library. | ai | |
| source-diff | obfuscated-file:doenetml-C84JdEoo.js | AI (source-diff): Vite/Rollup build artifact with hash-suffixed filename. Code samples show standard React/JSX boilerplate. This is expected bundler output for a math/interactive content library. | ai | |
| source-diff | obfuscated-file:index.es-pM9TTFwk.js | AI (source-diff): Vite code-split chunk with standard Babel transpilation helpers. Minified build artifact, not obfuscation. Stable for this package. | ai | |
| source-diff | net-exec-file:graph-nKjcVV0x.js | AI (source-diff): JSXGraph uses dynamic code patterns for math rendering. Network calls are for content loading. Not malware. Stable false positive for this package. | ai | |
| source-diff | net-exec-file:doenetml-jBZLIepG.js | AI (source-diff): Network + dynamic execution in a math/interactive-content renderer (MathJax, React) is expected. Not dropper/loader behavior. Stable false positive for this package. | ai | |
| source-diff | obfuscated-file:graph-nKjcVV0x.js | AI (source-diff): Vite chunk bundling JSXGraph (a well-known math graphing library). Minified build artifact, not obfuscation. Stable for this package. | ai | |
| source-diff | obfuscated-file:choiceInput-D-BRbHaR.js | AI (source-diff): Vite code-split chunk for a UI component. Minified build artifact, not obfuscated malware. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:doenetml-jBZLIepG.js | AI (source-diff): This is a Vite-bundled chunk of the DoenetML framework (React, MathJax, etc.). Long lines are minified build output, not obfuscation. Pattern is stable for this package. | ai | |
| source-diff | obfuscated-file:choiceInput-CNWkwYoK.js | AI (source-diff): Minified Vite build artifact for a React UI component. Long lines are from bundling, not obfuscation. Stable pattern for this package's build output. | ai | |
| source-diff | net-exec-file:graph-BXPUo6AC.js | AI (source-diff): JSXGraph integration in a browser framework legitimately combines network and dynamic code. No malware indicators in samples. | ai | |
| source-diff | net-exec-file:doenetml-BEDslwTv.js | AI (source-diff): Browser-side educational framework legitimately uses network (MathJax CDN, etc.) and dynamic execution (math rendering). No malware indicators in samples. | ai | |
| source-diff | obfuscated-file:index.es-kkvLGxeI.js | AI (source-diff): Minified Vite build artifact with standard React/PropTypes patterns. Not obfuscation. | ai | |
| source-diff | obfuscated-file:graph-BXPUo6AC.js | AI (source-diff): Minified Vite bundle containing JSXGraph (jxg) for interactive math graphs. Standard build artifact for this educational framework. | ai | |
| source-diff | obfuscated-file:doenetml-BEDslwTv.js | AI (source-diff): Minified Vite bundle containing React, MathJax, and other legitimate deps. Content-hash naming confirms build artifact. Not obfuscation. | ai | |
| source-diff | obfuscated-file:doenetml-cB_aZGJ5.js | AI (source-diff): Standard Vite/Rollup bundle output for the main DoenetML React library. Minified but not obfuscated; content is recognizable React/JSX runtime code. | ai | |
| source-diff | net-exec-file:graph-DQks9OE0.js | AI (source-diff): JSXGraph geometry library with React rendering. Dynamic code execution is React's createElement; network calls are expected for a graphing/math library. Not malware. | ai | |
| source-diff | net-exec-file:doenetml-cB_aZGJ5.js | AI (source-diff): React rendering engine (createElement, dynamic rendering) combined with MathJax/network loading is expected for an interactive math education library. Not dropper/loader malware. | ai | |
| source-diff | obfuscated-file:choiceInput-sdr8Da04.js | AI (source-diff): Standard Vite/Rollup bundle output for a React UI component. Content-hash filename is characteristic of Vite chunking. No actual obfuscation. | ai | |
| source-diff | obfuscated-file:index.es-DKppzeUo.js | AI (source-diff): Standard Vite/Rollup bundle output. Content is recognizable React utility code (_defineProperty, _objectSpread2, etc.). | ai | |
| source-diff | obfuscated-file:graph-DQks9OE0.js | AI (source-diff): Contains JSXGraph library (open-source geometry library) bundled via Vite. Minified but not obfuscated; code structure is clearly readable. | ai | |
| source-diff | obfuscated-file:doenetml-Ct7JoBbr.js | AI (source-diff): Main bundle chunk from Vite/Rollup build. Samples show React runtime, JSXGraph, MathJax — all legitimate open-source libraries. | ai | |
| source-diff | obfuscated-file:choiceInput-eYE69big.js | AI (source-diff): Minified Vite/Rollup build output for a React UI component. Code samples show standard React/Babel transpiled code, not obfuscation. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 89 new files reflect a switch to Vite/Rollup code-splitting. Expected for a large educational math rendering library refactor. | ai | |
| source-diff | obfuscated-file:index.es-D1BgRYSe.js | AI (source-diff): Standard Babel-transpiled React component with PropTypes. Minified build output, not obfuscation. | ai | |
| source-diff | net-exec-file:graph-DlEceXM8.js | AI (source-diff): JSXGraph uses eval-like patterns for performance; network calls are for math rendering. Legitimate library behavior. | ai | |
| source-diff | obfuscated-file:graph-DlEceXM8.js | AI (source-diff): JSXGraph (math graphing library) bundled output. Long lines are minified library code, not obfuscation. | ai | |
| source-diff | net-exec-file:doenetml-Ct7JoBbr.js | AI (source-diff): Network calls are MathJax/fetch for math rendering; dynamic code patterns are from bundled JSXGraph. No malware indicators in samples. | ai | |
Versions (showing 21 of 21)
| Version | Deps | Published |
|---|---|---|
| 0.7.20 | 0 / 0 | |
| 0.7.19 | 0 / 0 | |
| 0.7.18 | 0 / 0 | |
| 0.7.17 | 0 / 0 | |
| 0.7.16 | 0 / 0 | |
| 0.7.15 | 0 / 0 | |
| 0.7.14 | 0 / 0 | |
| 0.7.13 | 0 / 0 | |
| 0.7.12 | 0 / 0 | |
| 0.7.11 | 0 / 0 | |
| 0.7.10 | 0 / 0 | |
| 0.7.9 | 0 / 0 | |
| 0.7.8 | 0 / 0 | |
| 0.7.7 | 0 / 0 | |
| 0.7.6 | 0 / 0 | |
| 0.7.5 | 0 / 0 | |
| 0.7.4 | 0 / 0 | |
| 0.7.3 | 0 / 0 | |
| 0.7.2 | 0 / 0 | |
| 0.7.1 | 0 / 0 | |
| 0.7.0 | 0 / 0 | |
v0.7.20
7 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.19
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.18
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.17
7 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.15
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.14
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.13
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.12
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.11
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.9
7 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.