@doenet/v06-to-v07
Convert DoenetML v0.6 syntax to v0.7 syntax
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:index-Cupe6uz0.js | AI (source-diff): Large bundled JS; network+exec pattern is from bundled deps, not malicious dropper logic. | ai | |
| source-diff | obfuscated-file:index-Cupe6uz0.js | AI (source-diff): Minified bundle with source map; readable function names, no actual obfuscation. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:index-0tzGJx6k.js | AI (source-diff): Minified build bundle from verified CI/CD pipeline with SLSA provenance; not obfuscation. | ai | |
| source-diff | obfuscated-file:lib_doenetml_worker_bg-DwVzJx0O.js | AI (source-diff): Base64-encoded WASM binary embedded in JS worker bundle; standard pattern for this package, SLSA attested. | ai | |
| source-diff | net-exec-file:index-0tzGJx6k.js | AI (source-diff): Network+exec pattern in a bundled JS file is expected for this educational runtime package; SLSA provenance confirmed. | ai | |
| source-diff | obfuscated-file:index-zbifTRcx.js | AI (source-diff): Large bundled build artifact from Vite/Rollup; consistent with DoenetML's build pipeline across versions. | ai | |
| source-diff | net-exec-file:index-zbifTRcx.js | AI (source-diff): Network+exec pattern in a bundled JS file for a document renderer; not dropper behavior given SLSA provenance and package context. | ai | |
| source-diff | obfuscated-file:lib_doenetml_worker_bg-BM0N5IWb.js | AI (source-diff): Base64-encoded WASM binary loaded via standard decode pattern; expected for a WebAssembly-based worker in DoenetML. | ai | |
| source-diff | obfuscated-file:lib_doenetml_worker_bg-BESj2U8m.js | AI (source-diff): File is a wasm-bindgen generated WASM binary embedded as base64 (AGFzbQ = WebAssembly magic bytes). Standard pattern for Rust/WASM packages; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:lib_doenetml_worker_bg-WWz9okAR.js | AI (source-diff): File is a WASM binary encoded as base64 for runtime decoding — standard pattern for WASM-in-JS bundles. The base64 prefix decodes to WebAssembly magic bytes. Not obfuscation. | ai | |
| source-diff | obfuscated-file:lib_doenetml_worker_bg-vvF6Ak-p.js | AI (source-diff): This file is a wasm-bindgen build artifact: a WebAssembly binary encoded as base64 (AGFzbQEAAAA = WASM magic bytes). Long-line 'obfuscation' is inherent to this standard WASM bundling pattern for the DoenetML project. | ai | |
| source-diff | obfuscated-file:lib_doenetml_worker_bg-LCFlxjDA.js | AI (source-diff): File contains a base64-encoded WebAssembly binary (magic bytes AGFzbQ == \0asm), a standard bundler pattern for shipping WASM. Not obfuscation — legitimate build artifact from the DoenetML project. | ai | |
| source-diff | obfuscated-file:lib_doenetml_worker_bg-BK4_WeGO.js | AI (source-diff): File is a WebAssembly binary bundled as base64 (AGFzbQ... = WASM magic bytes). Standard pattern for shipping compiled WASM in JS packages; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:lib_doenetml_worker_bg-BDYeSWWa.js | AI (source-diff): Long lines are a base64-encoded WebAssembly binary (wasm-bindgen output pattern). The file starts with standard WASM magic bytes encoded in base64. This is a legitimate and common pattern for shipping WASM modules in JS packages. | ai | |
| source-diff | obfuscated-file:lib_doenetml_worker_bg-CK2aTDXN.js | AI (source-diff): File is a WebAssembly binary encoded as base64 (AGFzbQ = WASM magic bytes), a standard distribution pattern for wasm-pack/Rust WASM modules. Not obfuscated malicious code. | ai | |
Versions (showing 21 of 21)
| Version | Deps | Published |
|---|---|---|
| 0.7.20 | 0 / 0 | |
| 0.7.19 | 0 / 0 | |
| 0.7.18 | 0 / 0 | |
| 0.7.17 | 0 / 0 | |
| 0.7.16 | 0 / 0 | |
| 0.7.15 | 0 / 0 | |
| 0.7.14 | 0 / 0 | |
| 0.7.13 | 0 / 0 | |
| 0.7.12 | 0 / 0 | |
| 0.7.11 | 0 / 0 | |
| 0.7.10 | 0 / 0 | |
| 0.7.9 | 0 / 0 | |
| 0.7.8 | 0 / 0 | |
| 0.7.7 | 0 / 0 | |
| 0.7.6 | 0 / 0 | |
| 0.7.5 | 0 / 0 | |
| 0.7.4 | 0 / 0 | |
| 0.7.3 | 0 / 0 | |
| 0.7.2 | 0 / 0 | |
| 0.7.1 | 0 / 0 | |
| 0.7.0 | 0 / 0 | |
v0.7.20
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.19
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.18
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.17
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.15
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.14
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.13
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.12
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.11
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.