@dreamkit/site
DreamKit Website.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/_astro/Example.astro_astro_type_script_index_0_lang.CTCxcr7B.js | AI (source-diff): Minified Astro/Vite build output for client-zip dependency; standard zip-handling code, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/_astro/stackblitz.Cz35-Ora.js | AI (source-diff): Minified bundle of @stackblitz/sdk dependency; content matches SDK API surface, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/_astro/Example.astro_astro_type_script_index_0_lang.BCPSZRX5.js | AI (source-diff): Compiled Astro component script (client-zip usage); standard minified build artifact for this site package. | ai | |
| source-diff | obfuscated-file:dist/_astro/stackblitz.CHMqz7jG.js | AI (source-diff): Minified bundle of @stackblitz/sdk — declared dependency, standard Vite/Astro build output. | ai | |
| source-diff | obfuscated-file:dist/_astro/stackblitz.BPHzphwu.js | AI (source-diff): Minified bundle of @stackblitz/sdk dependency; standard Astro/Vite build output for this site package. | ai | |
| source-diff | obfuscated-file:dist/_astro/Example.astro_astro_type_script_index_0_lang.nLjwCsRD.js | AI (source-diff): Minified Astro component script (client-zip usage); standard Vite build artifact for this site package. | ai | |
| source-diff | obfuscated-file:dist/_astro/Example.astro_astro_type_script_index_0_lang.BFPX3UvZ.js | AI (source-diff): Minified Astro component script (client-zip utility); standard Vite/Astro build artifact. | ai | |
| source-diff | obfuscated-file:dist/_astro/stackblitz.H0rrZv67.js | AI (source-diff): Minified bundle of @stackblitz/sdk, a declared dependency; standard Astro build output. | ai | |
| source-diff | obfuscated-file:dist/_astro/stackblitz.DxmRtUWt.js | AI (source-diff): Minified build of @stackblitz/sdk, a declared dependency; content matches SDK source. | ai | |
| source-diff | obfuscated-file:dist/_astro/Example.astro_astro_type_script_index_0_lang.DAVkTskB.js | AI (source-diff): Minified Astro/Vite build artifact bundling client-zip; no malicious patterns in sample. | ai | |
| source-diff | obfuscated-file:dist/_astro/stackblitz.uiA-QP9V.js | AI (source-diff): Minified bundle of declared @stackblitz/sdk dependency; expected Astro/Vite build output. | ai | |
| source-diff | obfuscated-file:dist/_astro/Example.astro_astro_type_script_index_0_lang.BFJidG32.js | AI (source-diff): Compiled Astro component script; standard Vite minified output for this site package. | ai | |
| source-diff | obfuscated-file:dist/_astro/Example.astro_astro_type_script_index_0_lang.DK4trp4Y.js | AI (source-diff): Minified Astro component script (client-zip utility); expected Vite build artifact. | ai | |
| source-diff | obfuscated-file:dist/_astro/stackblitz.DEYMlOGA.js | AI (source-diff): Minified bundle of @stackblitz/sdk dependency; expected Astro/Vite build output. | ai | |
| source-diff | obfuscated-file:dist/_astro/Example.astro_astro_type_script_index_0_lang.CIYD39dI.js | AI (source-diff): Minified Astro/Vite build output bundling client-zip (declared dep); no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/_astro/stackblitz.DAHcz5So.js | AI (source-diff): Minified build artifact of @stackblitz/sdk, a declared dependency; content matches SDK API surface. | ai | |
| source-diff | obfuscated-file:dist/_astro/Example.astro_astro_type_script_index_0_lang.CJZhPJUX.js | AI (source-diff): Minified Astro component script bundle; expected Vite build output for this site package. | ai | |
| source-diff | obfuscated-file:dist/_astro/stackblitz.DGQCH-08.js | AI (source-diff): Minified @stackblitz/sdk bundle; expected Astro/Vite build artifact for this package. | ai | |
| source-diff | obfuscated-file:dist/_astro/Example.astro_astro_type_script_index_0_lang.Ftzjtd5T.js | AI (source-diff): Minified Astro component script in dist output; standard Vite/Astro build artifact. | ai | |
| source-diff | obfuscated-file:dist/_astro/stackblitz.BP52EUtQ.js | AI (source-diff): Minified @stackblitz/sdk bundle in Astro dist output; content-hash filename is standard Vite build artifact. | ai | |
| source-diff | obfuscated-file:dist/_astro/Example.astro_astro_type_script_index_0_lang.CsrBGGvV.js | AI (source-diff): Minified Astro component script in dist output; standard Vite/Astro build artifact. | ai | |
| source-diff | obfuscated-file:dist/_astro/stackblitz.CR9PErYr.js | AI (source-diff): Minified @stackblitz/sdk bundle in Astro dist output; expected build artifact for this site package. | ai | |
| source-diff | obfuscated-file:dist/_astro/Example.astro_astro_type_script_index_0_lang.C54jXC7s.js | AI (source-diff): Minified Astro component script (SolidJS + client-zip); standard Vite build artifact. | ai | |
| source-diff | obfuscated-file:dist/_astro/stackblitz.BZg3Fbna.js | AI (source-diff): Minified @stackblitz/sdk bundle; expected Astro/Vite build output for this site package. | ai | |
| source-diff | obfuscated-file:dist/_astro/Example.astro_astro_type_script_index_0_lang.CXOB9Qto.js | AI (source-diff): Minified Astro component build artifact; consistent with Astro/Vite build pipeline for this package. | ai | |
| source-diff | obfuscated-file:dist/_astro/stackblitz.jlXOaUKY.js | AI (source-diff): Minified @stackblitz/sdk bundle; matches declared dependency and content is clearly the StackBlitz SDK. | ai | |
| source-diff | obfuscated-file:dist/_astro/Example.astro_astro_type_script_index_0_lang.BnsJLXWO.js | AI (source-diff): Minified client-zip utility in Astro dist output; stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/_astro/stackblitz.ogtKFtVv.js | AI (source-diff): Minified @stackblitz/sdk bundle in Astro dist output; stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/_astro/Example.astro_astro_type_script_index_0_lang.CDYcQPs3.js | AI (source-diff): Minified Astro component script (client-zip utilities); declared dependency, normal build artifact. | ai | |
| source-diff | obfuscated-file:dist/_astro/stackblitz.CvswbY-6.js | AI (source-diff): Minified @stackblitz/sdk bundle; declared dependency, normal Astro/Vite build output. | ai | |
| source-diff | obfuscated-file:dist/_astro/stackblitz.CtkRkp4d.js | AI (source-diff): Minified @stackblitz/sdk bundle; standard Astro/Vite build artifact matching declared dependency. | ai | |
| source-diff | obfuscated-file:dist/_astro/Example.astro_astro_type_script_index_0_lang.BnWz6Pf-.js | AI (source-diff): Minified Astro component script; standard Vite build output, no malicious indicators. | ai | |
| source-diff | obfuscated-file:dist/_astro/Example.astro_astro_type_script_index_0_lang.t9HN5MNd.js | AI (source-diff): Minified Astro component script bundling client-zip; expected build artifact for this package. | ai | |
| source-diff | obfuscated-file:dist/_astro/stackblitz.XhvUZmj1.js | AI (source-diff): Minified bundle of @stackblitz/sdk dependency; expected Astro/Vite build output for this package. | ai | |
| source-diff | obfuscated-file:dist/_astro/Example.astro_astro_type_script_index_0_lang.CavcUrsg.js | AI (source-diff): Astro/Vite compiled component script; standard minified build output for this site package. | ai | |
| source-diff | obfuscated-file:dist/_astro/stackblitz.DrCMuaDL.js | AI (source-diff): Minified bundle of @stackblitz/sdk dependency; expected build artifact for this site package. | ai | |
| source-diff | obfuscated-file:dist/_astro/stackblitz.N5eJ8TTJ.js | AI (source-diff): Minified @stackblitz/sdk bundle; matches declared dependency and StackBlitz embed functionality. | ai | |
| source-diff | obfuscated-file:dist/_astro/Example.astro_astro_type_script_index_0_lang.CW5b1RTf.js | AI (source-diff): Minified client-zip bundle from Astro build; matches declared client-zip dependency. | ai | |
| source-diff | obfuscated-file:dist/_astro/stackblitz.UlAapN19.js | AI (source-diff): Minified StackBlitz SDK matching declared @stackblitz/sdk dependency; content is benign. | ai | |
| source-diff | obfuscated-file:dist/_astro/Example.astro_astro_type_script_index_0_lang.bP8mfWwZ.js | AI (source-diff): Minified client-zip library code matching declared dependency; no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/_astro/client.yL8JVs1M.js | AI (source-diff): Minified SolidJS runtime bundle; standard Astro/Vite build output matching declared solid-js dependency. | ai | |
| source-diff | obfuscated-file:dist/_astro/stackblitz.pNhcUPxS.js | AI (source-diff): Minified StackBlitz SDK; content matches declared @stackblitz/sdk dependency, standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/_astro/Example.astro_astro_type_script_index_0_lang.ByJ5KkyO.js | AI (source-diff): Minified client-zip library; content matches declared client-zip dependency, standard build artifact. | ai | |
| phantom-deps | phantom-dep:@stackblitz/sdk | AI (phantom-deps): Config-referenced dependency; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:better-sqlite3 | AI (phantom-deps): Config-referenced dependency; phantom-dep heuristic false positive for this site package. | ai | |
| phantom-deps | phantom-dep:client-zip | AI (phantom-deps): Config-referenced dependency in an Astro site; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@astrojs/check | AI (phantom-deps): Used via CLI in build script, not directly imported — expected for Astro projects. | ai | |
| phantom-deps | phantom-dep:typescript | AI (phantom-deps): TypeScript referenced in config/build tooling, not directly imported — normal pattern. | ai | |
| phantom-deps | phantom-dep:astro | AI (phantom-deps): Astro is referenced in config files as expected for an Astro site package. | ai | |
| typosquat | typosquat.levenshtein:vite | AI (typosquat): @dreamkit/site is a scoped monorepo package, not a typosquat of vite; name similarity is coincidental. | ai | |
| phantom-deps | phantom-dep:@astrojs/starlight | AI (phantom-deps): Config-referenced Astro integration; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@astrojs/solid-js | AI (phantom-deps): Config-referenced Astro integration; phantom-dep heuristic false positive. | ai |
Versions (showing 24 of 24)
| Version | Deps | Published |
|---|---|---|
| 0.0.62 | 10 / 1 | |
| 0.0.61 | 10 / 1 | |
| 0.0.60 | 10 / 1 | |
| 0.0.56 | 10 / 1 | |
| 0.0.55 | 10 / 1 | |
| 0.0.54 | 10 / 1 | |
| 0.0.50 | 10 / 1 | |
| 0.0.49 | 10 / 1 | |
| 0.0.46 | 10 / 1 | |
| 0.0.44 | 10 / 1 | |
| 0.0.41 | 10 / 1 | |
| 0.0.39 | 10 / 1 | |
| 0.0.38 | 10 / 1 | |
| 0.0.34 | 10 / 1 | |
| 0.0.33 | 10 / 1 | |
| 0.0.31 | 10 / 1 | |
| 0.0.29 | 10 / 1 | |
| 0.0.28 | 10 / 1 | |
| 0.0.27 | 10 / 1 | |
| 0.0.26 | 10 / 1 | |
| 0.0.24 | 10 / 1 | |
| 0.0.23 | 10 / 1 | |
| 0.0.22 | 10 / 1 | |
| 0.0.21 | 10 / 1 |
v0.0.62
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.61
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.60
2 findings
Package name '@dreamkit/site' is 1 edit(s) away from popular package 'vite'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.56
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.55
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.54
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.50
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.49
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.46
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.44
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.41
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.39
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.38
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.34
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.33
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.31
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.29
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.28
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.27
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.26
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.24
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.23
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.22
2 findings
Package name '@dreamkit/site' is 1 edit(s) away from popular package 'vite'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.21
2 findings
Package name '@dreamkit/site' is 1 edit(s) away from popular package 'vite'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.