@duckcodeailabs/dql-cli
Public CLI for parsing, formatting, testing, and certifying DQL blocks
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@duckcodeailabs/dql-core | AI (phantom-deps): Same-org CLI sub-package; stable phantom-dep pattern for this monorepo. | ai | |
| phantom-deps | phantom-dep:@duckcodeailabs/dql-mcp | AI (phantom-deps): Same-org CLI sub-package; stable phantom-dep pattern for this monorepo. | ai | |
| phantom-deps | phantom-dep:isomorphic-git | AI (phantom-deps): Likely used via dynamic require or sub-module; stable for CLI package. | ai | |
| phantom-deps | phantom-dep:nodemailer | AI (phantom-deps): Likely used via dynamic require or sub-module; stable for CLI package. | ai | |
| phantom-deps | phantom-dep:node-cron | AI (phantom-deps): Likely used via dynamic require or sub-module; stable for CLI package. | ai | |
| phantom-deps | phantom-dep:js-yaml | AI (phantom-deps): Common config-parsing dep in CLI tools; stable false positive. | ai | |
| phantom-deps | phantom-dep:@duckcodeailabs/dql-governance | AI (phantom-deps): Same-org CLI sub-package; stable phantom-dep pattern for this monorepo. | ai | |
| phantom-deps | phantom-dep:@duckcodeailabs/dql-connectors | AI (phantom-deps): Same-org CLI sub-package; stable phantom-dep pattern for this monorepo. | ai | |
| phantom-deps | phantom-dep:@duckcodeailabs/dql-notebook | AI (phantom-deps): Same-org CLI sub-package; stable phantom-dep pattern for this monorepo. | ai | |
| phantom-deps | phantom-dep:@duckcodeailabs/dql-compiler | AI (phantom-deps): Same-org CLI sub-package; stable phantom-dep pattern for this monorepo. | ai | |
| phantom-deps | phantom-dep:@duckcodeailabs/dql-slack | AI (phantom-deps): Same-org CLI sub-package; stable phantom-dep pattern for this monorepo. | ai | |
| phantom-deps | phantom-dep:@duckcodeailabs/dql-agent | AI (phantom-deps): Same-org CLI sub-package; stable phantom-dep pattern for this monorepo. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-DWPIGGBJ.js | AI (source-diff): Vite-bundled React/CodeMirror frontend asset; minified, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-B5jI3I8Q.js | AI (source-diff): Standard Vite/React minified bundle for notebook UI; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-mlfOQ2me.js | AI (source-diff): Standard Vite/React minified bundle output; not malicious obfuscation. Stable pattern for this package's notebook UI assets. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-B06pd_fZ.js | AI (source-diff): Vite-bundled React+CodeMirror notebook UI; minified frontend output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-dZVjj9xj.js | AI (source-diff): Standard Vite-bundled frontend asset for notebook UI; minification is expected, not malicious. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-Cscl1A2H.js | AI (source-diff): Vite/React production bundle with CodeMirror; standard minified frontend output for this CLI's notebook feature. | ai | |
| source-diff | obfuscated-file:assets/dql-notebook/assets/codemirror-DJYUkPr1.js | AI (source-diff): Standard Vite/Rollup minified CodeMirror bundle; not obfuscated malware. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Raw IP is 127.0.0.1 (localhost runtime endpoint); not an exfiltration target. | ai | |
| semgrep | semgrep:silent-process-exec-var | AI (semgrep): Same open-browser.js spawn; benign browser-launch pattern. | ai | |
| semgrep | semgrep:silent-process-exec | AI (semgrep): open-browser.js detaches a browser-open process; standard CLI pattern, not a reverse shell. | ai | |
| source-diff | obfuscated-file:assets/dql-notebook/assets/react-CRB3T2We.js | AI (source-diff): Minified React production bundle; license header confirms Facebook/MIT origin. | ai | |
| source-diff | obfuscated-file:assets/dql-notebook/assets/index-DUTeFz5j.js | AI (source-diff): Standard Vite/Rollup minified app bundle with React imports; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-CudxJ9DW.js | AI (source-diff): Standard Vite-bundled React app output; minification is expected for a notebook UI asset. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-BJ7MV8Gv.js | AI (source-diff): Standard Vite/React minified bundle; sample shows normal React/CodeMirror imports with license headers, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-BXbAhaFG.js | AI (source-diff): Standard Vite-bundled React frontend output with recognizable React JSX runtime and module preload polyfill. Expected artifact for a CLI that ships a notebook web UI. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-DeyBtNqN.js | AI (source-diff): File is a standard Vite/Rollup minified bundle (React JSX runtime + CodeMirror), not malicious obfuscation. Content-hash filename is a Vite fingerprinting pattern. Consistent with dql-notebook UI dependency. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-Cp34wXvX.js | AI (source-diff): File is standard Vite-bundled React/CodeMirror frontend output for the dql-notebook UI component. Minification is expected build artifact, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-Cxj__xjY.js | AI (source-diff): This is standard Vite/Rollup-bundled output for the dql-notebook UI embedded in the CLI. Minified React/CodeMirror bundle; no obfuscation or malicious payload. Expected artifact for this package. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-BJbWzCsK.js | AI (source-diff): Standard Vite-bundled React frontend for the dql-notebook UI; minified with content-addressed filename. No malicious patterns in sampled code. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-BI2YwGNM.js | AI (source-diff): Standard Vite-bundled frontend app entry point with React and CodeMirror imports; minified as expected for a shipped notebook UI asset. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-DhWFlKju.js | AI (source-diff): Standard Vite-bundled React app for the dql-notebook UI; sample shows recognizable React JSX runtime and modulepreload polyfill patterns. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-DIVTsVNu.js | AI (source-diff): File is a standard Vite-bundled React+CodeMirror frontend bundle for the embedded dql-notebook UI. Long lines are expected minification artifacts, not obfuscation. Pattern is stable for this package. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-aKKP3Syv.js | AI (source-diff): Standard Vite-bundled React frontend asset for the dql-notebook UI. Sample shows readable React/JSX runtime code with license headers. Not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/codemirror-BqWuFwtC.js | AI (source-diff): Minified CodeMirror editor library bundled by Vite as part of the notebook UI feature. Content is recognizable open-source code, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-C7OsQzmY.js | AI (source-diff): Standard Vite-bundled React app output for the notebook UI. Content-hash filename and React/Vite internals confirm this is a legitimate build artifact. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-Dp-Vko5m.js | AI (source-diff): Vite-bundled frontend app importing React and CodeMirror. Sample shows standard React JSX runtime code; no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-Bs6rpYwW.js | AI (source-diff): Standard Vite-minified app bundle (React + CodeMirror imports); recognizable open-source library code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-Be6ngE5t.js | AI (source-diff): Standard Vite-minified React app bundle for the dql-notebook UI. React JSX runtime license header is visible in the sample; no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-_N_gerXe.js | AI (source-diff): Main Vite bundle importing React and CodeMirror; content is consistent with a legitimate notebook UI build artifact. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-N2OWUyOi.js | AI (source-diff): Standard Vite-bundled React app entry point for the notebook UI. Sample shows React JSX runtime and modulepreload polyfill — no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-8LrBWmPy.js | AI (source-diff): File is a standard Vite/Rollup minified bundle containing React and CodeMirror code — recognizable build artifact for the dql-notebook feature, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-Rushqlh8.js | AI (source-diff): Vite/Rollup production bundle of React+CodeMirror notebook UI; standard minified frontend asset with React license headers, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-jwFfZgBm.js | AI (source-diff): Vite-bundled React notebook UI; contains React license headers and standard modulepreload polyfill. Legitimate build artifact. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/codemirror-DJYUkPr1.js | AI (source-diff): Vite-bundled CodeMirror editor library; standard minified build output for the dql-notebook frontend component. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-BwgX4Mvs.js | AI (source-diff): Standard Vite-minified React app bundle with recognizable React/Facebook license headers. Minification artifact, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-B_X7pyPz.js | AI (source-diff): Standard minified Vite/Rollup app bundle for dql-notebook UI. Sample shows React JSX runtime and modulepreload polyfill — no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-C7bfa1Fe.js | AI (source-diff): Standard Vite-bundled React app with react-jsx-runtime.production.min.js (Facebook copyright visible in sample). Expected build artifact for dql-notebook UI. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/codemirror-CCrEt63p.js | AI (source-diff): Standard Vite/Rollup production minification of the CodeMirror editor library. Sample confirms CodeMirror internals (grapheme-cluster tables, editor functions). Expected for a notebook UI. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-CtkxzMk1.js | AI (source-diff): Vite-bundled notebook app entry point importing React and CodeMirror. React JSX runtime license header visible in sample; no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-Bf35WF3L.js | AI (source-diff): Standard Vite-bundled frontend app importing React and CodeMirror; minification is expected build output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/codemirror-BeLuuzED.js | AI (source-diff): Standard minified CodeMirror library bundle produced by Vite build; not obfuscated malware. Stable for this package's notebook UI feature. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-BqahXnjO.js | AI (source-diff): Vite-bundled notebook UI entry point importing React and CodeMirror. No suspicious network calls or payload; expected build artifact. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/codemirror-CHXCUnwU.js | AI (source-diff): Minified CodeMirror production bundle — standard Vite build output for the dql-notebook UI. Content is recognizable open-source code, not malicious obfuscation. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase fully accounted for by three new frontend bundle files (CodeMirror + React + app entry) added with the dql-notebook dependency. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-EE_LNEYl.js | AI (source-diff): Vite-bundled app entry point importing CodeMirror and React — standard frontend build artifact for the dql-notebook UI component. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/react-CRB3T2We.js | AI (source-diff): Minified React production bundle with Facebook copyright header — standard Vite build output. Clearly legitimate open-source code. | ai | |
| provenance | missing-githead | AI (provenance): Publisher has a clean track record (46 approved, 0 rejected). Missing gitHead likely reflects a pipeline change, not a supply chain compromise. No other corroborating risk signals present. | ai | |
| source-diff | obfuscated-file:dist/assets/dql-notebook/assets/index-CTmiMNUc.js | AI (source-diff): File is a standard Vite/Rollup minified bundle for an embedded notebook web UI. Content shows recognizable React/CodeMirror imports with license headers — minification, not obfuscation. | ai | |
| phantom-deps | phantom-dep:@duckcodeailabs/dql-project | AI (phantom-deps): Same-org scoped dependency in a monorepo context; declared but not directly imported is a common and benign pattern here. | ai | |
| provenance | no-provenance | AI (provenance): Established @duckcodeailabs org package with 56 versions and legitimate repo; lack of Sigstore provenance is a process gap, not a security threat for this package. | ai | |
Versions (showing 51 of 61)
| Version | Deps | Published |
|---|---|---|
| 1.6.0 | 13 / 7 | |
| 1.5.3 | 13 / 7 | |
| 1.5.2 | 13 / 7 | |
| 1.5.0 | 13 / 7 | |
| 1.4.4 | 13 / 0 | |
| 1.4.3 | 13 / 0 | |
| 1.4.1 | 13 / 6 | |
| 1.4.0 | 13 / 6 | |
| 1.3.6 | 11 / 6 | |
| 1.3.4 | 11 / 6 | |
| 1.3.0 | 11 / 6 | |
| 1.2.2 | 11 / 6 | |
| 1.2.0 | 11 / 6 | |
| 1.0.4 | 7 / 4 | |
| 1.0.3 | 6 / 4 | |
| 1.0.2 | 6 / 4 | |
| 1.0.1 | 6 / 4 | |
| 0.11.0 | 6 / 4 | |
| 0.10.2 | 6 / 4 | |
| 0.10.1 | 6 / 4 | |
| 0.10.0 | 6 / 4 | |
| 0.9.0 | 6 / 4 | |
| 0.8.16 | 6 / 4 | |
| 0.8.15 | 6 / 4 | |
| 0.8.14 | 6 / 4 | |
| 0.8.13 | 6 / 4 | |
| 0.8.12 | 6 / 4 | |
| 0.8.11 | 6 / 4 | |
| 0.8.10 | 6 / 4 | |
| 0.8.9 | 6 / 4 | |
| 0.8.8 | 6 / 4 | |
| 0.8.7 | 6 / 4 | |
| 0.8.6 | 7 / 3 | |
| 0.8.5 | 6 / 3 | |
| 0.8.4 | 6 / 3 | |
| 0.8.3 | 6 / 3 | |
| 0.8.2 | 6 / 3 | |
| 0.8.1 | 6 / 3 | |
| 0.8.0 | 6 / 3 | |
| 0.7.1 | 6 / 3 | |
| 0.7.0 | 6 / 3 | |
| 0.6.0 | 6 / 3 | |
| 0.5.2 | 6 / 3 | |
| 0.5.1 | 6 / 3 | |
| 0.5.0 | 6 / 3 | |
| 0.4.0 | 6 / 3 | |
| 0.3.0 | 6 / 3 | |
| 0.2.4 | 6 / 3 | |
| 0.2.3 | 6 / 3 | |
| 0.2.2 | 6 / 3 | |
| 0.2.1 | 6 / 3 | |
v1.6.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.2
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.6
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.4
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.2
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.0
4 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: duckcode.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.4
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.3
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.2
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.2
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.1
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.0
4 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: duckcode.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.16
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.15
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.14
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.13
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.12
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.11
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.10
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.9
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.8
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: duckcode.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.7
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.6
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.5
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: duckcode.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.4
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: duckcode.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.3
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: duckcode.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.2
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: duckcode.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.1
5 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: duckcode.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
5 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: duckcode.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
5 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: duckcode.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.2
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.1
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.0
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
5 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: duckcode.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
5 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: duckcode.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.2.4
5 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: duckcode.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.2.3
5 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: duckcode.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.2.2
5 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: duckcode.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.2.1
5 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: duckcode.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
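The three checks behind the findings listed for every version above (long lines in newly added files, a version without a gitHead field after earlier versions had one, and a version published without a provenance attestation) are simple enough to reproduce locally. The script below is an added example, not the report's scanner and not code from the @duckcodeailabs/dql-cli project. It relies on the npm registry's per-version manifest fields `gitHead`, `_npmUser` and `dist.attestations` and on the registry's `time` map for publish order; the packument and file contents it runs on are constructed sample data, not the real data for this package.

```python
import json
from typing import Dict, List

# Threshold used by the report's heuristic: a line longer than this is taken as
# a sign of minified or obfuscated code.
LONG_LINE_THRESHOLD = 3000


def _versions_in_publish_order(packument: dict) -> List[str]:
    """Version strings sorted by the registry's `time` map (ISO-8601 publish timestamps)."""
    times = packument.get("time", {})
    return sorted(packument["versions"], key=lambda v: times.get(v, ""))


def long_line_files(files: Dict[str, str], threshold: int = LONG_LINE_THRESHOLD) -> List[dict]:
    """One finding per file that has at least one line longer than `threshold`.

    `files` maps a path inside the unpacked tarball to its text content.
    A line of exactly `threshold` characters is not flagged ("over 3000 chars").
    """
    findings = []
    for path, text in files.items():
        longest = max((len(line) for line in text.splitlines()), default=0)
        if longest > threshold:
            findings.append({"file": path, "longest_line": longest})
    return findings


def newly_added_long_line_files(prev_files: Dict[str, str], cur_files: Dict[str, str],
                                threshold: int = LONG_LINE_THRESHOLD) -> List[dict]:
    """The report flags only *newly added* files, so diff the file lists of two
    consecutive versions first and run the long-line check on the additions."""
    added = {path: text for path, text in cur_files.items() if path not in prev_files}
    return long_line_files(added, threshold)


def versions_missing_git_head(packument: dict) -> List[dict]:
    """Versions with no `gitHead` that were published after a version that had one.

    `gitHead` (the commit the tarball was built from) and `_npmUser` (the
    publishing account) are fields the registry records on each version manifest.
    """
    versions = packument["versions"]
    seen_git_head = False
    findings = []
    for v in _versions_in_publish_order(packument):
        manifest = versions[v]
        if manifest.get("gitHead"):
            seen_git_head = True
        elif seen_git_head:
            publisher = manifest.get("_npmUser", {}).get("name")
            findings.append({"version": v, "published_by": publisher})
    return findings


def versions_without_provenance(packument: dict) -> List[str]:
    """Versions whose manifest carries no `dist.attestations` entry.

    The registry stores provenance/publish attestations there. Presence of the
    field is only metadata, not a verification; `npm audit signatures` performs
    the actual signature and provenance check.
    """
    versions = packument["versions"]
    return [v for v in _versions_in_publish_order(packument)
            if not versions[v].get("dist", {}).get("attestations")]


# Constructed sample input; not the real registry data or files of any package.
SAMPLE_PACKUMENT = {
    "name": "example-cli",
    "time": {
        "0.1.0": "2025-01-01T00:00:00.000Z",
        "0.2.0": "2025-02-01T00:00:00.000Z",
        "0.2.1": "2025-03-01T00:00:00.000Z",
    },
    "versions": {
        "0.1.0": {"gitHead": "a" * 40, "_npmUser": {"name": "alice"},
                  "dist": {"attestations": {"url": "https://registry.example/-/npm/v1/attestations/example-cli@0.1.0"}}},
        "0.2.0": {"gitHead": "b" * 40, "_npmUser": {"name": "alice"}, "dist": {}},
        "0.2.1": {"_npmUser": {"name": "alice"}, "dist": {}},  # gitHead dropped, no attestation
    },
}
PREV_FILES = {"package/dist/index.js": "module.exports = require('./cli');\n"}
CUR_FILES = {
    "package/dist/index.js": "module.exports = require('./cli');\n",
    "package/dist/vendor.min.js": "var a=1;" * 500 + "\n",  # one 4000-char line
}


def report(prev_files: Dict[str, str], cur_files: Dict[str, str], packument: dict) -> dict:
    """Bundle the three checks into one report dict."""
    return {
        "new_long_line_files": newly_added_long_line_files(prev_files, cur_files),
        "missing_git_head": versions_missing_git_head(packument),
        "no_provenance": versions_without_provenance(packument),
    }


if __name__ == "__main__":
    print(json.dumps(report(PREV_FILES, CUR_FILES, SAMPLE_PACKUMENT), indent=2))
```

For a real package, the packument is the JSON document served at `https://registry.npmjs.org/<package-name>`, and the file maps come from extracting the tarballs of two consecutive versions (`npm pack <package>@<version>`). The long-line and gitHead checks are heuristics: a legitimately bundled CLI can produce long lines, and a publish from a CI runner instead of a developer checkout can drop gitHead. The provenance check is the only one with a cryptographic answer, and only after `npm audit signatures` has verified the attestation; this script only reports whether the registry has one.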