← Home

@e-llm-studio/citation

npm Repository Homepage
4
Versions
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

mkathyayaniyash27vermarishabh-sonalsaurabhgathadepriyanshu-g13bhaskar.dekarajadeveshpatelneeraj82sabithpockersanket-tehcoram_vilashsaptyadeephitesh_rathi_02soubhik-techolutionshivendra12131mujtaba12131yaksh-patelabhay-techo

Keywords

e-llm-studio-lib

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff obfuscated-file:dist/features/TextualGuidelines/TextualGuideLinesComponent.js AI (source-diff): Minified React component bundle; code is readable UI logic with no exfiltration or malicious patterns. ai
source-diff obfuscated-file:dist/cjs/features/TextualGuidelines/TextualGuidelines.module.css.js AI (source-diff): Standard minified CSS-module JS bundle; content is CSS class name mappings, not malicious obfuscation. ai
source-diff obfuscated-file:dist/features/TextualGuidelines/TextualGuidelines.module.css.js AI (source-diff): Standard minified CSS-module JS bundle; content is CSS class name mappings, not malicious obfuscation. ai
source-diff obfuscated-file:dist/cjs/features/TextualGuidelines/TextualGuideLinesComponent.js AI (source-diff): Minified React component bundle; code is readable UI logic with no exfiltration or malicious patterns. ai
provenance no-provenance AI (provenance): Internal org package; no provenance is consistent across all 199 versions. ai
bogus-package bogus-package AI (bogus-package): Established scoped library with 186 versions; off-topic README content is incidental, not spam. ai
npm-metadata no-description AI (npm-metadata): Intentionally left empty; package purpose is clear from name and exports. ai
phantom-deps phantom-dep:react-syntax-highlighter AI (phantom-deps): Listed as a runtime dependency; phantom-dep heuristic is a false positive here. ai

Versions (showing 4 of 4)

Version Deps Published
0.0.196 6 / 44
0.0.182 14 / 44
0.0.163 13 / 44
0.0.131 3 / 53

v0.0.196

5 findings
HIGH New obfuscated file: dist/cjs/features/TextualGuidelines/TextualGuidelines.module.css.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/features/TextualGuidelines/TextualGuidelines.module.css.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/cjs/features/TextualGuidelines/TextualGuideLinesComponent.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/features/TextualGuidelines/TextualGuideLinesComponent.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.163

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.131

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.