@eclipse-docks/core
Eclipse Docks platform core: registries, services, parts, widgets, and API
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/webawesome-CJyhVNu_.js | AI (source-diff): Barrel re-export of @awesome.me/webawesome components; long lines from bundled CSS/component defs, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/api-CFU8KuHz.js | AI (source-diff): Vite-bundled ESM chunk; imports lit/marked/internal modules — no actual dropper pattern. | ai | |
| source-diff | net-exec-file:dist/api-GQXzRSc-.js | AI (source-diff): Bundled Vite output chunk; network+exec pattern is from legitimate UI framework code, not malware. | ai | |
| source-diff | net-exec-file:dist/api-7hn-j6Rf.js | AI (source-diff): Standard Vite-bundled ESM chunk; network calls are workspace/FS service imports, not dropper behavior. | ai | |
| source-diff | net-exec-file:dist/api-DISr4dl4.js | AI (source-diff): Vite bundle with readable ESM imports; no malicious network/exec pattern visible in sample. | ai | |
| source-diff | net-exec-file:dist/api-CRqV4LEn.js | AI (source-diff): Vite-bundled ESM output; sample shows standard lit/marked/JSZip imports, no actual dropper pattern. | ai | |
| source-diff | net-exec-file:dist/api-CuHseuRW.js | AI (source-diff): Vite-bundled UI framework dist; network calls are workspace/API service code, not dropper behavior. SLSA provenance confirms CI build. | ai | |
| source-diff | net-exec-file:dist/api-CRZ-pC4q.js | AI (source-diff): Vite-bundled app chunk with Lit/marked imports; not malware. Pattern will recur with each build artifact rename. | ai | |
| source-diff | net-exec-file:dist/api-BgmPPeuo.js | AI (source-diff): Vite-bundled output; sample shows standard ES module imports from known deps, no malicious network/exec pattern. | ai | |
| source-diff | net-exec-file:dist/api-Cg6BlZPe.js | AI (source-diff): Vite-bundled ESM output with standard framework imports; no actual dropper/loader behavior in sampled code. | ai | |
| source-diff | obfuscated-file:dist/webawesome-CsYKhg4S.js | AI (source-diff): Barrel re-export of @awesome.me/webawesome components; long lines are from minified upstream bundle, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/api-C8Vh88fr.js | AI (source-diff): Standard Vite-bundled ESM output; network calls and dynamic execution are part of the documented platform API, not dropper behavior. | ai | |
| provenance | publisher-changed | AI (provenance): Transition to GitHub Actions publisher is consistent with SLSA-attested CI/CD pipeline; not a compromise indicator. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): Scoped Eclipse platform package; name similarity to 'cors' is coincidental, not a squatting attempt. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Used in a JS runtime worker to execute user-supplied scripts; intentional design, not malicious code execution. | ai | |
| phantom-deps | phantom-dep:@fortawesome/free-solid-svg-icons | AI (phantom-deps): Same as above — config-level reference, not a direct import. | ai | |
| phantom-deps | phantom-dep:@fortawesome/fontawesome-svg-core | AI (phantom-deps): Same as above — config-level reference, not a direct import. | ai | |
| phantom-deps | phantom-dep:@fortawesome/fontawesome-free | AI (phantom-deps): FontAwesome deps referenced in config/externals, not directly imported in source; stable false positive for this package. | ai | |
Versions (showing 43 of 43)
| Version | Deps | Published |
|---|---|---|
| 0.7.110 | 8 / 7 | |
| 0.7.109 | 8 / 7 | |
| 0.7.108 | 8 / 7 | |
| 0.7.107 | 8 / 7 | |
| 0.7.106 | 8 / 7 | |
| 0.7.105 | 8 / 7 | |
| 0.7.104 | 8 / 7 | |
| 0.7.103 | 8 / 7 | |
| 0.7.102 | 8 / 7 | |
| 0.7.101 | 8 / 7 | |
| 0.7.100 | 8 / 7 | |
| 0.7.99 | 8 / 7 | |
| 0.7.98 | 8 / 7 | |
| 0.7.97 | 8 / 7 | |
| 0.7.96 | 8 / 7 | |
| 0.7.95 | 8 / 7 | |
| 0.7.94 | 8 / 7 | |
| 0.7.93 | 8 / 7 | |
| 0.7.92 | 8 / 7 | |
| 0.7.91 | 8 / 7 | |
| 0.7.90 | 8 / 7 | |
| 0.7.89 | 8 / 7 | |
| 0.7.88 | 8 / 7 | |
| 0.7.87 | 8 / 7 | |
| 0.7.86 | 8 / 7 | |
| 0.7.85 | 8 / 7 | |
| 0.7.84 | 8 / 7 | |
| 0.7.83 | 8 / 7 | |
| 0.7.82 | 8 / 7 | |
| 0.7.81 | 8 / 7 | |
| 0.7.80 | 8 / 7 | |
| 0.7.79 | 8 / 7 | |
| 0.7.78 | 8 / 7 | |
| 0.7.77 | 8 / 7 | |
| 0.7.76 | 8 / 6 | |
| 0.7.75 | 8 / 6 | |
| 0.7.74 | 8 / 6 | |
| 0.7.73 | 8 / 6 | |
| 0.7.72 | 8 / 6 | |
| 0.7.71 | 8 / 6 | |
| 0.7.70 | 8 / 6 | |
| 0.7.69 | 8 / 6 | |
| 0.7.68 | 8 / 6 | |
v0.7.110
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.109
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.108
2 findings
Package name '@eclipse-docks/core' is 1 edit(s) away from popular package 'cors'.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.107
2 findings
Package name '@eclipse-docks/core' is 1 edit(s) away from popular package 'cors'.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.106
2 findings
Package name '@eclipse-docks/core' is 1 edit(s) away from popular package 'cors'.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.105
2 findings
Package name '@eclipse-docks/core' is 1 edit(s) away from popular package 'cors'.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.104
2 findings
Package name '@eclipse-docks/core' is 1 edit(s) away from popular package 'cors'.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.103
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.102
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.101
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.100
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.99
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.98
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.97
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.96
2 findings
Package name '@eclipse-docks/core' is 1 edit(s) away from popular package 'cors'.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.95
2 findings
Package name '@eclipse-docks/core' is 1 edit(s) away from popular package 'cors'.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.94
2 findings
Package name '@eclipse-docks/core' is 1 edit(s) away from popular package 'cors'.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.93
4 findings
This version was published by a different npm account than previous versions on 2026-04-14. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.92
4 findings
This version was published by a different npm account than previous versions on 2026-04-14. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.91
4 findings
This version was published by a different npm account than previous versions on 2026-04-14. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.90
4 findings
This version was published by a different npm account than previous versions on 2026-04-14. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.89
4 findings
This version was published by a different npm account than previous versions on 2026-04-14. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.88
4 findings
This version was published by a different npm account than previous versions on 2026-04-13. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.87
4 findings
This version was published by a different npm account than previous versions on 2026-04-13. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.86
4 findings
This version was published by a different npm account than previous versions on 2026-04-12. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.85
4 findings
This version was published by a different npm account than previous versions on 2026-04-12. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.84
4 findings
This version was published by a different npm account than previous versions on 2026-04-12. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.83
4 findings
This version was published by a different npm account than previous versions on 2026-04-12. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.82
4 findings
This version was published by a different npm account than previous versions on 2026-04-12. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.81
4 findings
This version was published by a different npm account than previous versions on 2026-04-11. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.80
4 findings
This version was published by a different npm account than previous versions on 2026-04-11. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.79
4 findings
This version was published by a different npm account than previous versions on 2026-04-11. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.78
4 findings
This version was published by a different npm account than previous versions on 2026-04-11. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.77
4 findings
This version was published by a different npm account than previous versions on 2026-04-11. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.76
4 findings
This version was published by a different npm account than previous versions on 2026-04-11. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.75
4 findings
This version was published by a different npm account than previous versions on 2026-04-11. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.74
4 findings
This version was published by a different npm account than previous versions on 2026-04-11. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.73
4 findings
This version was published by a different npm account than previous versions on 2026-04-10. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.72
4 findings
This version was published by a different npm account than previous versions on 2026-04-10. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.71
2 findings
This version was published by a different npm account than previous versions on 2026-04-09. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.70
2 findings
This version was published by a different npm account than previous versions on 2026-04-09. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.69
2 findings
This version was published by a different npm account than previous versions on 2026-04-09. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.68
2 findings
Package name '@eclipse-docks/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.