@eclipse-scout/core
Eclipse Scout runtime
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/eclipse-scout-core-86985901bd76402b67fb.min.js | AI (source-diff): Standard minified UI framework bundle; network+eval pattern is from reflect-metadata polyfill, not malware. | ai | |
| source-diff | net-exec-file:dist/eclipse-scout-core-2de1d54060fc617ddb6f.min.js | AI (source-diff): Standard minified framework bundle; net+exec pattern is reflect-metadata polyfill, not malware. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): Established Eclipse Scout scoped package; not a typosquat of cors — name reflects the Eclipse project namespace. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() is inside vendored log4javascript-1.4.9 debug console; not framework code and not a supply-chain risk. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get() used in a Proxy handler for legitimate object delegation; standard TypeScript framework pattern. | ai |
v26.1.15
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.1.12
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.