@elliemae/ssf-host
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/public/js/emuiSsfHost.7b0555015fdcf2116165.js | AI (source-diff): Standard webpack UMD bundle with source map; readable class/function names confirm legitimate build output. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfHost.29d46bdf0e76b4f904aa.js | AI (source-diff): Standard webpack minified bundle from established @elliemae org; not obfuscated, just minified build output. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfHost.01546664223ea88ed947.js | AI (source-diff): Standard webpack minified bundle for this frontend library; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfHost.7d167a52cf87253649bc.js | AI (source-diff): Standard webpack minified bundle; readable class/function names, no obfuscation or exfiltration patterns. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfHost.9a5a93bb30c5639696e6.js | AI (source-diff): Standard webpack minified bundle with source map; consistent with this package's build output across versions. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfHost.246f6f862bb7525e4088.js | AI (source-diff): Standard webpack minified bundle with source map; consistent with this package's build pipeline across versions. | ai | |
| source-diff | obfuscated-file:dist/umd/e2e-host.js | AI (source-diff): UMD e2e test harness minified file; benign build artifact for this package. | ai | |
| source-diff | obfuscated-file:dist/public/e2e-host.js | AI (source-diff): E2E test harness minified file; benign build artifact for this package. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfHost.071827d0d7e775690fbb.js | AI (source-diff): Standard webpack minified bundle output; expected artifact for this package. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfHost.f42c8b4528682f31d781.js | AI (source-diff): Standard webpack minified bundle with accompanying source map; consistent with this package's build pipeline across versions. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfHost.a4526c5eda64df08190f.js | AI (source-diff): Standard webpack minified bundle; pattern is consistent across versions of this package. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfHost.4efd63ecd70eaeb19a04.js | AI (source-diff): Standard webpack minified bundle; long lines are minification artifacts, not obfuscation or malware. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfHost.94ad16e13cca048a63fe.js | AI (source-diff): Standard webpack UMD bundle; readable class/function names confirm legitimate minification, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfHost.5855ec3cd0fa60013d84.js | AI (source-diff): Standard webpack minified bundle; readable semantics, no malicious patterns. Stable for this package. | ai | |
| provenance | missing-githead | AI (provenance): Established ICE MT/Ellie Mae org package; missing gitHead is a CI environment change, not a malware indicator. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfHost.9caeb564732e672b5a2a.js | AI (source-diff): Standard webpack minified bundle for a UI library; UMD pattern and readable exports confirm legitimate build output. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfHost.c285de67388a3f6cc8f9.js | AI (source-diff): Standard webpack UMD bundle with source map; readable class names confirm legitimate build output. | ai | |
| source-diff | obfuscated-file:dist/public/js/emuiSsfHost.110872ea16d9bc201a4f.js | AI (source-diff): Standard webpack minified bundle with source map; consistent with this package's build output across versions. | ai | |
| dependencies | unvetted-dep:@elliemae/microfe-common | AI (dependencies): Sibling package in the same @elliemae org/monorepo at the same pinned version; low risk. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Internal ICE MT library; sparse README and no keywords are expected for org-internal packages. | ai | |
Versions (showing 36 of 36)
| Version | Deps | Published |
|---|---|---|
| 2.28.4 | 2 / 5 | |
| 2.28.3 | 2 / 5 | |
| 2.28.2 | 2 / 5 | |
| 2.28.1 | 2 / 5 | |
| 2.28.0 | 2 / 5 | |
| 2.27.0 | 2 / 5 | |
| 2.26.0 | 2 / 5 | |
| 2.25.3 | 2 / 5 | |
| 2.25.1 | 2 / 5 | |
| 2.25.0 | 2 / 5 | |
| 2.24.0 | 2 / 5 | |
| 2.23.7 | 2 / 5 | |
| 2.23.6 | 2 / 5 | |
| 2.23.4 | 2 / 5 | |
| 2.23.2 | 2 / 5 | |
| 2.23.1 | 2 / 5 | |
| 2.22.3 | 2 / 5 | |
| 2.22.2 | 2 / 5 | |
| 2.22.0 | 2 / 5 | |
| 2.21.4 | 2 / 5 | |
| 2.21.3 | 2 / 5 | |
| 2.21.2 | 2 / 6 | |
| 2.21.1 | 2 / 6 | |
| 2.21.0 | 2 / 6 | |
| 2.20.3 | 2 / 6 | |
| 2.20.2 | 2 / 6 | |
| 2.19.2 | 2 / 5 | |
| 2.18.0 | 2 / 5 | |
| 2.17.9 | 2 / 5 | |
| 2.17.8 | 2 / 5 | |
| 2.17.5 | 2 / 5 | |
| 2.17.4 | 2 / 5 | |
| 2.17.3 | 2 / 5 | |
| 2.17.2 | 2 / 5 | |
| 2.17.0 | 2 / 5 | |
| 2.16.6 | 2 / 5 | |
v2.28.4
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.28.3
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.28.2
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: encw.dev.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.28.1
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: encw.dev.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.28.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: encw.dev.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.27.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.26.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: encw.dev.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.25.3
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: encw.dev.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.25.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.25.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.24.0
5 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: encw.dev.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.23.7
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: encw.dev.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.23.6
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: encw.dev.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.23.4
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: encw.dev.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.23.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.23.1
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: encw.dev.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.22.3
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: encw.dev.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.22.2
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: encw.dev.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.22.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.21.4
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.21.3
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.21.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.21.1
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.21.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.20.3
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: encw.dev.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.20.2
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.19.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.18.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.17.9
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.17.8
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.17.5
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.17.4
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.17.3
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.17.2
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.17.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.16.6
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.