@espcompose/core
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on. The obfuscated-file rule fires on line length alone; every instance accepted below is a bundled TypeScript declaration file (.d.ts) emitted by tsup --dts, and a declaration-only file carries no runtime code. The typosquat hit is a by-product of comparing the unscoped part of the name ('core') against 'cors'.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/types-C0Ty-NYA.d.ts | AI (source-diff): Large .d.ts is a bundled TypeScript declaration file with readable ESPHome component interfaces, not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/generated/components/binary_sensor.d.ts | AI (source-diff): Auto-generated .d.ts files with long type union lines; not obfuscation. Stable pattern for this ESPHome type-generation package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Large file count is expected for generated ESPHome component type declarations; consistent with package purpose. | ai | |
| source-diff | obfuscated-file:dist/ec-canvas-CDNVKfxk.d.ts | AI (source-diff): Long lines are bundled TypeScript re-export maps (.d.ts), not obfuscated code. Stable pattern for this build tool. | ai | |
| source-diff | obfuscated-file:dist/serialize-BqoI98I8.d.ts | AI (source-diff): File contains readable JSDoc-annotated TypeScript interfaces; long lines are bundled .d.ts artifacts, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/ec-canvas-CWFaSmUI.d.ts | AI (source-diff): Bundled TypeScript declaration file with long re-export lines; not obfuscated code, stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/ec-canvas-BctAlewg.d.ts | AI (source-diff): Bundled TypeScript declaration file from tsup --dts; long lines are re-exported type aliases, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/serialize-DPnKDIcP.d.ts | AI (source-diff): Same tsup --dts bundle pattern; content is clearly structured interface definitions for ESPHome components. | ai | |
| source-diff | obfuscated-file:dist/serialize-BZpV_MHT.d.ts | AI (source-diff): TypeScript declaration file with JSDoc-annotated interfaces; long lines from bundled type exports, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/ec-canvas-DZXU6dIu.d.ts | AI (source-diff): Long-line barrel export of ESPHome component type declarations; not obfuscated code, stable pattern for this build tool. | ai | |
| source-diff | obfuscated-file:dist/serialize-DkSHLIxo.d.ts | AI (source-diff): Bundled TypeScript declaration file from tsup --dts; content is readable JSDoc-annotated interfaces, not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/ec-canvas-BiKqeKVB.d.ts | AI (source-diff): Bundled TypeScript declaration file from tsup --dts; long lines are re-exported type aliases, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/ec-canvas-COaXzvTj.d.ts | AI (source-diff): Long-line .d.ts files are tsup-generated type declaration bundles for ESPHome components; not executable obfuscation. | ai | |
| source-diff | obfuscated-file:dist/serialize-BF-PTuLX.d.ts | AI (source-diff): Same pattern: tsup-bundled TypeScript declarations with readable interface definitions; not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/serialize-ribeQZ4S.d.ts | AI (source-diff): Large auto-generated .d.ts bundle from tsup; long lines are normal for bundled type declarations, not obfuscation. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): Scoped ESPHome SDK package; name similarity to 'cors' is coincidental, not impersonation. | ai | |
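The accepted rows above all rest on the same manual judgement: the scanner saw a line over 3000 characters and the reviewer confirmed the file is a declaration bundle rather than minified or obfuscated JavaScript. The following is an added example, not code from the page, the scanner, or the @espcompose/core project, that reproduces the long-line trigger and adds the triage a reviewer would otherwise do by hand. File names, sample contents and thresholds are constructed for illustration. One check it adds that the accepted-risk reasons do not mention: a file named `*.d.ts` is only inert if nothing in the package loads it at runtime, because Node's CommonJS loader falls back to the `.js` handler for unknown extensions.

```javascript
// Added example; not code from the page, the scanner, or the @espcompose/core project.
// Re-implements the "line over 3000 chars" heuristic and adds the triage the
// reviewer applied by hand: is the long line a bundled .d.ts declaration (no
// runtime code) or minified/obfuscated JavaScript? Thresholds are assumptions.

const LONG_LINE = 3000;

// Declaration-only lines start with one of these keywords ...
const DECL_START = /^\s*(export|import|declare|type|interface)\b/;
// ... and never contain a runtime construct. `declare function foo(` is fine;
// an anonymous `function(` or an eval/require/Function call is not.
const RUNTIME_TOKENS = /\bfunction\s*\(|\b(eval|require|Function)\s*\(|\bchild_process\b/;

function longestLine(text) {
  return text.split("\n").reduce((best, l) => (l.length > best.length ? l : best), "");
}

function lineStats(line) {
  const escapes = (line.match(/\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}/g) || []).length;
  const spaces = (line.match(/\s/g) || []).length;
  return {
    length: line.length,
    escapedFraction: (escapes * 4) / line.length, // share of the line made of \x.. / \u.... escapes
    whitespaceRatio: spaces / line.length,
    declarationShaped: DECL_START.test(line) && !RUNTIME_TOKENS.test(line),
  };
}

// Node's CommonJS loader treats unknown extensions as .js, so a file named
// *.d.ts that some .js/.cjs/.mjs file require()s or imports is executable
// code regardless of its name. Only an unreferenced .d.ts is inert.
function referencedAtRuntime(files, declPath) {
  const base = declPath.slice(declPath.lastIndexOf("/") + 1);
  return Object.entries(files).some(
    ([p, src]) => /\.[cm]?js$/.test(p) && src.includes(base),
  );
}

function triage(files) {
  const results = [];
  for (const [path, src] of Object.entries(files)) {
    const line = longestLine(src);
    if (line.length <= LONG_LINE) continue; // the scanner's trigger
    const s = lineStats(line);
    let verdict;
    if (s.escapedFraction > 0.2 || /\beval\s*\(/.test(line)) verdict = "obfuscated";
    else if (path.endsWith(".d.ts") && s.declarationShaped && !referencedAtRuntime(files, path)) verdict = "declaration-bundle";
    else if (RUNTIME_TOKENS.test(line) && s.whitespaceRatio < 0.05) verdict = "minified-js";
    else verdict = "review"; // conservative fallback: a human looks at it
    results.push({ path, longestLine: s.length, verdict });
  }
  return results;
}

// Constructed sample package contents (file names are hypothetical).
const declBarrel =
  "export type { " +
  Array.from({ length: 300 }, (_, i) => `Component${i}Config`).join(", ") +
  " } from './generated/components';\n";
const minified =
  "!function(){" +
  Array.from({ length: 200 }, (_, i) => `var a${i}=function(b){return(b^${i})};`).join("") +
  '}();require("./sneaky.d.ts");\n';
const obfuscated =
  "var _0x4f2a=[" +
  Array.from({ length: 150 }, () => '"\\x63\\x68\\x69\\x6c\\x64"').join(",") +
  "];eval(_0x4f2a[0]);\n";

const sampleFiles = {
  "dist/ec-canvas-sample.d.ts": declBarrel, // tsup --dts style re-export barrel
  "dist/sneaky.d.ts": declBarrel,           // same content, but loaded by dist/index.js
  "dist/index.js": minified,
  "dist/loader.js": obfuscated,
  "dist/small.js": "export const ok = 1;\n", // under the threshold, never reported
};

// Map of path -> verdict for the sample package.
function verdicts(files = sampleFiles) {
  return Object.fromEntries(triage(files).map((r) => [r.path, r.verdict]));
}
```

Run against an unpacked tarball (`npm pack @espcompose/core@0.7.1` then read `package/dist/**`) by building the `files` map from disk; the verdict worth acting on is `review` for a `.d.ts` that is referenced from a runtime module, since that is the case a "declaration file" accepted risk does not cover.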
Versions (showing 15 of 15)
| Version | Deps | Published |
|---|---|---|
| 0.7.1 | 0 / 8 | |
| 0.7.0 | 0 / 8 | |
| 0.6.3 | 0 / 8 | |
| 0.6.2 | 0 / 8 | |
| 0.6.1 | 0 / 8 | |
| 0.6.0 | 0 / 8 | |
| 0.5.0 | 0 / 8 | |
| 0.4.0 | 0 / 8 | |
| 0.3.2 | 0 / 8 | |
| 0.3.1 | 0 / 8 | |
| 0.2.2 | 0 / 8 | |
| 0.2.1 | 0 / 8 | |
| 0.2.0 | 0 / 8 | |
| 0.1.0 | 0 / 8 | |
| 0.0.1 | 0 / 8 |
v0.7.1
2 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.0
2 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.3
2 findings
- Package name '@espcompose/core' is 1 edit(s) away from popular package 'cors'. The rule compares the unscoped part of the name, 'core', which is one substitution from 'cors'; the full scoped name is not a near match.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
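To see why the typosquat rule fires on a scoped package and what comparison would be meaningful instead, here is an added example that is not code from the page, the scanner, or the @espcompose/core project. It implements the Levenshtein distance the rule is named after, runs it the way the finding implies (scope stripped) and the way a user actually types the name (full scoped name), and adds the check that matters for scoped packages: a look-alike scope, which is a different publisher. The popular-package list is a constructed stand-in.

```javascript
// Added example; not code from the page, the scanner, or the @espcompose/core project.
// Reproduces a levenshtein typosquat rule to show why it fires on
// '@espcompose/core': the scanner compares the unscoped part, 'core', which
// is one substitution from 'cors'. The popular-package list is constructed.

function levenshtein(a, b) {
  // Single-row dynamic programme: prev[j] holds distance(a[0..i), b[0..j)).
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = prev[j];
      prev[j] = Math.min(
        above + 1,                              // deletion
        prev[j - 1] + 1,                        // insertion
        diag + (a[i - 1] === b[j - 1] ? 0 : 1), // substitution
      );
      diag = above;
    }
  }
  return prev[b.length];
}

// Constructed stand-in for the scanner's "popular packages" list.
const POPULAR = ["cors", "core-js", "express", "lodash", "chalk"];

function splitScope(name) {
  const m = /^(@[^/]+)\/(.+)$/.exec(name);
  return m ? { scope: m[1], unscoped: m[2] } : { scope: null, unscoped: name };
}

// stripScope=true is the comparison that produced the finding above;
// stripScope=false compares the full scoped name, which is what a user types.
function typosquatFindings(name, { stripScope, maxDist = 1, popular = POPULAR } = {}) {
  const candidate = stripScope ? splitScope(name).unscoped : name;
  return popular
    .filter((p) => p !== name)
    .map((p) => ({ popular: p, distance: levenshtein(candidate, p) }))
    .filter((f) => f.distance <= maxDist);
}

// For a scoped package the impersonation worth checking is the scope itself:
// a near-miss scope is a different npm account, whatever the package name.
function scopeLookalike(name, trustedScope, maxDist = 2) {
  const { scope } = splitScope(name);
  if (!scope || scope === trustedScope) return null;
  const d = levenshtein(scope, trustedScope);
  return d <= maxDist ? { scope, trustedScope, distance: d } : null;
}
```

With the scope stripped the only hit is `cors` at distance 1, which is the finding on this page; with the full name there is none. The scope comparison is the one to wire into a dependency review for scoped packages: `scopeLookalike("@espcompse/core", "@espcompose")` reports a distance-1 scope, which a hurried `npm install` would not catch.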
v0.6.2
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.1
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.0
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.0
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.0
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.2
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.1
2 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.2
1 finding
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.1
1 finding
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.0
1 finding
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.0
1 finding
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.1
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
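Every version from 0.1.0 onward carries a Sigstore attestation with the SLSA provenance v1 predicate, and the scanner calls that the strongest integrity signal available. What the attestation actually states is narrower than "this package is safe": it binds a tarball digest to the repository, workflow, commit and builder that produced it. It says nothing about whether that source is benign, whether the publishing account or workflow was compromised, or whether the workflow itself was injectable. The following is an added example, not code from the page, npm, Sigstore, or the @espcompose/core project, that inspects a SLSA v1 statement of the kind npm publishes and checks it against the tarball you installed and the repository you have decided to trust. `npm audit signatures` performs the cryptographic verification of the Sigstore bundle; this example assumes that has passed and inspects the verified statement. The repository, commit and digest are constructed placeholders, and for a version like 0.0.1 with no attestation the check reports that there is nothing to verify.

```javascript
// Added example; not code from the page, npm, Sigstore, or the @espcompose/core
// project. `npm audit signatures` does the cryptographic verification of the
// Sigstore bundle; this checks the SLSA v1 statement inside it against the
// tarball actually installed and the repository you trust. Repository, commit
// and digest values are constructed placeholders.

const SLSA_V1 = "https://slsa.dev/provenance/v1";
const GITHUB_HOSTED = "https://github.com/actions/runner/github-hosted";

// Constructed in-toto statement in the shape npm attaches to a package
// published from a GitHub Actions workflow with `npm publish --provenance`.
const SAMPLE_SHA512_HEX = "ab".repeat(64); // placeholder tarball digest
const sampleStatement = {
  _type: "https://in-toto.io/Statement/v1",
  subject: [{ name: "pkg:npm/%40espcompose/core@0.7.1", digest: { sha512: SAMPLE_SHA512_HEX } }],
  predicateType: SLSA_V1,
  predicate: {
    buildDefinition: {
      buildType: "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
      externalParameters: {
        workflow: {
          ref: "refs/tags/v0.7.1",
          repository: "https://github.com/example-org/espcompose", // hypothetical
          path: ".github/workflows/release.yml",
        },
      },
      resolvedDependencies: [
        { uri: "git+https://github.com/example-org/espcompose@refs/tags/v0.7.1",
          digest: { gitCommit: "0".repeat(40) } }, // placeholder commit
      ],
    },
    runDetails: { builder: { id: GITHUB_HOSTED } },
  },
};

// `npm view <pkg>@<version> dist.integrity` prints this form: sha512-<base64>.
// The attestation subject carries the same digest as lowercase hex.
const sampleIntegrity = "sha512-" + Buffer.from(SAMPLE_SHA512_HEX, "hex").toString("base64");

function purl(name, version) {
  return "pkg:npm/" + name.replace(/^@/, "%40") + "@" + version;
}

// expectedRepo must come from your own pin (lockfile annotation, allow-list),
// never from the package's own package.json, which the publisher controls.
function checkProvenance(statement, { packageName, version, integrity, expectedRepo }) {
  if (!statement) return { ok: false, problems: ["no provenance statement: nothing to verify"] };
  const problems = [];
  if (statement.predicateType !== SLSA_V1) problems.push(`unexpected predicateType ${statement.predicateType}`);

  const subject = (statement.subject || []).find((s) => s.name === purl(packageName, version));
  if (!subject) problems.push("subject does not name this package version");
  else {
    const m = /^sha512-(.+)$/.exec(integrity || "");
    const installedHex = m ? Buffer.from(m[1], "base64").toString("hex") : null;
    if (!installedHex || subject.digest?.sha512 !== installedHex)
      problems.push("subject digest does not match the installed tarball (dist.integrity)");
  }

  const def = statement.predicate?.buildDefinition || {};
  const repo = def.externalParameters?.workflow?.repository;
  if (repo !== expectedRepo) problems.push(`built from repository ${repo}, expected ${expectedRepo}`);
  const commit = (def.resolvedDependencies || []).map((d) => d.digest?.gitCommit).find(Boolean);
  if (!/^[0-9a-f]{40}$/.test(commit || "")) problems.push("no source commit recorded");
  const builder = statement.predicate?.runDetails?.builder?.id;
  if (builder !== GITHUB_HOSTED) problems.push(`builder ${builder} is not a GitHub-hosted runner`);

  return { ok: problems.length === 0, problems, repo, commit, builder };
}
```

In practice the statement is the base64 payload inside the bundle's DSSE envelope that `npm audit signatures` verifies; decode it, feed it to `checkProvenance` with the `dist.integrity` string from `npm view` and the repository you have pinned, and treat a repository or digest mismatch as a stop, not a warning. The `commit` the function returns is the value to diff against when a new version adds a large file, which is how the obfuscated-file findings above should be closed rather than accepted on file extension alone.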