@estjs/server
Server-side rendering for Essor framework
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/server.cjs | AI (source-diff): Standard tsup minified build output; readable SSR logic, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/server.js | AI (source-diff): Standard tsup minified build output; readable SSR logic, no malicious patterns. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase explained by bundling new @estjs/signals sibling dep into the dist output. | ai | |
| typosquat | typosquat.levenshtein:semver | AI (typosquat): Scoped Essor framework SSR package; name similarity to semver is coincidental, not impersonation. | ai |
v0.0.16
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.15
2 findingsPackage name '@estjs/server' is 1 edit(s) away from popular package 'semver'.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.