@feedmepos/hrm-permission
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/rule-CcHQDgyJ.js | AI (source-diff): ESM counterpart of the same minified permission rules chunk; no malicious content. | ai | |
| source-diff | obfuscated-file:dist/system-permission-sets-e9-x85p9.cjs | AI (source-diff): Vite/Rollup minified chunk; content is permission set definitions referencing internal enums only. | ai | |
| source-diff | obfuscated-file:dist/rule-Dm8K7Gx4.cjs | AI (source-diff): Vite/Rollup minified chunk; content is plain permission enum definitions, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/rule-CB3iDM-x.cjs | AI (source-diff): Standard Vite/Rollup minified bundle output; content is readable CASL permission definitions, not malicious code. | ai | |
| source-diff | obfuscated-file:dist/rule-CzbvqY9h.js | AI (source-diff): Standard Vite/Rollup minified ESM bundle; content is readable CASL permission definitions, not malicious code. | ai | |
| source-diff | obfuscated-file:dist/system-permission-sets-CqdvSJSU.cjs | AI (source-diff): Standard Vite/Rollup minified bundle output; content is readable permission set definitions, not malicious code. | ai | |
| source-diff | obfuscated-file:dist/system-permission-sets-BLYe3zDS.cjs | AI (source-diff): Standard Vite/Rollup minified output; content is permission-set definitions, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/rule-BL3ukqFY.cjs | AI (source-diff): Standard Vite/Rollup minified output; content is plaintext permission enums, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/rule-CgjMpWJ3.js | AI (source-diff): Standard Vite/Rollup minified ESM output; content is permission enums, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/rule-DMAHcm-4.cjs | AI (source-diff): Vite/Rollup minified output of permission enums; no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/rule-BLTQXk6j.js | AI (source-diff): Vite/Rollup minified ESM output of permission enums; no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/system-permission-sets-BkrT4dLN.cjs | AI (source-diff): Vite/Rollup minified output of permission sets; no malicious patterns. | ai | |
| provenance | no-provenance | AI (provenance): Published via GitHub Actions CI; no provenance attestation is common and not a risk signal for this org-internal package. | ai | |
| phantom-deps | phantom-dep:@feedmepos/ui-library | AI (phantom-deps): Same-org dep; likely re-exported transitively, not a direct import. | ai | |
| phantom-deps | phantom-dep:@feedmepos/zod-common | AI (phantom-deps): Same-org dep; likely re-exported transitively, not a direct import. | ai | |
| phantom-deps | phantom-dep:@feedmepos/core | AI (phantom-deps): Same-org dep; likely re-exported transitively, not a direct import. | ai | |
Versions (showing 9 of 9)
| Version | Deps | Published |
|---|---|---|
| 1.0.8 | 10 / 19 | |
| 1.0.7 | 10 / 19 | |
| 1.0.6 | 10 / 19 | |
| 1.0.5 | 10 / 19 | |
| 1.0.4 | 12 / 19 | |
| 1.0.3 | 12 / 19 | |
| 1.0.2 | 11 / 19 | |
| 1.0.1 | 11 / 19 | |
| 1.0.0 | 11 / 19 | |
v1.0.8
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.7
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.6
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.5
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.