@feedmepos/mf-common
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/app-5956b5d6.js | AI (source-diff): Standard Vite minified bundle for a Vue micro-frontend; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/ItemSelector-f6a5b9a3.js | AI (source-diff): Standard Vite minified chunk; imports from sibling bundle and @feedmepos/ui-library only. | ai | |
| source-diff | net-exec-file:dist/app-5956b5d6.js | AI (source-diff): Network calls and dynamic execution are normal for a Vue SPA bundle; no dropper pattern present. | ai | |
| source-diff | obfuscated-file:dist/app-aa2ad1cf.js | AI (source-diff): Standard Vite minified bundle output for this Vue 3 micro-frontend package; consistent with prior release pattern. | ai | |
| source-diff | obfuscated-file:dist/ItemSelector-8553acdb.js | AI (source-diff): Standard Vite minified chunk importing from the main app bundle; consistent with this package's build output. | ai | |
| source-diff | net-exec-file:dist/app-aa2ad1cf.js | AI (source-diff): Network calls and dynamic execution are part of normal Vue/axios/firebase app bundle; no dropper indicators in sample. | ai | |
| source-diff | obfuscated-file:dist/app-fc269ec0.js | AI (source-diff): Standard Vite minified bundle; readable imports from known packages, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/app-fc269ec0.js | AI (source-diff): Network calls and dynamic execution are expected in a Vue SPA bundle; no dropper pattern present. | ai | |
| source-diff | obfuscated-file:dist/ItemSelector-b3775dc8.js | AI (source-diff): Standard Vite minified bundle chunk; consistent with normal build output for this package. | ai | |
| dependencies | unvetted-dep:@feedmepos/core | AI (dependencies): First-party @feedmepos org dependency; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@feedmepos/menu | AI (dependencies): First-party @feedmepos org dependency; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@feedmepos/custom-attributes | AI (dependencies): First-party @feedmepos org dependency; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@feedmepos/vue-client-monitoring | AI (dependencies): First-party @feedmepos org dependency; stable pattern across all versions of this package. | ai | |
| phantom-deps | phantom-dep:sift | AI (phantom-deps): Monorepo shared lib; deps referenced in config/re-exported rather than directly imported. | ai | |
| phantom-deps | phantom-dep:vue-country-flag-next | AI (phantom-deps): Config-level reference in shared library; stable false positive. | ai | |
| phantom-deps | phantom-dep:@vue/devtools-api | AI (phantom-deps): Framework-scoped package loaded by convention; stable false positive. | ai | |
| phantom-deps | phantom-dep:@vueuse/core | AI (phantom-deps): Config-level reference; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:vue-i18n | AI (phantom-deps): Framework-scoped dep referenced via config convention, stable false positive. | ai | |
| phantom-deps | phantom-dep:firebase | AI (phantom-deps): Same pattern — config-level reference in a shared library bundle. | ai | |
Versions (showing 6 of 6)
| Version | Deps | Published |
|---|---|---|
| 1.29.23 | 19 / 22 | |
| 1.29.22 | 19 / 22 | |
| 1.29.21 | 19 / 22 | |
| 1.29.20 | 19 / 22 | |
| 1.29.19 | 19 / 22 | |
| 1.29.18 | 19 / 22 | |
v1.29.23
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.29.22
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.29.21
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.29.20
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.29.18
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.