@feedmepos/mf-menu
# mf-menu
2
Versions
UNLICENSED
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
victor.chailokingweidanielmcfluffy
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/assets/menu-export-CRtF4W1I.js | AI (source-diff): Vite-minified asset bundle; standard build output. | ai | |
| source-diff | obfuscated-file:dist/assets/linked-status-68qGGp41.js | AI (source-diff): Vite-minified asset bundle; standard build output. | ai | |
| source-diff | net-exec-file:dist/jszip.min-BiRK-xY3.js | AI (source-diff): JSZip uses dynamic patterns internally; no network exfiltration. | ai | |
| source-diff | obfuscated-file:dist/jszip.min-BiRK-xY3.js | AI (source-diff): JSZip minified library; expected build artifact. | ai | |
| source-diff | obfuscated-file:dist/InventoryBinding.vue_vue_type_script_setup_true_lang-Ci-CaBED.js | AI (source-diff): Minified Vue component; leaked CI env vars are build hygiene issue, not consumer threat. | ai | |
| source-diff | net-exec-file:dist/index.vue_vue_type_script_setup_true_lang-DyiwvQnC.js | AI (source-diff): Firebase SDK network calls; CJS interop pattern, not malware. | ai | |
| source-diff | obfuscated-file:dist/app-BC-PDZ1J.js | AI (source-diff): Standard Vite-minified Vue3 bundle; readable imports from feedmepos org packages. | ai | |
| source-diff | obfuscated-file:dist/App-Bt5lFavE.js | AI (source-diff): Minified Vue3 app bundle with Firebase/flagsmith; no malicious payload. | ai | |
| source-diff | net-exec-file:dist/App-Bt5lFavE.js | AI (source-diff): Network calls are Firebase SDK; dynamic code is flagsmith CJS wrapper pattern. | ai | |
| source-diff | obfuscated-file:dist/ImportProductDialog.vue_vue_type_script_setup_true_lang-DPAxkce6.js | AI (source-diff): Minified Vue component bundle including SheetJS xlsx; legitimate build output. | ai | |
| source-diff | net-exec-file:dist/ImportProductDialog.vue_vue_type_script_setup_true_lang-DPAxkce6.js | AI (source-diff): SheetJS and Vue component; no dropper pattern. | ai | |
| source-diff | obfuscated-file:dist/index.vue_vue_type_script_setup_true_lang-DyiwvQnC.js | AI (source-diff): Main bundle with dayjs/pinia/Firebase; standard Vite minification. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Large bundle count is expected for a micro-frontend with many Vue components and bundled deps. | ai | |
| source-diff | obfuscated-file:dist/RuleView.vue_vue_type_script_setup_true_lang-Cc_k57qi.js | AI (source-diff): Minified Vue component; standard build output. | ai | |
| source-diff | obfuscated-file:dist/assets/override-menu-DB0DJf_x.js | AI (source-diff): Vite-minified asset bundle; standard build output. | ai | |
| source-diff | obfuscated-file:dist/jszip.min-OZZMb1gD.js | AI (source-diff): jszip minified library bundle; expected artifact. | ai | |
| source-diff | obfuscated-file:dist/InventoryBinding.vue_vue_type_script_setup_true_lang-Cnq9QAeQ.js | AI (source-diff): Minified Vue component; CI env vars baked in are a build hygiene issue, not malware. | ai | |
| source-diff | net-exec-file:dist/index.vue_vue_type_script_setup_true_lang-IHmRgZTC.js | AI (source-diff): Firebase SDK network calls; commonjs interop dynamic execution is standard bundler pattern. | ai | |
| source-diff | obfuscated-file:dist/index.vue_vue_type_script_setup_true_lang-IHmRgZTC.js | AI (source-diff): Main bundle with Firebase/pinia/dayjs; standard Vite minification. | ai | |
| source-diff | net-exec-file:dist/ImportProductDialog.vue_vue_type_script_setup_true_lang-hEPchEwW.js | AI (source-diff): xlsx.js bundled library; network+exec pattern is false positive for this build artifact. | ai | |
| source-diff | obfuscated-file:dist/RuleView.vue_vue_type_script_setup_true_lang-01qpukRE.js | AI (source-diff): Standard Vite minified Vue component bundle. | ai | |
| source-diff | obfuscated-file:dist/assets/override-menu-CVjWw9he.js | AI (source-diff): Standard Vite minified asset bundle. | ai | |
| source-diff | obfuscated-file:dist/assets/menu-export-rmsdV9dK.js | AI (source-diff): Standard Vite minified asset bundle. | ai | |
| source-diff | obfuscated-file:dist/ImportProductDialog.vue_vue_type_script_setup_true_lang-hEPchEwW.js | AI (source-diff): Minified Vue component bundle including xlsx.js; standard build output. | ai | |
| source-diff | obfuscated-file:dist/app-BSpY6Pgy.js | AI (source-diff): Standard Vite minified output for feedmepos Vue micro-frontend; consistent across versions. | ai | |
| source-diff | obfuscated-file:dist/App-DqpxV0zp.js | AI (source-diff): Standard Vite minified output; samples show Vue/Firebase/flagsmith bundle, no malicious patterns. | ai | |
| source-diff | net-exec-file:dist/App-DqpxV0zp.js | AI (source-diff): Network calls are Firebase SDK; dynamic execution is flagsmith/commonjs interop pattern, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/assets/linked-status-DojmxFzq.js | AI (source-diff): Standard Vite minified asset bundle. | ai | |
| source-diff | net-exec-file:dist/jszip.min-OZZMb1gD.js | AI (source-diff): jszip is a legitimate compression library; false positive for net-exec rule. | ai | |
| source-diff | obfuscated-file:dist/assets/override-menu-CASoFjhZ.js | AI (source-diff): Standard Vite minified bundle output. | ai | |
| source-diff | obfuscated-file:dist/app-BU6wILmn.js | AI (source-diff): Standard Vite minified bundle output for this org's micro-frontend; not intentional obfuscation. | ai | |
| source-diff | obfuscated-file:dist/App-C9b4SjED.js | AI (source-diff): Standard Vite minified bundle output. | ai | |
| source-diff | net-exec-file:dist/App-C9b4SjED.js | AI (source-diff): Network calls are Firebase SDK; dynamic code is flagsmith feature-flag SDK bundled via Vite. | ai | |
| source-diff | obfuscated-file:dist/ImportProductDialog.vue_vue_type_script_setup_true_lang-Dpx4meDa.js | AI (source-diff): Standard Vite minified bundle; xlsx library bundled inline. | ai | |
| source-diff | net-exec-file:dist/ImportProductDialog.vue_vue_type_script_setup_true_lang-Dpx4meDa.js | AI (source-diff): xlsx library bundled via Vite; no malicious network/exec pattern. | ai | |
| source-diff | obfuscated-file:dist/index.vue_vue_type_script_setup_true_lang-DSZsSghE.js | AI (source-diff): Standard Vite minified bundle output. | ai | |
| source-diff | net-exec-file:dist/index.vue_vue_type_script_setup_true_lang-DSZsSghE.js | AI (source-diff): Firebase SDK + dayjs bundled; no malicious pattern. | ai | |
| source-diff | obfuscated-file:dist/InventoryBinding.vue_vue_type_script_setup_true_lang-DzzwwdA_.js | AI (source-diff): Standard Vite bundle; leaked CI env vars are a hygiene issue, not malware. | ai | |
| source-diff | obfuscated-file:dist/jszip.min-DlpCmtaR.js | AI (source-diff): jszip minified library bundled via Vite. | ai | |
| source-diff | net-exec-file:dist/jszip.min-DlpCmtaR.js | AI (source-diff): jszip is a well-known library; no malicious pattern. | ai | |
| source-diff | obfuscated-file:dist/assets/linked-status-DTIHdzDw.js | AI (source-diff): Standard Vite minified bundle output. | ai | |
| source-diff | obfuscated-file:dist/assets/menu-export-CpcyYnR-.js | AI (source-diff): Standard Vite minified bundle output. | ai | |
| source-diff | obfuscated-file:dist/RuleView.vue_vue_type_script_setup_true_lang-DaCVUn1i.js | AI (source-diff): Standard Vite minified bundle output. | ai | |
| phantom-deps | phantom-dep:uuid | AI (phantom-deps): Large monorepo MFE; phantom deps are expected due to shared module federation boundaries. | ai | |
| phantom-deps | phantom-dep:@feedmepos/zod-entity | AI (phantom-deps): Internal org package; MFE federation boundary. | ai | |
| phantom-deps | phantom-dep:@types/dinero.js | AI (phantom-deps): Type-only package; not imported at runtime. | ai | |
| phantom-deps | phantom-dep:vite-svg-loader | AI (phantom-deps): Build-time plugin; not imported in runtime source. | ai | |
| phantom-deps | phantom-dep:@feedmepos/auth | AI (phantom-deps): Internal org package; MFE federation boundary explains phantom detection. | ai | |
| phantom-deps | phantom-dep:vue3-carousel | AI (phantom-deps): Same monorepo MFE pattern. | ai | |
| phantom-deps | phantom-dep:vuedraggable | AI (phantom-deps): Same monorepo MFE pattern. | ai | |
| phantom-deps | phantom-dep:@vueuse/core | AI (phantom-deps): Same monorepo MFE pattern. | ai | |
| phantom-deps | phantom-dep:vue3-lottie | AI (phantom-deps): Same monorepo MFE pattern. | ai | |
| phantom-deps | phantom-dep:i18next-vue | AI (phantom-deps): Same monorepo MFE pattern. | ai | |
| phantom-deps | phantom-dep:change-case | AI (phantom-deps): Same monorepo MFE pattern. | ai | |
| phantom-deps | phantom-dep:file-saver | AI (phantom-deps): Same monorepo MFE pattern. | ai | |
| phantom-deps | phantom-dep:dotenv-cli | AI (phantom-deps): CLI tool used in scripts; not imported in source. | ai | |
| phantom-deps | phantom-dep:vue-i18n | AI (phantom-deps): Same monorepo MFE pattern. | ai | |
| phantom-deps | phantom-dep:firebase | AI (phantom-deps): Same monorepo MFE pattern. | ai | |
| phantom-deps | phantom-dep:i18next | AI (phantom-deps): Same monorepo MFE pattern. | ai | |
| phantom-deps | phantom-dep:exceljs | AI (phantom-deps): Same monorepo MFE pattern. | ai | |
| phantom-deps | phantom-dep:lodash | AI (phantom-deps): Same monorepo MFE pattern. | ai | |
| phantom-deps | phantom-dep:canvas | AI (phantom-deps): Same monorepo MFE pattern. | ai | |
| phantom-deps | phantom-dep:jszip | AI (phantom-deps): Same monorepo MFE pattern; not a real missing import. | ai |
v0.32.43
15 findings
HIGH
New obfuscated file: dist/app-BU6wILmn.js
source-diff
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
HIGH
New obfuscated file: dist/App-C9b4SjED.js
source-diff
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
HIGH
New file with network + code execution: dist/App-C9b4SjED.js
source-diff
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
HIGH
New obfuscated file: dist/ImportProductDialog.vue_vue_type_script_setup_true_lang-Dpx4meDa.js
source-diff
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
HIGH
New file with network + code execution: dist/ImportProductDialog.vue_vue_type_script_setup_true_lang-Dpx4meDa.js
source-diff
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
HIGH
New obfuscated file: dist/index.vue_vue_type_script_setup_true_lang-DSZsSghE.js
source-diff
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
HIGH
New file with network + code execution: dist/index.vue_vue_type_script_setup_true_lang-DSZsSghE.js
source-diff
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
HIGH
New obfuscated file: dist/InventoryBinding.vue_vue_type_script_setup_true_lang-DzzwwdA_.js
source-diff
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
HIGH
New obfuscated file: dist/jszip.min-DlpCmtaR.js
source-diff
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
HIGH
New file with network + code execution: dist/jszip.min-DlpCmtaR.js
source-diff
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
HIGH
New obfuscated file: dist/assets/linked-status-DTIHdzDw.js
source-diff
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
HIGH
New obfuscated file: dist/assets/menu-export-CpcyYnR-.js
source-diff
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
HIGH
New obfuscated file: dist/assets/override-menu-CASoFjhZ.js
source-diff
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
HIGH
New obfuscated file: dist/RuleView.vue_vue_type_script_setup_true_lang-DaCVUn1i.js
source-diff
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.