@feedmepos/mf-remy-panel
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/app-722c1500.js | AI (source-diff): Standard Vite bundle output; readable imports confirm legitimate Vue/AI SDK code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/app-76398cf7.js | AI (source-diff): Standard Vite minified bundle; samples show readable Vue/Pinia imports and i18n strings, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/HomeView-94f1fa26.js | AI (source-diff): Standard Vite minified bundle; samples show readable Vue component code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/app-1181f0d1.js | AI (source-diff): Standard Vite bundle output; readable imports visible in sample, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/app-5daba510.js | AI (source-diff): Standard Vite minified bundle output; readable imports and strings confirm no actual obfuscation. | ai | |
| source-diff | obfuscated-file:dist/app-919731f0.js | AI (source-diff): Standard Vite minified bundle; readable imports confirm legitimate bundled code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/app-5113f5e3.js | AI (source-diff): Standard Vite minified bundle for a Vue frontend; long lines are minified JS, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/app-5113f5e3.js | AI (source-diff): Network calls (axios/fetch) and dynamic imports are expected in a Vue SPA bundle; no dropper pattern present. | ai | |
| source-diff | obfuscated-file:dist/HomeView-63ccdc72.js | AI (source-diff): Standard Vite minified bundle; samples show plain Vue component code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/app-90f7d88b.js | AI (source-diff): Standard Vite minified bundle; samples show plain Vue/Pinia imports, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/app-7dff1a24.js | AI (source-diff): Standard Vite minified bundle; sample shows plain Vue/pinia imports and i18n strings, no obfuscation. | ai | |
| source-diff | obfuscated-file:dist/HomeView-58ed998f.js | AI (source-diff): Standard Vite minified bundle; samples show readable Vue component code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/app-86f97ba0.js | AI (source-diff): Standard Vite minified bundle; samples show readable Vue/Pinia imports, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/app-c8babfbe.js | AI (source-diff): Network calls and dynamic code in a Vite-bundled frontend app are expected; no dropper pattern in sample. | ai | |
| source-diff | obfuscated-file:dist/app-c8babfbe.js | AI (source-diff): Standard Vite minified ESM bundle; sample shows readable Vue/Pinia imports, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/app-2d2542ae.js | AI (source-diff): Standard Vite minified bundle for a Vue micro-frontend; content-hash filename is expected pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/app-e10b3430.js | AI (source-diff): Standard Vite/Rollup minified bundle; readable imports and class names confirm normal build output, not obfuscation. | ai | |
| phantom-deps | phantom-dep:jszip | AI (phantom-deps): jszip declared as runtime dep with @types/jszip in devDeps; bundled into dist, so direct import not visible at package level. | ai | |
| source-diff | net-exec-file:dist/app-e10b3430.js | AI (source-diff): Network calls and dynamic code in a bundled Vue SPA are expected; no dropper pattern visible in sample. | ai | |
| source-diff | net-exec-file:dist/app-cc4aa661.js | AI (source-diff): Network calls and dynamic code in a Vite-bundled SPA are expected; no dropper pattern visible in sample. | ai | |
| source-diff | obfuscated-file:dist/app-cc4aa661.js | AI (source-diff): Standard Vite minified bundle for a Vue micro-frontend; not intentionally obfuscated. | ai | |
| source-diff | obfuscated-file:dist/app-5b4fe84c.js | AI (source-diff): Standard Vite minified bundle; readable Vue/Pinia imports visible in sample, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/HomeView-290f3cb8.js | AI (source-diff): Standard Vite minified bundle; readable Vue component code visible in sample, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/app-e8ae8a45.js | AI (source-diff): Standard Vite/Rollup minified bundle; sample shows legitimate Vue/Pinia imports, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/app-b02070e4.js | AI (source-diff): Standard Vite minified bundle for a Vue microfrontend; readable imports confirm legitimate build output. | ai | |
| source-diff | obfuscated-file:dist/app-2331cdec.js | AI (source-diff): Standard Vite bundle output; readable imports, no obfuscation or malicious payload. | ai | |
| source-diff | obfuscated-file:dist/app-73c05327.js | AI (source-diff): Standard Vite minified bundle; samples show plain readable Vue/Pinia code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/HomeView-bd2d7032.js | AI (source-diff): Standard Vite minified bundle; samples show plain readable Vue component code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/app-de692985.js | AI (source-diff): Standard Vite bundle output; minified but not obfuscated — readable Vue/Pinia imports visible in sample. | ai | |
| source-diff | obfuscated-file:dist/app-3c33de4d.js | AI (source-diff): Standard Vite minified bundle; samples show readable Vue/pinia imports and i18n strings, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/HomeView-6cd8ce79.js | AI (source-diff): Standard Vite minified bundle; samples show readable Vue component code, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/app-fdb0b4e7.js | AI (source-diff): Vite-bundled output; sample shows readable Vue/AI SDK code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/app-d1b3fb0c.js | AI (source-diff): Standard Vite minified bundle; sample shows legitimate Vue/Pinia/vue-router imports with no malicious patterns. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New files consistent with expanded feature set bundled by Vite. | ai | |
| source-diff | obfuscated-file:dist/HomeView-bf91e5bf.js | AI (source-diff): Standard Vite minified bundle; imports are transparent Vue/feedmepos modules. | ai | |
| source-diff | obfuscated-file:dist/app-155358f0.js | AI (source-diff): Standard Vite minified bundle for a Vue 3 micro-frontend; readable code, no obfuscation indicators. | ai | |
| source-diff | obfuscated-file:dist/app-9ddd98c1.js | AI (source-diff): Standard Vite minified bundle for a Vue 3 microfrontend; not obfuscated, just minified build output. | ai | |
| dependencies | unvetted-dep:markdown-it | AI (dependencies): markdown-it is a well-established, widely-used markdown parser; appropriate replacement for marked in this package. | ai | |
| source-diff | obfuscated-file:dist/app-f120082e.js | AI (source-diff): Standard Vite build output; minified but not obfuscated — readable Vue/pinia/vue-router imports visible in sample. | ai | |
| source-diff | obfuscated-file:dist/app-25c9e531.js | AI (source-diff): Standard Vite minified bundle; sample shows plain Vue/pinia imports, not obfuscation. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): markdown-it replaces marked for markdown rendering; well-established package, not a suspicious addition. | ai | |
| source-diff | obfuscated-file:dist/app-78878140.js | AI (source-diff): Standard Vite minified bundle output; sample shows readable Vue/i18n code, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/app-4896b51c.js | AI (source-diff): Standard Vite/Vue3 bundle output; samples show readable code, not malicious obfuscation. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase explained by bundling markdown-it and new chat/panel features into dist. | ai | |
| source-diff | obfuscated-file:dist/HomeView-ccf7d308.js | AI (source-diff): Standard Vite/Vue3 bundle output; samples show readable Vue component code. | ai | |
| source-diff | obfuscated-file:dist/app-ac8de4b8.js | AI (source-diff): Standard Vite minified bundle for a Vue micro-frontend; long lines are expected build output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/app-c907214c.js | AI (source-diff): Standard Vite minified bundle; readable identifiers and known imports confirm legitimate build output. | ai | |
| phantom-deps | phantom-dep:@feedmepos/feature-flag | AI (phantom-deps): Same-org micro-frontend package; consumed at runtime in bundled output, not directly imported. | ai | |
| source-diff | obfuscated-file:dist/app-7dc521c0.js | AI (source-diff): Standard Vite bundle output; readable imports and no obfuscation indicators in sample. | ai | |
| phantom-deps | phantom-dep:pinia | AI (phantom-deps): Externalized peer dep in micro-frontend; stable pattern for this org's packages. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Private org package; no public repo/keywords expected; tiny payload is normal for a micro-frontend entry point. | ai | |
| phantom-deps | phantom-dep:@feedmepos/remy-core | AI (phantom-deps): Same-org dep externalized in micro-frontend; stable pattern. | ai | |
| phantom-deps | phantom-dep:@feedmepos/mf-common | AI (phantom-deps): Same-org dep externalized in micro-frontend; stable pattern. | ai | |
| phantom-deps | phantom-dep:highlight.js | AI (phantom-deps): Externalized dep in micro-frontend bundle; stable pattern. | ai | |
| phantom-deps | phantom-dep:vue-router | AI (phantom-deps): Externalized peer dep in micro-frontend; stable pattern for this org's packages. | ai | |
| phantom-deps | phantom-dep:marked | AI (phantom-deps): Externalized dep in micro-frontend bundle; stable pattern. | ai | |
| phantom-deps | phantom-dep:vue | AI (phantom-deps): Externalized peer dep in micro-frontend; stable pattern for this org's packages. | ai | |
| phantom-deps | phantom-dep:ai | AI (phantom-deps): Likely re-exported via @ai-sdk/vue; phantom-dep heuristic fires on indirect usage. | ai | |
| phantom-deps | phantom-dep:vue-chartjs | AI (phantom-deps): Stable false positive for this microfrontend package. | ai | |
| phantom-deps | phantom-dep:markdown-it | AI (phantom-deps): Stable false positive for this microfrontend package. | ai | |
| phantom-deps | phantom-dep:@ai-sdk/vue | AI (phantom-deps): Stable false positive for this microfrontend package. | ai | |
| phantom-deps | phantom-dep:dompurify | AI (phantom-deps): Used for sanitization in markdown rendering; may be imported indirectly. | ai | |
| phantom-deps | phantom-dep:chart.js | AI (phantom-deps): Peer/indirect dep of vue-chartjs; phantom-dep heuristic expected to fire here. | ai | |
| phantom-deps | phantom-dep:@feedmepos/ui-library | AI (phantom-deps): Same org scope; phantom-dep heuristic unreliable for monorepo/microfrontend setups. | ai | |
Versions (showing 32 of 32)
| Version | Deps | Published |
|---|---|---|
| 0.11.1 | 14 / 21 | |
| 0.10.0 | 15 / 22 | |
| 0.9.0 | 15 / 22 | |
| 0.8.0 | 14 / 21 | |
| 0.7.0 | 14 / 21 | |
| 0.6.0 | 14 / 21 | |
| 0.5.1 | 13 / 21 | |
| 0.5.0 | 13 / 21 | |
| 0.4.2 | 13 / 21 | |
| 0.3.8 | 13 / 20 | |
| 0.3.6 | 11 / 20 | |
| 0.3.5 | 11 / 20 | |
| 0.3.3 | 11 / 20 | |
| 0.3.2 | 11 / 20 | |
| 0.3.1 | 11 / 20 | |
| 0.3.0 | 11 / 20 | |
| 0.2.11 | 8 / 21 | |
| 0.2.8 | 8 / 21 | |
| 0.2.6 | 8 / 21 | |
| 0.2.5 | 8 / 21 | |
| 0.1.3 | 8 / 21 | |
| 0.1.2 | 8 / 21 | |
| 0.1.0 | 8 / 21 | |
| 0.0.13 | 8 / 21 | |
| 0.0.10 | 8 / 21 | |
| 0.0.9 | 8 / 21 | |
| 0.0.6 | 8 / 21 | |
| 0.0.5 | 8 / 21 | |
| 0.0.4 | 8 / 19 | |
| 0.0.3 | 8 / 19 | |
| 0.0.2 | 8 / 19 | |
| 0.0.1 | 9 / 18 | |
v0.11.1
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.2
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.8
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.6
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.5
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.3
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.2
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.1
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.11
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.8
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.6
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.5
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.3
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.2
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.13
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.10
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.9
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.6
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.5
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.4
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.