@flowfuse/flowfuse
An open source low-code development platform
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:frontend/dist/app/setup.977d8b35e25bd87678b7.js | AI (source-diff): Webpack-minified frontend chunk; standard build output for this package. | ai | |
| source-diff | obfuscated-file:frontend/dist/app/main.0c7540b9b51085db2b3c.js | AI (source-diff): Webpack-minified frontend chunk; standard build output for this package. | ai | |
| source-diff | obfuscated-file:frontend/dist/app/async-vendors.59ef3cc2961ccaa223b2.js | AI (source-diff): Webpack-minified vendor bundle; standard build output for this package. | ai | |
| source-diff | obfuscated-file:frontend/dist/app/351.b1db596abcd8550f2338.js | AI (source-diff): Webpack-minified frontend chunk; standard build output for this package. | ai | |
| source-diff | obfuscated-file:frontend/dist/app/306.1d909ec274be9101dbfa.js | AI (source-diff): Webpack-minified frontend chunk; standard build output for this package. | ai | |
| source-diff | net-exec-file:frontend/dist/app/vendors.783b2aa3017faaefcc68.js | AI (source-diff): Webpack runtime loader in vendor bundle; not a dropper — standard pattern for this SPA package. | ai | |
| phantom-deps | phantom-dep:@sentry/webpack-plugin | AI (phantom-deps): Webpack plugin referenced in webpack config, not imported directly; expected pattern. | ai | |
| phantom-deps | phantom-dep:@headlessui/vue | AI (phantom-deps): Vue UI component loaded via plugin config, not direct import; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:vue3-google-login | AI (phantom-deps): Frontend plugin registered via config; consistent with this package's Vue app pattern. | ai | |
| phantom-deps | phantom-dep:@aws-sdk/credential-provider-node | AI (phantom-deps): AWS SDK credential provider loaded by framework convention; stable false positive. | ai | |
| phantom-deps | phantom-dep:pinia-plugin-persistedstate | AI (phantom-deps): Pinia plugin registered via config; consistent with Vue app pattern. | ai | |
| phantom-deps | phantom-dep:@flowfuse/driver-localfs | AI (phantom-deps): Same-org driver loaded dynamically by design; stable false positive. | ai | |
| phantom-deps | phantom-dep:@flowfuse/flow-renderer | AI (phantom-deps): Same-org package loaded by convention; not a phantom dep concern. | ai | |
| phantom-deps | phantom-dep:@vuepic/vue-datepicker | AI (phantom-deps): Vue component registered via plugin config; stable false positive for this package. | ai | |
| source-diff | obfuscated-file:frontend/dist/app/setup.7e7c6737112dab660f83.js | AI (source-diff): Standard webpack setup bundle; minification is expected for this package. | ai | |
| source-diff | obfuscated-file:frontend/dist/app/main.b09d3709717814e4b520.js | AI (source-diff): Standard webpack main bundle; minification is expected for this package. | ai | |
| source-diff | obfuscated-file:frontend/dist/app/650.d0554ba6e443754b1548.js | AI (source-diff): Standard webpack-minified Vue frontend chunk; consistent with FlowFuse's build pipeline. | ai | |
| source-diff | obfuscated-file:frontend/dist/app/39.aabcfa36578b85cd171f.js | AI (source-diff): Standard webpack-minified Vue frontend chunk; consistent with FlowFuse's build pipeline. | ai | |
| source-diff | obfuscated-file:frontend/dist/app/async-vendors.c1ff7afd926865d3a9bd.js | AI (source-diff): Webpack async vendor chunk with Heroicons SVG components; normal build artifact. | ai | |
| source-diff | obfuscated-file:frontend/dist/app/main.29b5294ab4c18d4e098a.js | AI (source-diff): Webpack main bundle; standard minified frontend output for FlowFuse. | ai | |
| source-diff | obfuscated-file:frontend/dist/app/setup.973fea8af982fb9cd335.js | AI (source-diff): Webpack setup bundle; standard minified frontend output for FlowFuse. | ai | |
| source-diff | net-exec-file:frontend/dist/app/vendors.6a06e499ec7c122e93f7.js | AI (source-diff): Node-RED flow renderer vendor bundle; network+eval patterns are part of the Node-RED editor, not malware. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decoding is part of AES-256-CTR credential decryption — legitimate crypto usage. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Used for pluggable cache driver loading — documented plugin pattern for this platform. | ai | |
| phantom-deps | phantom-dep:pinia | AI (phantom-deps): Frontend state management dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:echarts | AI (phantom-deps): Frontend charting dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:highlight.js | AI (phantom-deps): Frontend syntax highlighting dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:vue-echarts | AI (phantom-deps): Frontend charting wrapper; stable false positive. | ai | |
| phantom-deps | phantom-dep:pino-pretty | AI (phantom-deps): Optional pino formatter loaded by convention; stable false positive. | ai | |
| phantom-deps | phantom-dep:@sentry/vue | AI (phantom-deps): Frontend Sentry integration; stable false positive. | ai | |
| phantom-deps | phantom-dep:vue-router | AI (phantom-deps): Frontend routing dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:dompurify | AI (phantom-deps): Frontend sanitization dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:sqlite3 | AI (phantom-deps): DB driver loaded by convention via sequelize; stable false positive. | ai | |
| phantom-deps | phantom-dep:vuex | AI (phantom-deps): Frontend framework dep referenced in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:diff | AI (phantom-deps): Config-referenced frontend dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:vue | AI (phantom-deps): Vue is a frontend framework referenced in webpack/config files; phantom-dep heuristic false positive for bundled frontend apps. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Used in install-stack.js CLI helper script — expected for a platform installer binary. | ai | |
| phantom-deps | phantom-dep:vue-shepherd | AI (phantom-deps): Frontend tour dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@heroicons/vue | AI (phantom-deps): Frontend icon dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:lottie-web-vue | AI (phantom-deps): Frontend animation dep; stable false positive. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding of avatar identifier — benign UI feature. | ai | |
| phantom-deps | phantom-dep:marked | AI (phantom-deps): Frontend dep referenced in config; stable false positive. | ai | |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 2.31.0 | 72 / 61 | |
| 2.30.1 | 71 / 60 | |
| 2.30.0 | 71 / 60 | |
| 2.29.1 | 72 / 51 | |
| 2.29.0 | 72 / 51 | |
v2.31.0

7 findings

- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.30.1

7 findings

- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.30.0

7 findings

- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.29.0

1 finding

- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.