@fluid-app/portal-sdk
SDK for building custom Fluid portals
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/MessagingScreen-CkXV8WHH.cjs | AI (source-diff): Standard tsdown/vite bundle output with readable source, comments, and named imports — not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/MessagingScreen-BaGLql5n.cjs | AI (source-diff): Standard tsdown bundle output with source maps; long lines are minified but not obfuscated — readable code visible in sample. | ai | |
| source-diff | obfuscated-file:dist/src-UnXevN9n.cjs | AI (source-diff): Standard tsdown/rollup CJS bundle with readable source regions and known deps; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/MessagingScreen-DgbNN4BF.cjs | AI (source-diff): Standard tsdown/rollup CJS bundle with readable source regions and known deps; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/FluidProvider-DGxCCmVB.cjs | AI (source-diff): Standard Vite/tsdown bundle with readable widget imports; long lines are minified but not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/MessagingScreen-GLb5id9n.cjs | AI (source-diff): Same build artifact pattern; readable source with React/tanstack-query imports, not malicious obfuscation. | ai | |
| source-diff | net-exec-file:dist/FluidProvider-DGxCCmVB.cjs | AI (source-diff): Network calls and dynamic requires are part of the SDK's normal API client and widget loading pattern. | ai | |
| source-diff | obfuscated-file:dist/MessagingScreen-8gH4_8Qn.cjs | AI (source-diff): Standard Vite/tsdown minified bundle output; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/FluidProvider-CBDJKNe2.mjs | AI (source-diff): Standard Vite/tsdown minified bundle output; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/MessagingScreen-hXzE3QsO.mjs | AI (source-diff): Standard Vite/tsdown minified bundle output; not obfuscation. | ai | |
| source-diff | net-exec-file:dist/FluidProvider-B3i7W5r6.cjs | AI (source-diff): Network calls and dynamic requires are normal React SDK bundle patterns, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/FluidProvider-B3i7W5r6.cjs | AI (source-diff): Standard Vite/tsdown minified bundle output; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/MessagingScreen-DlRwCPg8.mjs | AI (source-diff): Standard Vite bundle output; sample shows readable React/ESM code, long lines are bundler artifacts. | ai | |
| source-diff | obfuscated-file:dist/MessagingScreen-_-sdlwh0.cjs | AI (source-diff): Standard Vite bundle output; sample shows readable React code with normal imports, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/MessagingScreen-ClnTfJPR.mjs | AI (source-diff): Standard ESM bundle output for messaging screen; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/FluidProvider-CiMgrTE0.cjs | AI (source-diff): Standard Vite/tsdown bundle output; long lines are minified but readable widget imports, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/MessagingScreen-B0nvkVRJ.cjs | AI (source-diff): Standard Vite/tsdown bundle output for messaging feature; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/FluidProvider-BdjVFM6g.mjs | AI (source-diff): Standard ESM bundle output; long import lines are normal for bundled SDK. | ai | |
| source-diff | net-exec-file:dist/FluidProvider-CiMgrTE0.cjs | AI (source-diff): Network calls and dynamic requires are expected in a portal SDK provider bundle; no dropper pattern visible. | ai | |
| source-diff | obfuscated-file:dist/MessagingScreen-0iAzXjtW.mjs | AI (source-diff): Standard bundled ESM output for MessagingScreen; no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/MessagingScreen-CJ0Rj-M7.cjs | AI (source-diff): Standard bundled CJS output for MessagingScreen feature; no malicious patterns. | ai | |
| source-diff | net-exec-file:dist/FluidProvider-BAg3B4eD.cjs | AI (source-diff): Network calls and dynamic requires are normal React SDK bundler patterns, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/FluidProvider-BAg3B4eD.cjs | AI (source-diff): Standard Vite/tsdown bundle output; long lines are minified but not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/FluidProvider-C00Px_ej.mjs | AI (source-diff): Standard bundled ESM output; imports are named widget/provider modules consistent with SDK structure. | ai | |
| source-diff | obfuscated-file:dist/FluidProvider-BQjPCP_2.cjs | AI (source-diff): Sample shows standard CJS bundler re-export wrappers, not obfuscation; consistent with tsdown build output for this SDK. | ai | |
| source-diff | net-exec-file:dist/FluidProvider-BQjPCP_2.cjs | AI (source-diff): Network calls and dynamic requires are part of the SDK's widget/API client architecture, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/MessagingScreen-CZddjqma.mjs | AI (source-diff): Standard Vite/tsdown ESM bundle output; sample shows readable React code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/MessagingScreen-D3S230Ba.cjs | AI (source-diff): Standard Vite/tsdown CJS bundle output; sample shows readable React code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/FluidProvider-C9DPE1F0.cjs | AI (source-diff): Long lines are Vite/tsdown CJS bundle barrel requires, not obfuscation. Stable pattern for this build toolchain. | ai | |
| source-diff | net-exec-file:dist/FluidProvider-C9DPE1F0.cjs | AI (source-diff): Network calls and dynamic requires in a portal SDK bundle are expected; no dropper pattern visible in sample. | ai | |
| source-diff | obfuscated-file:dist/MessagingScreen-CwzSY_G8.mjs | AI (source-diff): Standard tsdown/Vite bundle output; samples show readable React code, not obfuscation. | ai | |
| phantom-deps | phantom-dep:use-sync-external-store | AI (phantom-deps): Bundled transitive dep; phantom-dep false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/MessagingScreen-2M2ETWXp.cjs | AI (source-diff): Standard tsdown/Vite bundle output; samples show readable React code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/MessagingScreen-CCbgNRp1.cjs | AI (source-diff): Standard Vite/tsdown bundle output; long lines from minification, not obfuscation. Code is fully readable in sample. | ai | |
| phantom-deps | phantom-dep:embla-carousel-react | AI (phantom-deps): Carousel lib likely consumed via re-export or config; phantom-dep heuristic is a stable false positive for this SDK. | ai | |
| phantom-deps | phantom-dep:tw-animate-css | AI (phantom-deps): CSS-only package; not imported via JS but used via config/CSS — phantom-dep heuristic is a stable false positive here. | ai | |
Versions (showing 51 of 56)
| Version | Deps | Published |
|---|---|---|
| 0.1.356 | 10 / 68 | |
| 0.1.355 | 10 / 68 | |
| 0.1.354 | 10 / 68 | |
| 0.1.353 | 10 / 68 | |
| 0.1.349 | 10 / 67 | |
| 0.1.348 | 10 / 67 | |
| 0.1.347 | 10 / 67 | |
| 0.1.346 | 10 / 67 | |
| 0.1.345 | 10 / 67 | |
| 0.1.329 | 10 / 67 | |
| 0.1.327 | 10 / 67 | |
| 0.1.326 | 10 / 67 | |
| 0.1.325 | 10 / 67 | |
| 0.1.324 | 10 / 67 | |
| 0.1.313 | 10 / 67 | |
| 0.1.312 | 10 / 67 | |
| 0.1.311 | 10 / 67 | |
| 0.1.310 | 10 / 67 | |
| 0.1.309 | 10 / 67 | |
| 0.1.308 | 10 / 67 | |
| 0.1.307 | 10 / 67 | |
| 0.1.306 | 10 / 67 | |
| 0.1.305 | 10 / 67 | |
| 0.1.304 | 10 / 67 | |
| 0.1.303 | 10 / 67 | |
| 0.1.302 | 10 / 67 | |
| 0.1.301 | 10 / 67 | |
| 0.1.300 | 10 / 67 | |
| 0.1.299 | 10 / 67 | |
| 0.1.298 | 10 / 67 | |
| 0.1.296 | 10 / 67 | |
| 0.1.291 | 10 / 67 | |
| 0.1.290 | 10 / 67 | |
| 0.1.289 | 10 / 67 | |
| 0.1.288 | 10 / 67 | |
| 0.1.287 | 10 / 67 | |
| 0.1.286 | 10 / 67 | |
| 0.1.285 | 10 / 67 | |
| 0.1.284 | 10 / 67 | |
| 0.1.274 | 10 / 67 | |
| 0.1.273 | 10 / 67 | |
| 0.1.251 | 10 / 67 | |
| 0.1.250 | 10 / 67 | |
| 0.1.244 | 10 / 63 | |
| 0.1.243 | 10 / 63 | |
| 0.1.242 | 10 / 63 | |
| 0.1.241 | 10 / 63 | |
| 0.1.240 | 10 / 63 | |
| 0.1.237 | 10 / 63 | |
| 0.1.236 | 10 / 63 | |
| 0.1.122 | 10 / 60 | |
v0.1.356
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.355
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.354
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.353
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.349
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.348
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.347
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.346
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.345
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.329
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.327
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.326
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.325
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.324
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.313
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.312
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.311
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.310
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.309
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.308
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.307
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.306
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.305
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.304
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.303
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.302
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.301
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.300
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.299
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.298
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.296
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.291
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.290
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.289
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.288
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.287
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.286
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.285
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.284
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.274
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.273
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.251
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.250
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.244
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.243
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.242
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.241
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.240
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.237
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.122
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.