@forinda/kickjs
A production-grade, decorator-driven Node.js framework built on Express 5 and TypeScript.
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/container-DrioVLNv.mjs | AI (source-diff): Standard minified ESM bundle from tsdown/Vite build; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/bootstrap-CmFQq1ar.mjs | AI (source-diff): Standard minified ESM bundle from tsdown/Vite build; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/application-Zt956jNS.mjs | AI (source-diff): Standard minified ESM bundle from tsdown/Vite build; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/core-MvABl8Cl.mjs | AI (source-diff): Standard minified ESM bundle from tsdown/Vite build; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/context-B4BeGq1B.mjs | AI (source-diff): Standard minified ESM bundle from tsdown/Vite build; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/application-DbUe_4St.mjs | AI (source-diff): Standard minified ESM build output from tsdown/Vite with MIT header and source maps; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/core-DR36jGxB.mjs | AI (source-diff): Standard minified ESM build output from tsdown/Vite with MIT header and source maps; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/context-CPW8cxav.mjs | AI (source-diff): Standard minified ESM build output from tsdown/Vite with MIT header and source maps; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/container-jPCvIZH2.mjs | AI (source-diff): Standard minified ESM build output from tsdown/Vite with MIT header and source maps; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/bootstrap-Dqyit14A.mjs | AI (source-diff): Standard minified ESM build output from tsdown/Vite with MIT header and source maps; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/bootstrap-D86s_Aac.mjs | AI (source-diff): Standard minified ESM bundle; cluster management code, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/core-CJKmg8QR.mjs | AI (source-diff): Standard minified ESM bundle; module registry/decorator logic, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/context-CvJQzbBF.mjs | AI (source-diff): Standard minified ESM bundle; request context/AsyncLocalStorage logic, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/container-COmj1vM3.mjs | AI (source-diff): Standard minified ESM bundle; DI container logic, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/application-Bg_-CIPK.mjs | AI (source-diff): Standard minified ESM bundle from tsdown/Vite build; MIT header present, readable framework logic, source maps included. | ai | |
| source-diff | obfuscated-file:dist/bootstrap-DJmYYyw7.mjs | AI (source-diff): Standard minified ESM bundle from tsdown build; content is readable cluster/bootstrap code. | ai | |
| source-diff | obfuscated-file:dist/container-pRv37ZRS.mjs | AI (source-diff): Standard minified ESM bundle from tsdown build; content is readable DI container code. | ai | |
| source-diff | obfuscated-file:dist/core-XkTLgdql.mjs | AI (source-diff): Standard minified ESM bundle from tsdown build; content is readable module/decorator framework code. | ai | |
| source-diff | obfuscated-file:dist/application-BChmaBl7.mjs | AI (source-diff): Standard minified ESM bundle from tsdown build; content is readable framework code with license header. | ai | |
| source-diff | obfuscated-file:dist/context-KJOHBItp.mjs | AI (source-diff): Standard minified ESM bundle from tsdown build; content is readable request context code. | ai | |
| source-diff | obfuscated-file:dist/context-CnyTYykn.mjs | AI (source-diff): Standard bundler minification; AsyncLocalStorage request context, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/application-BTlWEKp2.mjs | AI (source-diff): Standard bundler minification (tsdown); MIT header present, source maps included, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/bootstrap-DoEPezno.mjs | AI (source-diff): Standard bundler minification; legitimate cluster/worker management code. | ai | |
| source-diff | obfuscated-file:dist/container-Bq8VjG_Y.mjs | AI (source-diff): Standard bundler minification; DI container logic, no exfiltration. | ai | |
| source-diff | obfuscated-file:dist/core-CGEbLIPv.mjs | AI (source-diff): Standard bundler minification; module/decorator framework code, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/application-BQN6JUFA.mjs | AI (source-diff): Standard Vite/tsdown minified ESM bundle with MIT header and readable logic; not malicious obfuscation. | ai | |
| phantom-deps | phantom-dep:cookie-parser | AI (phantom-deps): cookie-parser is a declared runtime dep used as Express middleware; not directly imported in framework source. | ai | |
| phantom-deps | phantom-dep:pino-pretty | AI (phantom-deps): pino-pretty is a declared runtime dep used as optional logger transport; not directly imported in source. | ai | |
| source-diff | obfuscated-file:dist/core-Cd5c8LhS.mjs | AI (source-diff): Standard Vite/tsdown minified ESM bundle; module/decorator framework code, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/context-CtiMB_tb.mjs | AI (source-diff): Standard Vite/tsdown minified ESM bundle; request context code, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/container-B1X8WRwl.mjs | AI (source-diff): Standard Vite/tsdown minified ESM bundle; DI container code, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/bootstrap-B9xvalW_.mjs | AI (source-diff): Standard Vite/tsdown minified ESM bundle; cluster/worker management code, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/bootstrap-DK8o5euq.mjs | AI (source-diff): Standard minified ESM bundle; cluster/worker management code, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/core-Cs7Djz9w.mjs | AI (source-diff): Standard minified ESM bundle; module/decorator framework code, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/context-DpIvcO8X.mjs | AI (source-diff): Standard minified ESM bundle; request context/AsyncLocalStorage code, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/container-CBeLvm_9.mjs | AI (source-diff): Standard minified ESM bundle; DI container code, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/application-CbRBh5Dd.mjs | AI (source-diff): Standard minified ESM bundle from tsdown build tool; readable framework code with MIT header. | ai | |
| source-diff | obfuscated-file:dist/bootstrap-DJYEnmqz.mjs | AI (source-diff): Standard minified ESM build output; cluster/worker management code visible in sample, no malicious patterns. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher changed to GitHub Actions with SLSA provenance attestation — consistent with CI/CD automated publishing for this package. | ai | |
| source-diff | obfuscated-file:dist/core-BjXLPPbZ.mjs | AI (source-diff): Standard minified ESM build output; module/decorator framework code visible in sample, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/context-DgFUi-PJ.mjs | AI (source-diff): Standard minified ESM build output; request context/AsyncLocalStorage code visible in sample, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/container-DziUYitn.mjs | AI (source-diff): Standard minified ESM build output; DI container code visible in sample, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/application-DGTMRqB5.mjs | AI (source-diff): Standard minified ESM build output from tsdown/vite; copyright header and readable framework code confirm legitimate bundling. | ai |
Versions (showing 43 of 43)
| Version | Deps | Published |
|---|---|---|
| 5.14.1 | 2 / 9 | |
| 5.13.1 | 1 / 9 | |
| 5.13.0 | 1 / 9 | |
| 5.9.1 | 6 / 8 | |
| 5.9.0 | 6 / 8 | |
| 5.7.1 | 6 / 8 | |
| 5.7.0 | 6 / 8 | |
| 5.5.0 | 6 / 8 | |
| 5.3.0 | 6 / 8 | |
| 5.2.0 | 6 / 8 | |
| 5.1.0 | 6 / 8 | |
| 5.0.2 | 6 / 8 | |
| 5.0.1 | 6 / 8 | |
| 5.0.0 | 6 / 8 | |
| 4.2.0 | 6 / 8 | |
| 4.1.0 | 6 / 8 | |
| 4.0.0 | 6 / 8 | |
| 3.2.0 | 6 / 8 | |
| 3.1.3 | 6 / 8 | |
| 3.1.2 | 6 / 8 | |
| 3.1.1 | 6 / 8 | |
| 3.1.0 | 6 / 8 | |
| 3.0.8 | 6 / 8 | |
| 3.0.7 | 6 / 8 | |
| 3.0.6 | 6 / 8 | |
| 3.0.5 | 6 / 8 | |
| 3.0.4 | 6 / 8 | |
| 3.0.3 | 6 / 8 | |
| 3.0.2 | 6 / 8 | |
| 3.0.0 | 6 / 8 | |
| 2.3.3 | 6 / 8 | |
| 2.3.2 | 6 / 8 | |
| 2.3.1 | 6 / 8 | |
| 2.3.0 | 6 / 8 | |
| 2.2.5 | 6 / 8 | |
| 2.2.4 | 6 / 8 | |
| 2.2.3 | 6 / 8 | |
| 2.2.2 | 6 / 8 | |
| 2.2.1 | 5 / 8 | |
| 2.2.0 | 5 / 8 | |
| 2.1.0 | 5 / 8 | |
| 0.2.0 | 1 / 19 | |
| 0.1.6 | 1 / 19 |
v5.14.1
7 findingsThis version was published by a different npm account than previous versions on 2026-05-30. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.13.1
7 findingsThis version was published by a different npm account than previous versions on 2026-05-24. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.13.0
7 findingsThis version was published by a different npm account than previous versions on 2026-05-23. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.9.1
7 findingsThis version was published by a different npm account than previous versions on 2026-05-18. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.9.0
7 findingsThis version was published by a different npm account than previous versions on 2026-05-18. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.7.1
7 findingsThis version was published by a different npm account than previous versions on 2026-05-15. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.7.0
7 findingsThis version was published by a different npm account than previous versions on 2026-05-15. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.5.0
7 findingsThis version was published by a different npm account than previous versions on 2026-05-07. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.3.0
2 findingsThis version was published by a different npm account than previous versions on 2026-05-04. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.2.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.2.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.2.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.