@form-create/core
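FormCreate is a low-code form rendering engine that generates low-code forms with dynamic rendering, data collection, validation, and submission from JSON. It supports 6 UI frameworks, is adapted for mobile, and can generate any Vue component.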
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/index.min.js | AI (source-diff): Standard UMD bundle for a low-code form renderer; no actual network/dropper behavior present. | ai | |
| source-diff | obfuscated-file:dist/index.js | AI (source-diff): Standard minified UMD bundle with clear copyright header; not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/index.js | AI (source-diff): UMD require('vue') + new Function for conditional logic; expected pattern for this form-rendering library. | ai | |
| source-diff | net-exec-file:dist/index.esm.min.js | AI (source-diff): Minified Vue form-engine bundle; network calls are Vue reactivity/fetch patterns, not dropper behavior. Stable for this package. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() used for evaluating form condition expressions — expected pattern in a low-code form engine. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): Scoped package in established form-create ecosystem; name similarity to 'cors' is coincidental. | ai | |
Versions (showing 32 of 32)
| Version | Deps | Published |
|---|---|---|
| 3.3.1 | 1 / 7 | |
| 3.3.0 | 1 / 7 | |
| 3.2.42 | 1 / 0 | |
| 3.2.41 | 1 / 0 | |
| 3.2.40 | 1 / 0 | |
| 3.2.39 | 1 / 0 | |
| 3.2.37 | 1 / 0 | |
| 3.2.36 | 1 / 0 | |
| 3.2.35 | 1 / 0 | |
| 3.2.34 | 1 / 0 | |
| 3.2.33 | 1 / 0 | |
| 2.7.27 | 1 / 1 | |
| 2.7.26 | 1 / 1 | |
| 2.7.25 | 1 / 1 | |
| 2.7.24 | 1 / 1 | |
| 2.7.23 | 1 / 1 | |
| 2.7.22 | 1 / 1 | |
| 2.7.21 | 1 / 1 | |
| 2.7.20 | 1 / 1 | |
| 2.7.19 | 1 / 1 | |
| 2.7.18 | 1 / 1 | |
| 2.7.17 | 1 / 1 | |
| 2.7.16 | 1 / 1 | |
| 2.7.15 | 1 / 1 | |
| 2.7.14 | 1 / 1 | |
| 2.7.12 | 1 / 1 | |
| 2.7.11 | 1 / 1 | |
| 2.7.10 | 1 / 1 | |
| 2.7.9 | 1 / 1 | |
| 2.7.8 | 1 / 1 | |
| 2.7.7 | 1 / 1 | |
| 2.6.3 | 1 / 1 | |
v3.3.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.0
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.42
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.41
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.40
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.39
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.37
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.36
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.35
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.34
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.33
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.27
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.26
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.25
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.24
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.23
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.22
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.21
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.20
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.19
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.18
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.17
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.16
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.15
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.14
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.12
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.11
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.10
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.9
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.8
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.3
2 findings
Package name '@form-create/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.