@goodchat/core
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/web/_app/immutable/chunks/CuvMRIaM.js | AI (source-diff): Standard SvelteKit/Svelte minified build output; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/chunks/pw1SUG61.js | AI (source-diff): Standard SvelteKit/Svelte minified build output; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/chunks/nQ2sUYq6.js | AI (source-diff): Standard SvelteKit/Svelte minified build output; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/chunks/TRhCG1Z6.js | AI (source-diff): Standard SvelteKit/Svelte minified build output; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/chunks/PwM_avJm.js | AI (source-diff): Standard SvelteKit/Svelte minified build output; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/chunks/Ji4Tv5Bm.js | AI (source-diff): Standard SvelteKit/Svelte minified build output; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/chunks/DIUXGxaI.js | AI (source-diff): Standard SvelteKit/Svelte minified build output; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/chunks/DCCctW8q.js | AI (source-diff): Standard SvelteKit/Svelte minified build output; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/chunks/D25M9IDj.js | AI (source-diff): Standard SvelteKit/Svelte minified build output; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/chunks/auGLqcIB.js | AI (source-diff): SvelteKit build output; minified Svelte runtime code, not malware. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/chunks/CVFt1DDB.js | AI (source-diff): SvelteKit build output; minified Svelte runtime code, not malware. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/chunks/DxNoZhkp.js | AI (source-diff): SvelteKit build output; minified Svelte runtime code, not malware. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/chunks/NxZoEP3V.js | AI (source-diff): SvelteKit build output; minified Svelte runtime code, not malware. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/chunks/r-PxhcT3.js | AI (source-diff): SvelteKit build output; minified Svelte runtime code, not malware. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/chunks/w6yCQ1CX.js | AI (source-diff): SvelteKit build output; minified Svelte runtime code, not malware. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/entry/app.DtjN_Guz.js | AI (source-diff): SvelteKit build output; minified Svelte runtime code, not malware. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/nodes/0.BTvifTvy.js | AI (source-diff): SvelteKit build output; minified Svelte runtime code, not malware. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/nodes/2.sL3Ps55e.js | AI (source-diff): SvelteKit build output; minified Svelte runtime code, not malware. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/nodes/3.C5tHbN1w.js | AI (source-diff): SvelteKit build output; minified Svelte runtime code, not malware. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/nodes/4.B9Kezw9l.js | AI (source-diff): SvelteKit build output; minified Svelte runtime code, not malware. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/nodes/6.BlAHT_C5.js | AI (source-diff): SvelteKit build output; minified Svelte runtime code, not malware. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/nodes/7.CGewW5FG.js | AI (source-diff): SvelteKit build output; minified Svelte runtime code, not malware. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/nodes/8.2AOhRZ4r.js | AI (source-diff): SvelteKit build output; minified Svelte runtime code, not malware. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/chunks/B5qdR2ov.js | AI (source-diff): SvelteKit build output; minified Svelte runtime code, not malware. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/chunks/BM5rc2RC.js | AI (source-diff): SvelteKit build output; minified Svelte runtime code, not malware. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/chunks/BN7nk0Uq.js | AI (source-diff): SvelteKit build output; minified Svelte runtime code, not malware. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/chunks/BkAXD2rm.js | AI (source-diff): SvelteKit build output; minified Svelte runtime code, not malware. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/nodes/6.mKSNgSVV.js | AI (source-diff): Standard SvelteKit/Vite minified bundle output; not malicious obfuscation. | ai | |
| phantom-deps | phantom-dep:drizzle-orm | AI (phantom-deps): drizzle-orm is a declared runtime dep used in config/schema files; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@ai-sdk/provider | AI (phantom-deps): Used transitively via AI SDK; declared dep referenced in config files is a stable false positive. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/nodes/2.D4W-CBoG.js | AI (source-diff): Standard SvelteKit/Vite minified bundle output; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/nodes/0.B0-oO5Sd.js | AI (source-diff): Standard SvelteKit/Vite minified bundle output; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/entry/app.5r36l0zY.js | AI (source-diff): Standard SvelteKit/Vite minified bundle output; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/chunks/hF_jf0I1.js | AI (source-diff): Standard SvelteKit/Vite minified bundle output; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/web/_app/immutable/nodes/8.Czphayk7.js | AI (source-diff): Standard SvelteKit/Vite minified bundle output; not malicious obfuscation. | ai | |
| phantom-deps | phantom-dep:elysia | AI (phantom-deps): Legitimate dependency used in plugin/adapter architecture; declared and re-exported indirectly. | ai | |
| phantom-deps | phantom-dep:zod | AI (phantom-deps): Legitimate dependency used in plugin/adapter architecture; declared and re-exported indirectly. | ai | |
| phantom-deps | phantom-dep:ai | AI (phantom-deps): Legitimate dependency used in plugin/adapter architecture; declared and re-exported indirectly. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Minor metadata gap acceptable for established package with real ecosystem adoption. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): The match is @goodchat/core vs cors — a scoped chat framework package, not an impersonation of the cors utility. The edit distance is coincidental and the packages serve entirely different purposes. | ai | |
Versions (showing 9 of 9)
| Version | Deps | Published |
|---|---|---|
| 0.0.20 | 31 / 2 | |
| 0.0.19 | 31 / 2 | |
| 0.0.16 | 31 / 2 | |
| 0.0.13 | 27 / 2 | |
| 0.0.5 | 19 / 1 | |
| 0.0.4 | 19 / 1 | |
| 0.0.3 | 19 / 1 | |
| 0.0.2 | 19 / 1 | |
| 0.0.1 | 19 / 1 | |
v0.0.19
19 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (Reported 18 times.)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.16
2 findings
Package name '@goodchat/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.13
2 findings
Package name '@goodchat/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.5
2 findings
Package name '@goodchat/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.