@griffel/devtools
Griffel Chrome devtools extension
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:assets/index-D2Fr0pV5.js | AI (source-diff): Vite-bundled browser asset for a Chrome DevTools extension; minification is expected and benign for this package. | ai | |
| source-diff | net-exec-file:assets/index-D2Fr0pV5.js | AI (source-diff): Network calls are modulepreload polyfill fetch(); no dynamic code execution beyond standard React/Vite bundle patterns. | ai | |
| source-diff | obfuscated-file:assets/index-CtY3dAOe.js | AI (source-diff): Minified browser bundle for a Chrome DevTools extension; standard Vite/Rollup output, not obfuscation. | ai | |
| source-diff | net-exec-file:assets/index-CtY3dAOe.js | AI (source-diff): fetch() is the modulepreload polyfill; no dynamic code execution (eval/Function); false positive for bundled browser assets. | ai | |
| phantom-deps | phantom-dep:@griffel/react | AI (phantom-deps): Same-org dep used in the bundled assets; phantom-dep heuristic fires on bundled code, stable FP for this package. | ai | |
Versions (showing 10 of 10)
| Version | Deps | Published |
|---|---|---|
| 0.3.12 | 1 / 0 | |
| 0.3.11 | 1 / 0 | |
| 0.3.10 | 0 / 1 | |
| 0.3.9 | 0 / 1 | |
| 0.3.8 | 0 / 1 | |
| 0.3.7 | 0 / 1 | |
| 0.3.6 | 0 / 1 | |
| 0.3.5 | 0 / 1 | |
| 0.3.4 | 0 / 1 | |
| 0.3.3 | 0 / 1 | |
v0.3.12
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.11
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.10
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.9
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.8
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.7
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.6
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.5
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.4
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.