@hh.ru/magritte-ui-action
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
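What the missing attestation means in concrete terms, as an added example (not part of this report and not the package's or the scanner's own code): the registry metadata for a version with and without attestations, what `dist.integrity` does and does not prove, and what an SLSA v1 provenance statement would bind the tarball to. The packument excerpt, the tarball bytes, the 7.0.0-example version, the repository URL, the commit and the builder ID are all constructed; only the field layout follows the public npm registry's `dist` object and the in-toto/SLSA v1 statement format.

```python
import base64
import hashlib
import hmac
from typing import Optional

SLSA_V1 = "https://slsa.dev/provenance/v1"

# Constructed stand-ins for tarball bytes (real ones are .tgz archives).
TARBALL_6_0_11 = b"constructed stand-in for the 6.0.11 tarball"
TARBALL_EXAMPLE = b"constructed stand-in for a tarball published with provenance"


def sri(data: bytes) -> str:
    """Subresource Integrity string as the registry stores it (sha512, base64)."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


# Constructed packument excerpt. The `dist` layout follows the public npm
# registry; the 7.0.0-example version, its URL and all hashes are made up.
PACKUMENT = {
    "name": "@hh.ru/magritte-ui-action",
    "versions": {
        # What this page reports: an integrity hash and no `attestations` key.
        "6.0.11": {"dist": {"integrity": sri(TARBALL_6_0_11)}},
        # What a version published with npm provenance carries.
        "7.0.0-example": {"dist": {
            "integrity": sri(TARBALL_EXAMPLE),
            "attestations": {
                "url": "https://registry.npmjs.org/-/npm/v1/attestations/"
                       "@hh.ru%2Fmagritte-ui-action@7.0.0-example",
                "provenance": {"predicateType": SLSA_V1},
            },
        }},
    },
}

# Constructed SLSA v1 statement for the example version. Repository, commit
# and builder are placeholders, not hh.ru's infrastructure.
EXAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "pkg:npm/%40hh.ru/magritte-ui-action@7.0.0-example",
                 "digest": {"sha512": hashlib.sha512(TARBALL_EXAMPLE).hexdigest()}}],
    "predicateType": SLSA_V1,
    "predicate": {"buildDefinition": {
        "buildType": "https://example.invalid/buildtypes/ci/v1",
        "externalParameters": {"workflow": {
            "ref": "refs/heads/main",
            "repository": "https://github.com/example-org/example-repo"}},
        "resolvedDependencies": [{
            "uri": "git+https://github.com/example-org/example-repo@refs/heads/main",
            "digest": {"gitCommit": "0" * 40}}],
    }, "runDetails": {"builder": {"id": "https://example.invalid/builder"}}},
}


def sri_matches(data: bytes, integrity: str) -> bool:
    """True if `data` matches an acceptable hash in an SRI string. This shows
    the bytes are what the registry recorded at publish time and nothing about
    which source or build produced them."""
    for entry in integrity.split():
        algo, _, digest_b64 = entry.partition("-")
        if algo not in ("sha256", "sha384", "sha512"):
            continue  # sha1 or unknown algorithms give no assurance
        expected = base64.b64decode(digest_b64)
        if hmac.compare_digest(hashlib.new(algo, data).digest(), expected):
            return True
    return False


def provenance_status(packument: dict, version: str) -> str:
    """'none' when no attestation is attached (every version on this page),
    'slsa-v1' for an SLSA v1 provenance predicate, 'other' otherwise."""
    att = packument["versions"][version]["dist"].get("attestations")
    if not att:
        return "none"
    ptype = att.get("provenance", {}).get("predicateType")
    return "slsa-v1" if ptype == SLSA_V1 else "other"


def source_link(statement: dict, tarball: bytes) -> Optional[dict]:
    """The repository, ref and commit a provenance statement binds these
    tarball bytes to, or None when the statement does not cover them.
    Verifying the Sigstore signature and Rekor entry is the client's job
    (`npm audit signatures` does it); this only reads the signed payload."""
    if statement.get("predicateType") != SLSA_V1:
        return None
    digest = hashlib.sha512(tarball).hexdigest()
    if not any(s.get("digest", {}).get("sha512") == digest
               for s in statement.get("subject", [])):
        return None  # statement is about some other artifact
    build = statement["predicate"]["buildDefinition"]
    workflow = build["externalParameters"]["workflow"]
    commit = next((d["digest"]["gitCommit"]
                   for d in build.get("resolvedDependencies", [])
                   if "gitCommit" in d.get("digest", {})), None)
    return {"repository": workflow["repository"],
            "ref": workflow["ref"], "commit": commit}
```

Against the live registry, `npm view @hh.ru/magritte-ui-action@6.0.11 dist.attestations` prints nothing for a version in the state this page describes, and `npm audit signatures` checks the registry signatures and any attached attestations for an installed tree. The point of `source_link` is the subject digest check: a statement that names a repository and commit is only useful if its subject hash equals the hash of the bytes you actually downloaded.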
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:Skeleton-Je7ijpC6.js | AI (source-diff): Standard bundled output with CSS module hashes; consistent with this org's build pattern across all versions. | ai | |
| source-diff | obfuscated-file:Skeleton-CtsUWV6B.js | AI (source-diff): Standard bundled output with inlined CSS modules; long lines are CSS class name maps, not obfuscation. | ai | |
| source-diff | obfuscated-file:Skeleton-Ci81sBQo.js | AI (source-diff): Long lines are CSS-modules style objects in bundled output; standard pattern for this UI component library. | ai | |
| source-diff | obfuscated-file:Skeleton-BswbZGS8.js | AI (source-diff): Long lines are CSS module maps in a bundled React component — standard build output for this package family. | ai | |
| source-diff | obfuscated-file:Skeleton-B_VK5MYj.js | AI (source-diff): Long lines are CSS module class-name maps from bundler output, not obfuscation; stable pattern for this package. | ai | |
| source-diff | obfuscated-file:Skeleton-BNHJnv7K.js | AI (source-diff): Long-line content is a CSS-modules class-name map generated by the build toolchain, not obfuscation. | ai | |
| source-diff | obfuscated-file:Skeleton-DGKb4lyD.js | AI (source-diff): Long lines are CSS module class-name maps in a standard Rollup bundle, not obfuscation. Stable pattern for this UI component package. | ai | |
| source-diff | obfuscated-file:Skeleton-8-rfnnmv.js | AI (source-diff): Long line is a CSS-modules class-name map (build artifact), not obfuscated malicious code; stable pattern for this UI component package. | ai | |
| source-diff | obfuscated-file:Skeleton-Dop5QxKs.js | AI (source-diff): Long lines are CSS-modules class-name maps inlined by bundler; consistent pattern across this org's packages. | ai | |
| source-diff | obfuscated-file:Skeleton-B7NZ2jJ9.js | AI (source-diff): Long lines are CSS-modules class-name maps in a bundled JS file — standard build output for this UI component library. | ai | |
| source-diff | obfuscated-file:Skeleton-BnGGzUPQ.js | AI (source-diff): Long line is a CSS-modules class-name map, not obfuscated code; standard build output for this UI component library. | ai | |
| source-diff | obfuscated-file:Skeleton-DpsXq9wq.js | AI (source-diff): Long lines are CSS-modules class-name maps in a bundled UI component, not obfuscation. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:Skeleton-6sKTgntc.js | AI (source-diff): Standard minified build artifact with CSS module class maps; consistent with this UI component library's build output. | ai | |
| source-diff | obfuscated-file:Skeleton-BS9gJMuB.js | AI (source-diff): Long lines are CSS-module class-name maps in a bundled React component, not obfuscation. Stable pattern for this package. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Large hh.ru monorepo; sub-packages publish infrequently. Trusted publisher with 474 approved packages. | ai | |
| source-diff | obfuscated-file:Skeleton-BR6JJ9Pn.js | AI (source-diff): Long lines are CSS-modules class-name maps in a standard build bundle, not obfuscation. | ai | |
| source-diff | obfuscated-file:Skeleton-wCoBetwY.js | AI (source-diff): Standard bundled output with CSS module class maps; consistent with this UI component library's build pattern. | ai | |
| source-diff | obfuscated-file:Skeleton-CLOG-1us.js | AI (source-diff): Long lines are CSS module class-name maps inlined by the bundler — standard build artifact for this package family. | ai | |
| source-diff | obfuscated-file:Skeleton-DJ6ig5YO.js | AI (source-diff): Long lines are CSS module class-name maps in a bundled React component; not obfuscation. | ai | |
| source-diff | obfuscated-file:Skeleton-fQmPLPes.js | AI (source-diff): Standard minified React/CSS-modules bundle from established hh.ru UI library; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:Skeleton-BV4D5YMA.js | AI (source-diff): Standard minified CSS-modules bundle from a React UI library; long lines are CSS class name maps, not obfuscation. | ai | |
| source-diff | obfuscated-file:Skeleton-B69UogVA.js | AI (source-diff): Long lines are CSS-modules class-name maps inlined into a build bundle — standard for this UI component package. | ai | |
| phantom-deps | phantom-dep:@hh.ru/magritte-ui-breakpoint | AI (phantom-deps): Same-org monorepo package; phantom dep likely due to indirect/CSS usage patterns. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Internal org-scoped UI component library; missing metadata is expected for private/internal packages published publicly. | ai | |
| phantom-deps | phantom-dep:@hh.ru/magritte-design-tokens | AI (phantom-deps): Same-org monorepo package; phantom dep likely due to indirect/CSS usage patterns. | ai | |
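The two source-diff rules accepted above can be reproduced and re-triaged offline. The following is an added example, not the scanner's code and not code from the package: the long-line check at the 3000-character threshold quoted in the findings, a triage step that separates a CSS-modules class-name map (the pattern every Skeleton-*.js acceptance describes) from eval-family calls and byte escapes, and the phantom-dep comparison between import specifiers and the manifest. The sample chunk, the obfuscated line, the source file and the package.json are constructed; the two package names in the sample are taken from the accepted-risks table, but the manifest is not the package's real one.

```python
import re
from typing import Optional

LONG_LINE = 3000  # threshold behind the "lines over 3000 chars" finding

# Constructed stand-ins. CSS_MAP_LINE imitates a bundled CSS-modules class-name
# map like the accepted Skeleton-*.js chunks; OBFUSCATED_LINE imitates a
# string-array dropper. Neither is taken from the package.
CSS_MAP_LINE = ("const s={" + ",".join(f'"row{i}":"row{i}_Je7ijpC6"' for i in range(200))
                + "};export{s as default};")
OBFUSCATED_LINE = ("var _0x1a2b=[" + ",".join(['"\\x65\\x76\\x61\\x6c"'] * 150)
                   + '];window[_0x1a2b[0]](atob("' + "QUJD" * 200 + '"));')

CSS_PAIR = re.compile(r'"[\w-]+":"[\w-]+"')  # "local":"hashed" entries
SUSPICIOUS = re.compile(
    r"\beval\s*\(|\bFunction\s*\(|\batob\s*\(|\bunescape\s*\("
    r"|\\x[0-9a-fA-F]{2}|\\u00[0-9a-fA-F]{2}")


def classify_long_line(line: str) -> str:
    """'short' below the threshold; 'suspicious' if the line uses eval-family
    calls or byte escapes; 'css-module-map' if most of it is "name":"name_hash"
    pairs (the pattern accepted on this page); otherwise 'review' for a human."""
    if len(line) <= LONG_LINE:
        return "short"
    if SUSPICIOUS.search(line):
        return "suspicious"
    covered = sum(len(m) for m in CSS_PAIR.findall(line))
    if covered / len(line) > 0.6:
        return "css-module-map"
    return "review"


def scan(source: str) -> list:
    """(line number, verdict) for every over-threshold line in a file."""
    return [(n, classify_long_line(line))
            for n, line in enumerate(source.splitlines(), 1)
            if len(line) > LONG_LINE]


# Static imports, side-effect imports, dynamic import() and require().
IMPORT_SPEC = re.compile(
    r"""(?:\bfrom|\bimport\s*\(|\bimport|\brequire\s*\()\s*["']([^"']+)["']""")


def package_name(spec: str) -> Optional[str]:
    """'@scope/name/sub/path' -> '@scope/name', 'react/jsx-runtime' -> 'react'.
    Relative paths and node: builtins are not dependencies at all."""
    if spec.startswith((".", "/", "node:")):
        return None
    parts = spec.split("/")
    return "/".join(parts[:2]) if spec.startswith("@") else parts[0]


def phantom_deps(source: str, manifest: dict) -> set:
    """Packages imported by `source` but declared in none of the manifest's
    dependency blocks. Same-org workspace packages land here when the bundler
    resolved them locally, which is what the two accepted findings describe."""
    declared = set()
    for key in ("dependencies", "peerDependencies", "optionalDependencies"):
        declared |= set(manifest.get(key, {}))
    used = {package_name(s) for s in IMPORT_SPEC.findall(source)}
    used.discard(None)
    return used - declared


# Constructed source and manifest; the two @hh.ru specifiers are the names
# from the accepted-risks table, the rest is made up.
SAMPLE_SOURCE = '''import { jsx } from "react/jsx-runtime";
import { useBreakpoint } from "@hh.ru/magritte-ui-breakpoint";
import "@hh.ru/magritte-design-tokens/dist/tokens.css";
import { Skeleton } from "./Skeleton-Je7ijpC6.js";
const lazy = () => import("react-dom");
'''
SAMPLE_MANIFEST = {
    "dependencies": {"react": "^18.0.0"},
    "peerDependencies": {"react-dom": ">=17"},
}
```

Run over a real tarball, `scan` gives the line numbers the "over 3000 chars" rule fired on, and `classify_long_line` tells you whether the reviewer's acceptance reason (CSS-modules class-name map) actually holds for each one; any 'review' or 'suspicious' verdict on a newly added file deserves a look at the line itself before the accepted-risk entry is trusted. `phantom_deps` is deliberately strict: a specifier that resolves through a workspace is still an undeclared dependency from the consumer's point of view.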
Versions (showing 39 of 39)
| Version | Deps | Published |
|---|---|---|
| 6.0.11 | 9 / 0 | |
| 6.0.10 | 9 / 0 | |
| 6.0.9 | 9 / 0 | |
| 6.0.8 | 9 / 0 | |
| 6.0.7 | 9 / 0 | |
| 6.0.6 | 9 / 0 | |
| 6.0.5 | 9 / 0 | |
| 6.0.4 | 9 / 0 | |
| 6.0.3 | 9 / 0 | |
| 6.0.2 | 9 / 0 | |
| 6.0.1 | 9 / 0 | |
| 6.0.0 | 9 / 0 | |
| 5.1.8 | 9 / 0 | |
| 5.1.7 | 9 / 0 | |
| 5.1.6 | 9 / 0 | |
| 5.1.5 | 9 / 0 | |
| 5.1.4 | 9 / 0 | |
| 5.1.3 | 9 / 0 | |
| 5.1.2 | 9 / 0 | |
| 5.1.1 | 9 / 0 | |
| 5.1.0 | 9 / 0 | |
| 5.0.36 | 9 / 0 | |
| 5.0.35 | 9 / 0 | |
| 5.0.34 | 9 / 0 | |
| 5.0.33 | 9 / 0 | |
| 5.0.32 | 9 / 0 | |
| 5.0.31 | 9 / 0 | |
| 5.0.30 | 9 / 0 | |
| 5.0.29 | 9 / 0 | |
| 5.0.28 | 9 / 0 | |
| 5.0.27 | 9 / 0 | |
| 5.0.26 | 9 / 0 | |
| 5.0.25 | 9 / 0 | |
| 5.0.24 | 9 / 0 | |
| 5.0.23 | 9 / 0 | |
| 5.0.22 | 9 / 0 | |
| 5.0.21 | 9 / 0 | |
| 5.0.20 | 9 / 0 | |
| 5.0.17 | 9 / 0 | |
v6.0.11
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.10
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.9
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.8
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.7
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.6
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.5
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.4
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.8
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.7
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.6
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.5
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.1.4
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.3
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.1.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.1.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.36
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.35
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.34
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.33
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.32
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.31
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.30
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.29
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.28
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.27
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.26
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.25
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.24
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.23
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.22
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.21
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.20
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.17
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.