@hh.ru/magritte-ui-typography
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:base-text-C7Iyq9j1.js | AI (source-diff): CSS modules class-name map; standard build artifact for this UI component library, not obfuscation. | ai | |
| source-diff | obfuscated-file:base-text-Q7c7fSSJ.js | AI (source-diff): CSS-modules classname map bundled as JS; standard build output for this UI component library. | ai | |
| source-diff | obfuscated-file:base-text-CedfSDoj.js | AI (source-diff): CSS modules classname map bundled as minified JS; standard build output for this UI component library. | ai | |
| source-diff | obfuscated-file:base-text-BraJWgEx.js | AI (source-diff): CSS modules class-name map; long lines are expected build output for this UI library. | ai | |
| source-diff | obfuscated-file:base-text-BmuZnE87.js | AI (source-diff): Long lines are CSS-modules class name maps from the build process; not obfuscation. Stable pattern for this UI component package. | ai | |
| source-diff | obfuscated-file:base-text-BcvKjDT2.js | AI (source-diff): Long lines are CSS modules class-name maps from the build process; stable false positive for this UI component package. | ai | |
| source-diff | obfuscated-file:base-text-DyY9Ore6.js | AI (source-diff): Long-line file is a CSS-modules class-name map bundled by the build toolchain; stable false positive for this UI library. | ai | |
| source-diff | obfuscated-file:base-text-1SeyjaEO.js | AI (source-diff): CSS-modules classname map bundled as minified JS; standard build output for this UI component library. | ai | |
| source-diff | obfuscated-file:base-text-CBfMmfzp.js | AI (source-diff): Long lines are CSS-module class-name maps generated at build time; not obfuscation. | ai | |
| source-diff | obfuscated-file:base-text-BZjnriwM.js | AI (source-diff): CSS-modules classname map bundled as minified JS; standard build output for this UI component library. | ai | |
| source-diff | obfuscated-file:base-text-E6AvREQQ.js | AI (source-diff): File is a CSS-modules class-name map (minified JSON-like object); standard build output for this UI library. | ai | |
| source-diff | obfuscated-file:base-text-C756_PdJ.js | AI (source-diff): CSS modules classname map in bundled UI component output; not obfuscation. | ai | |
| source-diff | obfuscated-file:base-text-CdnQ_J6T.js | AI (source-diff): Long lines are CSS-module class-name maps, not obfuscated code; stable pattern for this UI component package. | ai | |
| source-diff | obfuscated-file:base-text-IUZ8Oco2.js | AI (source-diff): File is a CSS-modules class-name map bundled as minified JS — standard build output for this UI library. | ai | |
| source-diff | obfuscated-file:base-text-CJqYNbQq.js | AI (source-diff): Long-line file is a bundler-generated CSS module map, not obfuscated malware; stable pattern for this UI library. | ai | |
| source-diff | obfuscated-file:base-text-AidlaekX.js | AI (source-diff): Long lines are CSS-modules class-name maps from standard bundler output, not obfuscation. | ai | |
| source-diff | obfuscated-file:base-text-k1NX3O4V.js | AI (source-diff): Long-line file is a CSS modules class-name map (build artifact), not obfuscated malicious code; stable pattern for this UI library. | ai | |
| source-diff | obfuscated-file:base-text-BXaOItcR.js | AI (source-diff): File is a CSS-modules class-name map (minified JSON-like object); not executable obfuscation. Stable pattern for this UI library. | ai | |
| source-diff | obfuscated-file:base-text-6IHG1mkh.js | AI (source-diff): Long lines are CSS-module class-name maps from the build process; stable pattern for this UI component package. | ai | |
| source-diff | obfuscated-file:base-text-CTrdKIko.js | AI (source-diff): File is a standard CSS-modules/bundler output with hashed class names; not obfuscation. | ai | |
| source-diff | obfuscated-file:base-text-BxGPDO9Y.js | AI (source-diff): Long-line content is a CSS Modules class-name map generated by the build; not obfuscation. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@hh.ru/magritte-design-tokens | AI (phantom-deps): Same-org design-tokens dep; phantom-dep heuristic fires on indirect/peer usage common in monorepo component packages. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Monorepo UI component; missing metadata is a publishing style choice, not a spam/malware indicator. | ai |
Versions (showing 24 of 24)
| Version | Deps | Published |
|---|---|---|
| 5.3.3 | 5 / 0 | |
| 5.3.2 | 5 / 0 | |
| 5.3.1 | 4 / 0 | |
| 5.3.0 | 4 / 0 | |
| 5.2.0 | 4 / 0 | |
| 5.1.0 | 4 / 0 | |
| 5.0.1 | 4 / 0 | |
| 5.0.0 | 4 / 0 | |
| 4.5.4 | 4 / 0 | |
| 4.5.3 | 4 / 0 | |
| 4.5.2 | 4 / 0 | |
| 4.5.1 | 4 / 0 | |
| 4.5.0 | 4 / 0 | |
| 4.4.4 | 4 / 0 | |
| 4.4.3 | 4 / 0 | |
| 4.4.2 | 4 / 0 | |
| 4.4.1 | 4 / 0 | |
| 4.4.0 | 4 / 0 | |
| 4.3.5 | 4 / 0 | |
| 4.3.4 | 4 / 0 | |
| 4.3.3 | 4 / 0 | |
| 4.3.2 | 4 / 0 | |
| 4.3.1 | 4 / 0 | |
| 4.3.0 | 4 / 0 |
v5.3.3
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.3.2
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.3.1
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.3.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.5.4
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.5.3
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.5.2
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.5.1
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.5.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.4.4
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.4.3
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.4.2
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.4.1
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.4.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.5
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.4
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.3
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.2
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.1
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.