@imtbl/checkout-widgets
This internal package is used by the TypeScript Checkout SDK package `@imtbl/checkout-sdk`.
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/browser/AddTokensWidget-CtgTMQaF.js | AI (source-diff): Standard Rollup minified browser bundle; readable imports and React component code visible in sample. | ai | |
| source-diff | obfuscated-file:dist/browser/WalletWidget-CJ7WYkGs.js | AI (source-diff): Standard Rollup minified browser bundle for the wallet widget. | ai | |
| source-diff | obfuscated-file:dist/browser/WalletApproveHero-CLOuWFdK.js | AI (source-diff): Minified Rollup chunk; consistent with rest of build output. | ai | |
| source-diff | obfuscated-file:dist/browser/SwapWidget-DZX2e6Mw.js | AI (source-diff): Standard Rollup minified browser bundle for the swap widget. | ai | |
| source-diff | obfuscated-file:dist/browser/SpendingCapHero-O4mxTGj9.js | AI (source-diff): Minified Rollup chunk; consistent with rest of build output. | ai | |
| source-diff | obfuscated-file:dist/browser/SaleWidget-CB1VUdA1.js | AI (source-diff): Standard Rollup chunk for the sale widget; readable named imports visible. | ai | |
| source-diff | obfuscated-file:dist/browser/index.umd-DgX1JKmn.js | AI (source-diff): UMD bundle with standard webpack runtime; minified but not obfuscated. | ai | |
| source-diff | net-exec-file:dist/browser/index-Cy6GwrlT.js | AI (source-diff): Network+eval pattern is expected in a blockchain wallet widget SDK bundle. | ai | |
| source-diff | obfuscated-file:dist/browser/index-Cy6GwrlT.js | AI (source-diff): Main bundle entry; sample shows tiny-lru with proper copyright header, standard minified output. | ai | |
| source-diff | obfuscated-file:dist/browser/index-Bo8uSFTf.js | AI (source-diff): Minified LitElement/web-components bundle with BSD license headers; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/browser/BridgeWidget-BMoOgSRy.js | AI (source-diff): Standard Rollup minified browser bundle for the bridge widget. | ai | |
| source-diff | net-exec-file:dist/browser/AddTokensWidget-CtgTMQaF.js | AI (source-diff): Network calls and dynamic code are part of the widget's legitimate blockchain/wallet functionality. | ai | |
| source-diff | net-exec-file:dist/browser/index-DS3fj_2U.js | AI (source-diff): Network+eval pattern expected in a DeFi SDK bundle; sample shows no malicious payload. | ai | |
| source-diff | obfuscated-file:dist/browser/AddTokensWidget-ePA-Ux3z.js | AI (source-diff): Standard Rollup minified browser bundle for a UI widget; readable named imports confirm legitimate code. | ai | |
| source-diff | net-exec-file:dist/browser/AddTokensWidget-ePA-Ux3z.js | AI (source-diff): Network calls and dynamic code are expected in a DeFi checkout widget bundle; no malware indicators in sample. | ai | |
| source-diff | obfuscated-file:dist/browser/BridgeWidget-VFSkqS_b.js | AI (source-diff): Standard Rollup minified bundle; sample shows ethers/axios/React imports consistent with bridge widget functionality. | ai | |
| source-diff | obfuscated-file:dist/browser/index-DrhDFy6x.js | AI (source-diff): Minified LitElement/web-components bundle with BSD-3 license headers; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/browser/index-DS3fj_2U.js | AI (source-diff): Main bundle with readable tiny-lru source and license headers; standard Rollup output. | ai | |
| source-diff | obfuscated-file:dist/browser/index.umd-D7ucnICn.js | AI (source-diff): UMD wrapper with standard webpack-style module loader; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/browser/SaleWidget-CkmaUql5.js | AI (source-diff): Minified sale widget bundle with readable named imports; consistent with normal build output. | ai | |
| source-diff | obfuscated-file:dist/browser/SpendingCapHero-CBY27P8H.js | AI (source-diff): Minified UI component bundle; no malware indicators. | ai | |
| source-diff | obfuscated-file:dist/browser/SwapWidget-CD_lRY1s.js | AI (source-diff): Minified swap widget bundle; consistent with normal Rollup build output. | ai | |
| source-diff | obfuscated-file:dist/browser/WalletApproveHero-DMxR_5Hi.js | AI (source-diff): Minified UI component bundle; no malware indicators. | ai | |
| source-diff | obfuscated-file:dist/browser/WalletWidget-l3UGy8qI.js | AI (source-diff): Minified wallet widget bundle; consistent with normal Rollup build output. | ai | |
| publish-pattern | rapid-publish | AI (publish-pattern): Immutable SDK uses automated CI/CD publishing across many packages simultaneously; rapid publish is expected. | ai | |
| source-diff | obfuscated-file:dist/browser/BridgeWidget-C_5FUiyz.js | AI (source-diff): Standard Rollup minified browser bundle; sample shows named imports from ethers, axios, and internal SDK modules. | ai | |
| source-diff | obfuscated-file:dist/browser/AddTokensWidget-BkxghoC5.js | AI (source-diff): Standard Rollup minified browser bundle for a React widget; named imports from known packages confirm legitimate build output. | ai | |
| source-diff | obfuscated-file:dist/browser/index-D4rlMbOn.js | AI (source-diff): Standard minified bundle; sample shows LitElement/CSS polyfill code with BSD-3-Clause license headers. | ai | |
| source-diff | net-exec-file:dist/browser/AddTokensWidget-BkxghoC5.js | AI (source-diff): Network calls and dynamic code are expected in a checkout widget that fetches token images and executes wallet transactions. | ai | |
| source-diff | obfuscated-file:dist/browser/WalletWidget-B-dLAzFV.js | AI (source-diff): Standard Rollup minified widget bundle; consistent with the package's build pattern. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Large number of new files is expected for a checkout widget suite with code-split bundles per widget. | ai | |
| source-diff | obfuscated-file:dist/browser/WalletApproveHero-B9uxUTry.js | AI (source-diff): Standard minified browser bundle for a UI component; consistent with the package's build pattern. | ai | |
| source-diff | obfuscated-file:dist/browser/SwapWidget-CxkInluc.js | AI (source-diff): Standard Rollup minified widget bundle; consistent with the package's build pattern. | ai | |
| source-diff | obfuscated-file:dist/browser/SpendingCapHero-Da1T0fOL.js | AI (source-diff): Standard minified browser bundle for a UI component; consistent with the package's build pattern. | ai | |
| source-diff | obfuscated-file:dist/browser/SaleWidget-DfCZhC8p.js | AI (source-diff): Standard Rollup minified widget bundle; named imports from internal SDK modules confirm legitimate build. | ai | |
| source-diff | obfuscated-file:dist/browser/index.umd-BVdfGwyY.js | AI (source-diff): UMD bundle with standard webpack runtime; fetch polyfill pattern is expected for browser compatibility. | ai | |
| source-diff | net-exec-file:dist/browser/index-Dd_Z4Frg.js | AI (source-diff): Network + dynamic code expected in a wallet/checkout SDK bundle; no malicious payload indicators in sample. | ai | |
| source-diff | obfuscated-file:dist/browser/index-Dd_Z4Frg.js | AI (source-diff): Main bundle; sample shows tiny-lru with BSD-3-Clause license header — legitimate bundled dependency. | ai | |
| phantom-deps | phantom-dep:pino-pretty | AI (phantom-deps): pino-pretty declared as runtime dep for logging; phantom-dep heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:pako | AI (phantom-deps): pako is a declared runtime dep used in build/config context; phantom-dep heuristic false positive for this package. | ai | |
Versions (showing 7 of 7)
| Version | Deps | Published |
|---|---|---|
| 2.20.0 | 28 / 31 | |
| 2.19.0 | 28 / 31 | |
| 2.18.0 | 28 / 31 | |
| 2.17.1 | 28 / 31 | |
| 2.17.0 | 28 / 31 | |
| 2.16.0 | 28 / 31 | |
| 2.15.0 | 28 / 31 | |
v2.20.0
13 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.19.0
13 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.18.0
13 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.17.1
1 finding
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.17.0
1 finding
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.16.0
1 finding
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.15.0
1 finding
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.