@jx3box/jx3box-editor — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

rx6x3zvawqkaviilee

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition from human publisher to GitHub Actions CI/CD with SLSA provenance; legitimate automation.	ai	2026/05/29
source-diff	net-exec-file:src/assets/js/tex-mml-chtml.js	AI (source-diff): MathJax bundle legitimately loads fonts/resources at runtime; not a dropper pattern.	ai	2026/05/26
source-diff	obfuscated-file:src/assets/js/tex-mml-chtml.js	AI (source-diff): tex-mml-chtml.js is the standard MathJax webpack bundle; minification is expected and benign for this package.	ai	2026/05/26
dependencies	unvetted-dep:vue-contextmenujs	AI (dependencies): Pre-existing dep in this package; stable across versions.	ai	2026/05/21
dependencies	unvetted-dep:@jx3box/markdown	AI (dependencies): Same org scope (@jx3box); pre-existing dep, stable across versions.	ai	2026/05/21
dependencies	unvetted-dep:csslab	AI (dependencies): Pre-existing dep in this package; stable across versions.	ai	2026/05/21
dependencies	unvetted-dep:vue-gallery-slideshow	AI (dependencies): Pre-existing dep in this package; stable across versions.	ai	2026/05/21
dependencies	unvetted-dep:vue-photoswipe.js	AI (dependencies): Pre-existing dep in this package; stable across versions.	ai	2026/05/21
publish-pattern	dormant-publish	AI (publish-pattern): Established org package with 290 versions and clean publisher history; dormancy is not indicative of takeover given no code changes.	ai	2026/05/08
dependencies	unvetted-dep:hevue-img-preview	AI (dependencies): Image preview UI component; benign for an editor package.	ai	2026/05/07
dependencies	unvetted-dep:vue-plugin-load-script	AI (dependencies): Small Vue utility for dynamic script loading; consistent with TinyMCE integration pattern here.	ai	2026/05/07
dependencies	unvetted-dep:vditor	AI (dependencies): vditor is a well-known Markdown editor library; consistent with this editor package's purpose.	ai	2026/05/07
phantom-deps	phantom-dep:prismjs	AI (phantom-deps): Syntax highlighting loaded via config in editor context; not directly imported.	ai	2026/05/07
phantom-deps	phantom-dep:vue	AI (phantom-deps): Vue is a peer/config dependency for a Vue component library; not directly imported by design.	ai	2026/05/07
phantom-deps	phantom-dep:csslab	AI (phantom-deps): CSS utility used via config/build pipeline, not direct import; stable pattern for this package.	ai	2026/05/07
phantom-deps	phantom-dep:core-js	AI (phantom-deps): Known implicit polyfill dependency; standard for Vue CLI projects.	ai	2026/05/07
phantom-deps	phantom-dep:element-ui	AI (phantom-deps): UI framework used as peer/config dep in Vue CLI project; stable pattern.	ai	2026/05/07
phantom-deps	phantom-dep:@jx3box/markdown	AI (phantom-deps): Same-org dep used via config; stable pattern for this package.	ai	2026/05/07
phantom-deps	phantom-dep:vue-contextmenujs	AI (phantom-deps): Vue plugin loaded via config; not directly imported by design.	ai	2026/05/07
phantom-deps	phantom-dep:vue-photoswipe.js	AI (phantom-deps): Vue plugin loaded via config; not directly imported by design.	ai	2026/05/07
phantom-deps	phantom-dep:vue-gallery-slideshow	AI (phantom-deps): Vue plugin loaded via config; not directly imported by design.	ai	2026/05/07
provenance	no-provenance	AI (provenance): Established org package; lack of Sigstore provenance is common and not a disqualifier here.	ai	2026/05/07
phantom-deps	phantom-dep:lodash	AI (phantom-deps): Component library pattern; deps used via config/re-export, not direct import.	ai	2026/05/02
phantom-deps	phantom-dep:dayjs	AI (phantom-deps): Component library pattern; deps used via config/re-export, not direct import.	ai	2026/05/02
phantom-deps	phantom-dep:uuid	AI (phantom-deps): Component library pattern; deps used via config/re-export, not direct import.	ai	2026/05/02
phantom-deps	phantom-dep:@jx3box/jx3box-emotion	AI (phantom-deps): Same org scope; stable false positive for this package.	ai	2026/05/02
phantom-deps	phantom-dep:@tinymce/tinymce-vue	AI (phantom-deps): Component library pattern; deps used via config/re-export, not direct import.	ai	2026/05/02
phantom-deps	phantom-dep:github-markdown-css	AI (phantom-deps): Component library pattern; CSS dep referenced in config, not direct import.	ai	2026/05/02
phantom-deps	phantom-dep:vue-plugin-load-script	AI (phantom-deps): Component library pattern; deps used via config/re-export, not direct import.	ai	2026/05/02
phantom-deps	phantom-dep:@imengyu/vue3-context-menu	AI (phantom-deps): Component library pattern; deps used via config/re-export, not direct import.	ai	2026/05/02
phantom-deps	phantom-dep:@jx3box/jx3box-data	AI (phantom-deps): Same org scope; stable false positive for this package.	ai	2026/05/02
phantom-deps	phantom-dep:hevue-img-preview	AI (phantom-deps): Component library pattern; deps used via config/re-export, not direct import.	ai	2026/05/02
phantom-deps	phantom-dep:vuedraggable	AI (phantom-deps): Component library pattern; deps used via config/re-export, not direct import.	ai	2026/05/02
phantom-deps	phantom-dep:xss	AI (phantom-deps): Component library pattern; deps used via config/re-export, not direct import.	ai	2026/05/02
phantom-deps	phantom-dep:sortablejs	AI (phantom-deps): Component library pattern; deps used via config/re-export, not direct import.	ai	2026/05/02
phantom-deps	phantom-dep:vditor	AI (phantom-deps): Component library pattern; deps used via config/re-export, not direct import.	ai	2026/05/02
phantom-deps	phantom-dep:lucide	AI (phantom-deps): Component library pattern; deps used via config/re-export, not direct import.	ai	2026/05/02

Versions (showing 28 of 28)

Version	Deps	Published
3.2.2	30 / 32	2026-05-13
3.2.1	30 / 32	2026-05-01
3.2.0	30 / 32	2026-05-01
3.1.5	30 / 32	2026-04-22
3.1.4	30 / 32	2026-04-16
3.1.3	30 / 32	2026-04-08
3.1.2	30 / 32	2026-04-08
3.1.1	30 / 32	2026-04-07
3.1.0	30 / 32	2026-04-07
3.0.13	30 / 32	2026-05-01
3.0.12	30 / 32	2026-04-29
3.0.11	30 / 32	2026-04-06
3.0.10	30 / 32	2026-04-04
3.0.9	30 / 32	2026-03-25
3.0.8	30 / 29	2026-03-18
3.0.7	30 / 29	2026-03-13
3.0.6	30 / 29	2026-03-13
3.0.4	30 / 29	2026-03-13
3.0.3	30 / 29	2026-03-13
3.0.2	29 / 29	2026-03-13
3.0.1	29 / 29	2026-03-12
3.0.0	29 / 29	2026-03-12
2.2.48	32 / 15	2026-03-02
2.2.47	32 / 15	2026-01-21
2.2.46	32 / 15	2026-01-20
2.2.45	32 / 15	2026-01-19
2.2.44	30 / 15	2026-01-14
2.2.43	30 / 15	2026-01-12

v3.2.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.1.5

2 findings

HIGH Publisher changed: rx6 → GitHub Actions (on 2026-04-22) provenance

This version was published by a different npm account than previous versions on 2026-04-22. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.4

2 findings

HIGH Publisher changed: rx6 → GitHub Actions (on 2026-04-16) provenance

This version was published by a different npm account than previous versions on 2026-04-16. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.1.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.13

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.0.12

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.11

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.0.10

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.0.9

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.0.8

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.7

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.6

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.0.4

3 findings

HIGH New obfuscated file: src/assets/js/tex-mml-chtml.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: src/assets/js/tex-mml-chtml.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.3

3 findings

HIGH New obfuscated file: src/assets/js/tex-mml-chtml.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: src/assets/js/tex-mml-chtml.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.2

3 findings

HIGH New obfuscated file: src/assets/js/tex-mml-chtml.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: src/assets/js/tex-mml-chtml.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.1

3 findings

HIGH New obfuscated file: src/assets/js/tex-mml-chtml.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: src/assets/js/tex-mml-chtml.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.0

3 findings

HIGH New obfuscated file: src/assets/js/tex-mml-chtml.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: src/assets/js/tex-mml-chtml.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.48

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.47

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.2.46

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.45

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.44

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.2.43

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.