@karmaniverous/jeeves-server
Secure file browser, markdown viewer, and webhook gateway with PDF/DOCX export and expiring share links
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/client/assets/dist-Bhum1fVN.js | AI (source-diff): Standard Vite/Rolldown minified client bundle (CodeMirror/Lezer); not malicious. | ai | |
| source-diff | obfuscated-file:dist/client/assets/dist-BNhDitvH.js | AI (source-diff): Standard Vite/Rolldown minified client bundle; not malicious. | ai | |
| source-diff | obfuscated-file:dist/client/assets/dist-BOeB7NpC.js | AI (source-diff): Standard Vite/Rolldown minified client bundle (HTML/XML parser); not malicious. | ai | |
| source-diff | obfuscated-file:dist/client/assets/dist-BWpIzcK-.js | AI (source-diff): Standard Vite/Rolldown minified client bundle (CodeMirror core); not malicious. | ai | |
| source-diff | obfuscated-file:dist/client/assets/dist-CFhlg0iW.js | AI (source-diff): Standard Vite/Rolldown minified client bundle (SQL/CSS language support); not malicious. | ai | |
| source-diff | obfuscated-file:dist/client/assets/dist-CGmVjpPP.js | AI (source-diff): Standard Vite/Rolldown minified client bundle (style system); not malicious. | ai | |
| source-diff | obfuscated-file:dist/client/assets/dist-CORpuw2V.js | AI (source-diff): Standard Vite/Rolldown minified client bundle (CodeMirror commands); not malicious. | ai | |
| source-diff | obfuscated-file:dist/client/assets/dist-CR-I_L9i.js | AI (source-diff): Standard Vite/Rolldown minified client bundle (Lezer parser); not malicious. | ai | |
| source-diff | obfuscated-file:dist/client/assets/dist-CUARWWK7.js | AI (source-diff): Standard Vite/Rolldown minified client bundle; not malicious. | ai | |
| source-diff | obfuscated-file:dist/client/assets/dist-DP58nQuj.js | AI (source-diff): Standard Vite/Rolldown minified client bundle; not malicious. | ai | |
| source-diff | obfuscated-file:dist/client/assets/dist-DXr9H_CI.js | AI (source-diff): Standard Vite/Rolldown minified client bundle; not malicious. | ai | |
| source-diff | obfuscated-file:dist/client/assets/dist-DyCdF_s2.js | AI (source-diff): Standard Vite/Rolldown minified client bundle; not malicious. | ai | |
| source-diff | obfuscated-file:dist/client/assets/dist-kdbCzTMg.js | AI (source-diff): Standard Vite/Rolldown minified client bundle; not malicious. | ai | |
| source-diff | obfuscated-file:dist/client/assets/dist-McE6hh4E.js | AI (source-diff): Standard Vite/Rolldown minified client bundle; not malicious. | ai | |
| source-diff | obfuscated-file:dist/client/assets/dist-N2RRhqy_.js | AI (source-diff): Standard Vite/Rolldown minified client bundle; not malicious. | ai | |
| source-diff | obfuscated-file:dist/client/assets/dist-uOmIiM1j.js | AI (source-diff): Standard Vite/Rolldown minified client bundle; not malicious. | ai | |
| source-diff | obfuscated-file:dist/client/assets/dist-v4ldl60X.js | AI (source-diff): Standard Vite/Rolldown minified client bundle; not malicious. | ai | |
| source-diff | obfuscated-file:dist/client/assets/dist-zhtf0_E3.js | AI (source-diff): Standard Vite/Rolldown minified client bundle; not malicious. | ai | |
| source-diff | obfuscated-file:dist/client/assets/index-B_3DMMfP.js | AI (source-diff): Standard Vite/Rolldown minified client bundle; not malicious. | ai | |
| source-diff | obfuscated-file:dist/client/assets/theme-CEIf0yXG.js | AI (source-diff): Standard Vite/Rolldown minified client bundle; not malicious. | ai | |
| phantom-deps | phantom-dep:puppeteer | AI (phantom-deps): puppeteer is a runtime dep used indirectly via mermaid-cli/headless rendering; stable false positive. | ai | |
| phantom-deps | phantom-dep:@commander-js/extra-typings | AI (phantom-deps): Type-only augmentation package; not directly imported but used via commander types. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): All raw-IP references are in test files asserting localhost (127.0.0.1) URLs — not production network calls. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Postinstall downloads PlantUML JAR via a named script; consistent with documented diagram-rendering functionality. | ai | |
Versions (showing 14 of 14)
| Version | Deps | Published |
|---|---|---|
| 3.10.9 | 22 / 18 | |
| 3.10.8 | 23 / 12 | |
| 3.10.7 | 23 / 12 | |
| 3.10.2 | 21 / 13 | |
| 3.9.0 | 21 / 13 | |
| 3.8.5 | 19 / 12 | |
| 3.8.2 | 19 / 12 | |
| 3.8.0 | 19 / 12 | |
| 3.6.3 | 18 / 12 | |
| 3.6.2 | 19 / 12 | |
| 3.6.1 | 19 / 12 | |
| 3.6.0 | 19 / 12 | |
| 3.5.2 | 20 / 12 | |
| 3.5.1 | 21 / 12 | |
v3.10.9
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.8
21 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (×20)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.7
21 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (×20)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.2
2 findings
Script: node scripts/download-plantuml.js
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.9.0
2 findings
Script: node scripts/download-plantuml.js
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.8.5
2 findings
Script: node scripts/download-plantuml.js
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.8.2
2 findings
Script: node scripts/download-plantuml.js
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.8.0
2 findings
Script: node scripts/download-plantuml.js
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.6.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.2
2 findings
Script: node scripts/download-plantuml.js
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.6.1
2 findings
Script: node scripts/download-plantuml.js
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.6.0
2 findings
Script: node scripts/download-plantuml.js
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.5.2
2 findings
Script: node scripts/download-plantuml.js
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.5.1
2 findings
Script: node scripts/download-plantuml.js
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.