@kitschpatrol/tldraw-cli
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/tldraw/assets/index-B4XJvc_k.js | AI (source-diff): Vite-bundled tldraw+React app asset; minification is expected for this package's embedded browser renderer. | ai | |
| source-diff | net-exec-file:dist/tldraw/assets/index-B4XJvc_k.js | AI (source-diff): Network calls are fetch() for modulepreload; dynamic execution is React's standard runtime — not dropper behavior. | ai | |
| phantom-deps | phantom-dep:plur | AI (phantom-deps): CLI tool uses plur dynamically; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:yargs | AI (phantom-deps): CLI tool uses yargs dynamically; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:nanoid | AI (phantom-deps): CLI tool uses nanoid dynamically; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:cheerio | AI (phantom-deps): CLI tool uses cheerio dynamically; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:get-port | AI (phantom-deps): CLI tool uses get-port dynamically; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:path-type | AI (phantom-deps): CLI tool uses path-type dynamically; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:pretty-ms | AI (phantom-deps): CLI tool uses pretty-ms dynamically; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:hono | AI (phantom-deps): CLI tool uses hono dynamically; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:untildify | AI (phantom-deps): CLI tool uses untildify dynamically; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:picocolors | AI (phantom-deps): CLI tool uses picocolors dynamically; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): Framework-scoped package loaded by convention; stable false positive. | ai | |
| phantom-deps | phantom-dep:natural-orderby | AI (phantom-deps): CLI tool uses natural-orderby dynamically; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@hono/node-server | AI (phantom-deps): CLI tool uses @hono/node-server dynamically; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:uint8array-extras | AI (phantom-deps): CLI tool uses uint8array-extras dynamically; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@sindresorhus/slugify | AI (phantom-deps): CLI tool uses @sindresorhus/slugify dynamically; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:puppeteer | AI (phantom-deps): CLI tool uses puppeteer dynamically; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:open | AI (phantom-deps): CLI tool uses open dynamically; stable false positive for this package. | ai |
Versions (showing 4 of 4)
| Version | Deps | Published |
|---|---|---|
| 6.0.0 | 16 / 27 | |
| 5.0.16 | 17 / 27 | |
| 5.0.15 | 17 / 26 | |
| 5.0.14 | 17 / 26 |
v6.0.0
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.15
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.14
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.