@kosdev-code/kos-dispense-sdk
Supply chain provenance
Status for the latest visible version.
Without a signed SLSA provenance attestation there is no cryptographic link between this tarball and the public source it claims to be built from; the axios compromise (March 2026) relied on exactly this gap.
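What that link consists of, as an added example (not code from this report or from the @kosdev-code project): npm provenance is an in-toto statement whose subject carries the published tarball's sha512 and whose SLSA v1 predicate names the repository, workflow and commit the build ran from. The script below decodes a constructed sample of the registry's attestations response (the package URL, repository, commit and tarball bytes are invented for the example) and checks those links. It does not verify the Sigstore signature on the envelope; `npm audit signatures` or sigstore tooling does that, so a pass here means only "the statement claims this", and an empty attestations list, as for every version on this page, means there is nothing to check at all.

```python
"""Check what an npm provenance attestation links together, offline.

Added example; not code from this report or from the @kosdev-code project.
The sample attestations document is constructed to match the shape of
  GET https://registry.npmjs.org/-/npm/v1/attestations/<name>@<version>
for a package published with `npm publish --provenance` from GitHub Actions.
Only content linkage is checked: the DSSE signature is NOT verified here
(use `npm audit signatures` or sigstore tooling for that).
"""
import base64
import hashlib
import json

SLSA_V1 = "https://slsa.dev/provenance/v1"
# Invented for the example: not a real package, repository or commit.
SAMPLE_PURL = "pkg:npm/%40example-org/example-sdk@1.0.0"
SAMPLE_REPO = "https://github.com/example-org/example-sdk"
SAMPLE_COMMIT = "0123456789abcdef0123456789abcdef01234567"


def sri_to_hex(integrity: str) -> str:
    """npm's dist.integrity is 'sha512-<base64>'; the statement uses hex."""
    algo, _, b64 = integrity.partition("-")
    if algo != "sha512":
        raise ValueError(f"unexpected SRI algorithm: {algo}")
    return base64.b64decode(b64).hex()


def check_provenance(attestations: dict, purl: str, integrity: str, expected_repo: str) -> dict:
    """Report which tarball-to-source links the SLSA statement establishes."""
    result = {"has_provenance": False, "subject_matches_tarball": False,
              "repo_matches": False, "source_commit": None, "builder": None}
    for att in attestations.get("attestations", []):
        if att.get("predicateType") != SLSA_V1:
            continue  # the registry also serves a publish attestation; skip it
        envelope = att["bundle"]["dsseEnvelope"]
        stmt = json.loads(base64.b64decode(envelope["payload"]))
        result["has_provenance"] = True
        # Link 1: subject digest == hash of the tarball you would install.
        want = sri_to_hex(integrity)
        result["subject_matches_tarball"] = any(
            s.get("name") == purl and s.get("digest", {}).get("sha512") == want
            for s in stmt.get("subject", []))
        bd = stmt["predicate"]["buildDefinition"]
        # Link 2: the workflow ran in the repository the consumer trusts.
        workflow = bd.get("externalParameters", {}).get("workflow", {})
        result["repo_matches"] = workflow.get("repository") == expected_repo
        # Link 3: the exact commit that was checked out for the build.
        for dep in bd.get("resolvedDependencies", []):
            if dep.get("uri", "").startswith("git+" + expected_repo):
                result["source_commit"] = dep.get("digest", {}).get("gitCommit")
        result["builder"] = stmt["predicate"]["runDetails"]["builder"]["id"]
    return result


def build_sample() -> tuple:
    """Constructed attestations response plus the matching dist.integrity."""
    tarball = b"constructed tarball bytes, not a real npm package"
    digest = hashlib.sha512(tarball).digest()
    integrity = "sha512-" + base64.b64encode(digest).decode()
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": SAMPLE_PURL, "digest": {"sha512": digest.hex()}}],
        "predicateType": SLSA_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
                "externalParameters": {"workflow": {
                    "ref": "refs/heads/main", "repository": SAMPLE_REPO,
                    "path": ".github/workflows/publish.yml"}},
                "resolvedDependencies": [{"uri": f"git+{SAMPLE_REPO}@refs/heads/main",
                                          "digest": {"gitCommit": SAMPLE_COMMIT}}],
            },
            "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}},
        },
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    attestations = {"attestations": [{
        "predicateType": SLSA_V1,
        "bundle": {"dsseEnvelope": {"payloadType": "application/vnd.in-toto+json",
                                    "payload": payload, "signatures": [{"sig": "<omitted>"}]}}}]}
    return attestations, integrity


if __name__ == "__main__":
    atts, integrity = build_sample()
    print(check_provenance(atts, SAMPLE_PURL, integrity, SAMPLE_REPO))
    # Every version listed on this page has no attestation at all:
    print(check_provenance({"attestations": []}, SAMPLE_PURL, integrity, SAMPLE_REPO))
```

The check fails closed in the two ways that matter for a consumer: a tarball whose hash is not in the subject gets `subject_matches_tarball: False`, and a statement built from a repository other than the one you expect gets `repo_matches: False` with no source commit, so a fork publishing under the same name cannot borrow the project's trust.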
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:pump-provider-DgkR1iwg.cjs | AI (source-diff): Standard bundler minification output; content is readable SDK domain logic, not obfuscation. | ai | |
| source-diff | obfuscated-file:pump-provider-DMGN5lvz.cjs | AI (source-diff): Standard Rollup/Vite minified CJS bundle output; readable domain logic visible in sample. | ai | |
| source-diff | obfuscated-file:extension-utils-lo_uDdh9.cjs | AI (source-diff): Standard Rollup/Vite minified CJS bundle output; readable domain logic visible in sample. | ai | |
| source-diff | obfuscated-file:dispense-registration-manager-BXNJ1hUZ.cjs | AI (source-diff): Standard Rollup/Vite minified CJS bundle output; readable domain logic visible in sample. | ai | |
| source-diff | obfuscated-file:extension-utils-CAqmOmVh.cjs | AI (source-diff): Standard Vite/Rollup minified CJS bundle output; code samples show legitimate React/KOS SDK patterns, no malicious indicators. | ai | |
| source-diff | obfuscated-file:pump-provider-C-6CuGgY.cjs | AI (source-diff): Standard Vite/Rollup minified CJS bundle output; code samples show legitimate React/KOS SDK patterns, no malicious indicators. | ai | |
| source-diff | obfuscated-file:dispense-registration-manager-DK1ePXkY.cjs | AI (source-diff): Standard Vite/Rollup minified CJS bundle output; code samples show legitimate React/KOS SDK patterns, no malicious indicators. | ai | |
| source-diff | obfuscated-file:dispense-registration-manager-DauhdXxX.cjs | AI (source-diff): Standard Rollup/Vite minified bundle with accompanying source maps; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:extension-utils-BcdtSKJM.cjs | AI (source-diff): Standard Rollup/Vite minified bundle with accompanying source maps; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:control-pour-extension-DGztqLxi.cjs | AI (source-diff): Standard Rollup/Vite minified bundle with accompanying source maps; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dispense-registration-manager-BZeOXyYn.cjs | AI (source-diff): Standard Rollup/Vite CJS bundle with source maps; code is minified SDK logic, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:extension-utils-DcOOx69a.cjs | AI (source-diff): Standard Rollup/Vite CJS bundle; code shows legitimate React hook patterns referencing internal SDK modules. | ai | |
| source-diff | obfuscated-file:pump-provider-5w04Zi8j.cjs | AI (source-diff): Standard Rollup/Vite CJS bundle; code shows React context/provider patterns for pump/nozzle models. | ai | |
| source-diff | obfuscated-file:pump-provider-DzxdPW8o.cjs | AI (source-diff): Standard Rollup/Vite CJS bundle output; content is readable domain logic, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:pump-provider-FN_syY4x.cjs | AI (source-diff): Standard Vite/Rollup minified bundle output with source maps; readable React/KOS SDK patterns in sample. | ai | |
| source-diff | obfuscated-file:extension-utils-CScCluY5.cjs | AI (source-diff): Standard Vite/Rollup minified bundle output; re-exports from sibling bundle, no obfuscation indicators. | ai | |
| source-diff | obfuscated-file:dispense-registration-manager-CjKpNrUy.cjs | AI (source-diff): Standard Vite/Rollup minified bundle output with source maps; readable domain logic visible in sample. | ai | |
| source-diff | obfuscated-file:pump-provider-2GNw1Ct_.cjs | AI (source-diff): Standard minified CJS bundle output for this SDK; consistent pattern across all versions. | ai | |
| source-diff | obfuscated-file:extension-utils-DiqbAS68.cjs | AI (source-diff): Standard minified CJS bundle output for this SDK; consistent pattern across all versions. | ai | |
| source-diff | obfuscated-file:dispense-registration-manager-DRFXN5Fe.cjs | AI (source-diff): Standard minified CJS bundle output for this SDK; consistent pattern across all versions. | ai | |
| source-diff | obfuscated-file:dispense-registration-manager-CcV-anPv.cjs | AI (source-diff): Standard Rollup/Vite minified bundle output; consistent with SDK build pattern across all versions. | ai | |
| source-diff | obfuscated-file:pump-provider-CyLiBpMN.cjs | AI (source-diff): Standard Rollup/Vite minified bundle output; consistent with SDK build pattern across all versions. | ai | |
| source-diff | obfuscated-file:extension-utils-BMU452cN.cjs | AI (source-diff): Standard Rollup/Vite minified bundle output; consistent with SDK build pattern across all versions. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Established package (172 versions, 395 days) under a consistent scoped namespace; missing description is a style issue, not a malice indicator. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Package is 395 days old with 172 versions and consistent @kosdev-code scoped branding. Missing metadata reflects a private/commercial SDK pattern, not spam or malicious intent. | ai | |
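Every acceptance in the table above turns on the same distinction: a line over 3000 characters is only a trigger, and what separates Rollup/Vite minification from deliberate obfuscation is the evidence around it (readable identifiers, a `//# sourceMappingURL=` trailer and a hash-suffixed chunk name on one side; hex-escaped string arrays, `_0x` identifiers and `eval`/`atob` on the other). The triage helper below is an added example, not code from this report or from the SDK; it applies those heuristics to two constructed files (a bundler-style chunk and an obfuscator-style one), with thresholds picked for illustration, and lets the suspicious signals take precedence so that a chunk-style filename on its own can never clear a file.

```python
"""Triage a long-line finding: minified bundle or deliberate obfuscation?

Added example; not code from this report or from the SDK. The heuristics
follow the reasons given in the accepted-risks table (readable identifiers,
source-map trailer, Rollup/Vite hash-suffixed chunk name) plus common
obfuscator fingerprints. Thresholds and both sample files are constructed.
"""
import re

LONG_LINE = 3000  # same trigger the scanner used
# Rollup/Vite chunk naming: <name>-<8-char hash>.cjs / .mjs / .js
CHUNK_NAME = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*-[A-Za-z0-9_-]{8}\.[cm]?js$")
SOURCE_MAP = re.compile(r"//[#@]\s*sourceMappingURL=\S+\.map\s*$", re.M)
ESCAPES = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
OBF_IDENT = re.compile(r"\b_0x[0-9a-fA-F]{4,}\b")  # javascript-obfuscator style names
DYNAMIC = re.compile(r"\beval\s*\(|new\s+Function\s*\(|\batob\s*\(")
IDENT = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]{3,}")
VOWEL = re.compile(r"[aeiouAEIOU]")


def triage(filename: str, text: str) -> dict:
    """Return the measured signals and a verdict for one file."""
    longest = max(len(line) for line in text.split("\n"))
    r = {"longest_line": longest, "long_line_hit": longest > LONG_LINE}
    if not r["long_line_hit"]:
        r["verdict"] = "no-long-lines"
        return r
    n = max(len(text), 1)
    r["escape_density"] = len(ESCAPES.findall(text)) * 1000 / n  # escapes per 1000 chars
    r["obfuscator_idents"] = len(set(OBF_IDENT.findall(text)))
    r["dynamic_eval"] = bool(DYNAMIC.search(text))
    r["has_source_map"] = bool(SOURCE_MAP.search(text))
    r["bundler_chunk_name"] = bool(CHUNK_NAME.match(filename))
    idents = [i for i in IDENT.findall(text) if not i.startswith("_0x")]
    r["readable_ident_ratio"] = (sum(1 for i in idents if VOWEL.search(i)) / len(idents)) if idents else 0.0
    suspicious = r["escape_density"] > 20 or r["obfuscator_idents"] >= 2 or r["dynamic_eval"]
    benign = r["has_source_map"] or r["bundler_chunk_name"] or r["readable_ident_ratio"] > 0.6
    # Suspicious signals win: a chunk-style filename must never clear a file.
    if suspicious:
        r["verdict"] = "suspect-obfuscation"
    elif benign:
        r["verdict"] = "likely-minified-bundle"
    else:
        r["verdict"] = "undetermined"
    return r


def sample_minified() -> tuple:
    """Constructed Rollup/Vite-style chunk: readable names, one long line, map trailer."""
    funcs = "".join(f"function pump{i}(e){{return e.nozzle.flowRate*{i}}}" for i in range(120))
    code = ('"use strict";const e=require("react"),t=require("./extension-utils-lo_uDdh9.cjs");'
            + funcs + "exports.PumpProvider=pump0;")
    return "pump-provider-DgkR1iwg.cjs", code + "\n//# sourceMappingURL=pump-provider-DgkR1iwg.cjs.map\n"


def sample_obfuscated() -> tuple:
    """Constructed obfuscator-style file, deliberately named like a bundler chunk."""
    words = ["".join(f"\\x{b:02x}" for b in f"segment{i}".encode()) for i in range(150)]
    body = ("var _0x1a2b=[" + ",".join(f"'{w}'" for w in words) + "];"
            "(function(_0x3c4d,_0x5e6f){while(--_0x5e6f){_0x3c4d.push(_0x3c4d.shift());}})(_0x1a2b,0x1f3);"
            "var _0x4b5c=function(_0x7d8e){return _0x1a2b[_0x7d8e];};"
            "eval(atob(_0x4b5c(0x0)));")
    return "pump-provider-Ab12Cd34.cjs", body + "\n"


if __name__ == "__main__":
    for name, text in (sample_minified(), sample_obfuscated()):
        print(name, triage(name, text)["verdict"])
```

Run over a real tarball, the verdict is a sorting aid for the reviewer, not a decision: `likely-minified-bundle` is what the table's acceptances describe and is worth a spot read of the sample, `suspect-obfuscation` should block until someone reads the decoded strings, and a source map that is referenced but not shipped in the package is itself a reason to look closer.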
Versions (showing 50 of 50)
| Version | Deps | Published |
|---|---|---|
| 3.0.4 | 2 / 0 | |
| 3.0.3 | 2 / 0 | |
| 3.0.2 | 2 / 0 | |
| 3.0.1 | 2 / 0 | |
| 3.0.0 | 2 / 0 | |
| 2.1.40 | 2 / 0 | |
| 2.1.39 | 2 / 0 | |
| 2.1.38 | 2 / 0 | |
| 2.1.35 | 1 / 0 | |
| 2.1.34 | 1 / 0 | |
| 2.1.33 | 1 / 0 | |
| 2.1.32 | 1 / 0 | |
| 2.1.31 | 1 / 0 | |
| 2.1.30 | 1 / 0 | |
| 2.1.29 | 1 / 0 | |
| 2.1.28 | 1 / 0 | |
| 2.1.27 | 1 / 0 | |
| 2.1.26 | 1 / 0 | |
| 2.1.25 | 1 / 0 | |
| 2.1.23 | 1 / 0 | |
| 2.1.4 | 1 / 0 | |
| 2.1.3 | 1 / 0 | |
| 2.1.2 | 1 / 0 | |
| 2.1.1 | 1 / 0 | |
| 2.1.0 | 1 / 0 | |
| 2.0.46 | 1 / 0 | |
| 2.0.45 | 2 / 0 | |
| 2.0.44 | 1 / 0 | |
| 2.0.43 | 1 / 0 | |
| 2.0.40 | 1 / 0 | |
| 2.0.39 | 1 / 0 | |
| 2.0.38 | 1 / 0 | |
| 2.0.31 | 1 / 0 | |
| 2.0.30 | 1 / 0 | |
| 2.0.29 | 1 / 0 | |
| 2.0.28 | 1 / 0 | |
| 2.0.27 | 1 / 0 | |
| 2.0.26 | 1 / 0 | |
| 2.0.22 | 1 / 0 | |
| 2.0.20 | 1 / 0 | |
| 2.0.17 | 1 / 0 | |
| 2.0.16 | 1 / 0 | |
| 2.0.12 | 1 / 0 | |
| 2.0.11 | 1 / 0 | |
| 2.0.10 | 1 / 0 | |
| 2.0.9 | 1 / 0 | |
| 2.0.8 | 1 / 0 | |
| 2.0.7 | 1 / 0 | |
| 2.0.6 | 1 / 0 | |
| 2.0.5 | 1 / 0 | |
v3.0.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.40
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.39
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.38
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.35
4 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.34
4 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.33
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.32
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.31
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.30
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.29
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.28
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.27
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.26
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.25
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.23
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.4
4 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.3
4 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.0
4 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.46
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.45
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.44
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.43
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.39
4 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.31
4 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.22
4 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.20
4 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.17
4 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.16
4 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.12
4 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.11
4 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.10
4 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.9
4 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.6
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.