@likec4/core — Greenflagged

A core package for LikeC4, containing types, api, utilities and guards.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

davydkov

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:dist/shared/core.Ddua-wiI.d.mts	AI (source-diff): Bundled TypeScript declaration file; long lines are from type exports, not obfuscation.	ai	2026/05/12
source-diff	obfuscated-file:dist/shared/core.RnUJywKk.mjs	AI (source-diff): Standard minified ESM build chunk from unbuild; pattern is stable across all versions of this package.	ai	2026/05/12
source-diff	obfuscated-file:dist/shared/core.Bpou6c2f.d.mts	AI (source-diff): TypeScript declaration file with long import lines from bundler; not obfuscated.	ai	2026/05/12
source-diff	obfuscated-file:dist/shared/core.D-ZGWDDt.d.mts	AI (source-diff): TypeScript declaration file with long import lines from bundler; not obfuscated.	ai	2026/05/12
source-diff	obfuscated-file:dist/shared/core.aWJgARyY.d.mts	AI (source-diff): Bundled TypeScript declaration file with long import lines; not obfuscated.	ai	2026/05/12
source-diff	obfuscated-file:dist/shared/core.B65NlqR_.d.mts	AI (source-diff): TypeScript declaration file with long import lines from bundler; not obfuscated.	ai	2026/05/12
source-diff	obfuscated-file:dist/shared/core.BB6zA-UU.mjs	AI (source-diff): Standard unbuild/rollup bundle chunk; samples show readable library code, not obfuscation.	ai	2026/05/12
source-diff	obfuscated-file:dist/shared/core.D0NziuvN.mjs	AI (source-diff): Standard bundler chunk output with hash-named files; readable imports and known library code visible in sample.	ai	2026/05/12
source-diff	obfuscated-file:dist/shared/core.DxDn5nB5.d.mts	AI (source-diff): TypeScript declaration file with long lines from complex generics; not obfuscated.	ai	2026/05/12
source-diff	obfuscated-file:dist/shared/core.HUONfQfd.mjs	AI (source-diff): Bundler-generated chunk; sample shows normal CJS-interop helper code.	ai	2026/05/12
source-diff	obfuscated-file:dist/shared/core.BlwZ4tBa.mjs	AI (source-diff): Bundler-generated chunk with hash suffix; content is readable ESM, not obfuscated.	ai	2026/05/12
source-diff	obfuscated-file:dist/shared/core.DFi2dOTl.mjs	AI (source-diff): Rollup/Vite chunk output with readable code; minification is expected for this bundled library.	ai	2026/05/12
source-diff	obfuscated-file:dist/shared/core.C8YY6Uub.mjs	AI (source-diff): Rollup/Vite chunk output with readable code; minification is expected for this bundled library.	ai	2026/05/12
source-diff	obfuscated-file:dist/shared/core.DDynPqbh.mjs	AI (source-diff): Standard Rollup/unbuild chunk output; long lines are minified but readable JS, no encoded payloads.	ai	2026/05/12
source-diff	obfuscated-file:dist/shared/core.1pNeDdRk.d.mts	AI (source-diff): TypeScript declaration file with long lines from bundled type exports; not obfuscated.	ai	2026/05/12
phantom-deps	phantom-dep:rehype-format	AI (phantom-deps): rehype-format is a declared runtime dep used transitively in the unified pipeline; phantom-dep heuristic false positive.	ai	2026/05/12
source-diff	obfuscated-file:dist/shared/core.IWLie-Ma.d.mts	AI (source-diff): Bundled TypeScript declaration file with long lines; normal for generated .d.mts output from unbuild.	ai	2026/05/12
source-diff	obfuscated-file:dist/shared/core.PqNe5WxQ.mjs	AI (source-diff): Standard rollup/unbuild chunk output with hash in filename; not obfuscated, just minified bundler output.	ai	2026/05/12
source-diff	obfuscated-file:dist/shared/core.CtKXPqN_.mjs	AI (source-diff): Standard rollup/unbuild chunk output with hash in filename; not obfuscated, just minified bundler output.	ai	2026/05/12
source-diff	obfuscated-file:dist/shared/core.btEq3i3f.mjs	AI (source-diff): Long lines are minified bundle output (readable library code); not obfuscation. Stable pattern for this package's dist artifacts.	ai	2026/05/06
source-diff	obfuscated-file:dist/_chunks/geometry.mjs	AI (source-diff): Minified geometry utility code; no malicious indicators.	ai	2026/05/06
source-diff	obfuscated-file:dist/_chunks/manual-layout.mjs	AI (source-diff): Minified internal layout module; no malicious indicators.	ai	2026/05/06
source-diff	obfuscated-file:dist/_chunks/model.mjs	AI (source-diff): Minified internal model module; no malicious indicators.	ai	2026/05/06
source-diff	obfuscated-file:dist/_chunks/types.mjs	AI (source-diff): Minified internal types module; no malicious indicators.	ai	2026/05/06
source-diff	obfuscated-file:dist/_chunks/libs/unified.mjs	AI (source-diff): Minified unified lib; legitimate remark/rehype ecosystem.	ai	2026/05/06
source-diff	obfuscated-file:dist/_chunks/libs/mnemonist.mjs	AI (source-diff): Bundled mnemonist library; standard minified output.	ai	2026/05/06
source-diff	obfuscated-file:dist/_chunks/Builder.view-element.mjs	AI (source-diff): Standard rolldown/bundler minified output; not obfuscated malware.	ai	2026/05/06
source-diff	obfuscated-file:dist/_chunks/calcDriftsFromSnapshot.mjs	AI (source-diff): Standard bundler minified output.	ai	2026/05/06
source-diff	obfuscated-file:dist/_chunks/libs/character-entities.mjs	AI (source-diff): HTML character entity table — minified data file, not obfuscated code.	ai	2026/05/06
source-diff	obfuscated-file:dist/_chunks/libs/@mantine/colors-generator.mjs	AI (source-diff): Bundled @mantine/colors-generator library; minified, not malicious.	ai	2026/05/06
source-diff	obfuscated-file:dist/_chunks/libs/@radix-ui/colors.mjs	AI (source-diff): Bundled @radix-ui/colors data; minified color palette, not malicious.	ai	2026/05/06
source-diff	obfuscated-file:dist/_chunks/libs/graphology-dag.mjs	AI (source-diff): Bundled graphology-dag library; standard minified output.	ai	2026/05/06
source-diff	obfuscated-file:dist/_chunks/libs/graphology.mjs	AI (source-diff): Bundled graphology library; standard minified output.	ai	2026/05/06
source-diff	obfuscated-file:dist/_chunks/guards.mjs	AI (source-diff): Package's own bundled guards module; standard minified output.	ai	2026/05/06
source-diff	obfuscated-file:dist/_chunks/libs/hast-util-sanitize.mjs	AI (source-diff): Bundled hast-util-sanitize; standard minified output.	ai	2026/05/06
source-diff	obfuscated-file:dist/_chunks/libs/hast-util-to-html.mjs	AI (source-diff): Bundled hast-util-to-html; standard minified output.	ai	2026/05/06
source-diff	obfuscated-file:dist/_chunks/libs/mdast-util-find-and-replace.mjs	AI (source-diff): Bundled mdast utility; standard minified output.	ai	2026/05/06
source-diff	obfuscated-file:dist/_chunks/libs/mdast-util-from-markdown.mjs	AI (source-diff): Bundled mdast utility; standard minified output.	ai	2026/05/06
source-diff	obfuscated-file:dist/_chunks/libs/mdast-util-gfm.mjs	AI (source-diff): Bundled mdast utility; standard minified output.	ai	2026/05/06
source-diff	obfuscated-file:dist/_chunks/libs/mdast-util-to-hast.mjs	AI (source-diff): Bundled mdast utility; standard minified output.	ai	2026/05/06
source-diff	obfuscated-file:dist/_chunks/libs/micromark-extension-gfm.mjs	AI (source-diff): Bundled micromark extension; standard minified output.	ai	2026/05/06
source-diff	obfuscated-file:dist/_chunks/libs/ohash.mjs	AI (source-diff): Bundled ohash library; standard minified output.	ai	2026/05/06
source-diff	obfuscated-file:dist/_chunks/libs/remeda.mjs	AI (source-diff): Bundled remeda utility library; standard minified output.	ai	2026/05/06
source-diff	obfuscated-file:dist/_chunks/RichText.mjs	AI (source-diff): Package's own bundled module; standard minified output.	ai	2026/05/06
source-diff	obfuscated-file:dist/_chunks/to-text.mjs	AI (source-diff): Package's own bundled module; standard minified output.	ai	2026/05/06
provenance	publisher-changed	AI (provenance): Transition to GitHub Actions CI/CD publishing is confirmed by SLSA provenance attestation; stable pattern for this package going forward.	ai	2026/05/06
typosquat	typosquat.levenshtein:cors	AI (typosquat): @likec4/core is a scoped package in the likec4 ecosystem, not a typosquat of cors; edit-distance match is coincidental.	ai	2026/04/30
phantom-deps	phantom-dep:immer	AI (phantom-deps): Declared in config files; stable false positive for this package.	ai	2026/04/30
phantom-deps	phantom-dep:zod	AI (phantom-deps): Declared in config files; stable false positive for this package.	ai	2026/04/30

Versions (showing 40 of 40)

Version	Deps	Published
1.58.0	3 / 42	2026-06-05
1.57.0	3 / 42	2026-05-22
1.56.0	3 / 42	2026-04-28
1.55.1	3 / 42	2026-04-15
1.55.0	3 / 42	2026-04-13
1.54.0	3 / 42	2026-04-07
1.53.0	3 / 42	2026-03-20
1.51.0	3 / 42	2026-03-04
1.50.0	3 / 42	2026-02-21
1.49.0	3 / 42	2026-02-13
1.48.0	4 / 40	2026-01-27
1.47.0	1 / 40	2026-01-04
1.46.4	1 / 39	2025-12-20
1.46.3	1 / 39	2025-12-19
1.46.2	1 / 39	2025-12-18
1.46.0	1 / 39	2025-12-09
1.45.0	1 / 39	2025-11-23
1.44.0	1 / 39	2025-11-10
1.43.0	1 / 38	2025-10-25
1.42.1	1 / 38	2025-10-07
1.42.0	1 / 38	2025-09-30
1.41.0	15 / 22	2025-09-16
1.40.0	15 / 22	2025-09-14
1.39.5	15 / 22	2025-09-11
1.39.4	15 / 22	2025-09-10
1.39.3	15 / 22	2025-09-09
1.39.2	15 / 22	2025-09-08
1.39.1	15 / 22	2025-09-06
1.39.0	15 / 22	2025-09-05
1.36.1	13 / 24	2025-08-08
1.36.0	13 / 24	2025-08-08
1.35.0	11 / 26	2025-08-02
1.34.2	11 / 25	2025-07-01
1.34.1	11 / 25	2025-07-01
1.34.0	11 / 25	2025-07-01
1.33.0	11 / 25	2025-06-25
1.32.2	1 / 20	2025-06-16
1.32.1	1 / 20	2025-06-12
1.32.0	1 / 20	2025-06-10
1.31.0	1 / 20	2025-05-25

v1.58.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.57.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.56.0

2 findings

HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@likec4/core' is 1 edit(s) away from popular package 'cors'.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.55.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.55.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.54.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.53.0

24 findings

HIGH Publisher changed: davydkov → GitHub Actions (on 2026-03-20) provenance

This version was published by a different npm account than previous versions on 2026-03-20. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New obfuscated file: dist/_chunks/Builder.view-element.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/_chunks/libs/character-entities.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/_chunks/libs/@mantine/colors-generator.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/_chunks/libs/@radix-ui/colors.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/_chunks/geometry.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/_chunks/libs/graphology-dag.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/_chunks/libs/graphology.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/_chunks/libs/hast-util-sanitize.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/_chunks/libs/hast-util-to-html.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/_chunks/manual-layout.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/_chunks/libs/mdast-util-from-markdown.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/_chunks/libs/mdast-util-gfm.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/_chunks/libs/mdast-util-to-hast.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/_chunks/libs/micromark-extension-gfm.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/_chunks/libs/mnemonist.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/_chunks/model.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/_chunks/libs/ohash.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/_chunks/libs/remeda.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/_chunks/types.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/_chunks/libs/unified.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/_chunks/utils.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/_chunks/index.d.mts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.51.0

24 findings

HIGH Publisher changed: davydkov → GitHub Actions (on 2026-03-04) provenance

This version was published by a different npm account than previous versions on 2026-03-04. This could indicate a legitimate maintainer transition or an account compromise.