
@lm_fe/components_m

Versions: 11
License: (value not shown on this page)
Install scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

Status badges:
- No SLSA provenance
- npm registry signatures
- gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

noah1999

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/a_chunks/modals.entries.子痫前期风险评估表.js | AI (source-diff): Standard Rollup/Babel minified output; imports are legible and reference known packages only. | ai | |
| source-diff | obfuscated-file:dist/a_chunks/modals.entries.预警提醒_高危快讯.js | AI (source-diff): Standard Rollup/Babel minified output; imports are legible and reference known packages only. | ai | |
| source-diff | obfuscated-file:dist/a_chunks/modals.entries.高危因素管理.js | AI (source-diff): Standard Rollup/Babel minified output; imports are legible and reference known packages only. | ai | |
| source-diff | obfuscated-file:dist/a_chunks/components_m.src.MyForm.js | AI (source-diff): File is Babel-transpiled output with readable helper imports, not obfuscated; expected for this rollup-built component library. | ai | |
| dependencies | unvetted-dep:@lm_fe/provoke | AI (dependencies): Same org scope as this package; consistent with internal monorepo dependency. | ai | |
| provenance | no-provenance | AI (provenance): Internal org package; no provenance is consistent with all prior versions in this scope. | ai | |
| phantom-deps | phantom-dep:@lm_fe/scripts | AI (phantom-deps): Same-org build tooling dep; phantom detection is a stable false positive here. | ai | |
| phantom-deps | phantom-dep:quill | AI (phantom-deps): quill is a peer/config-level dep for react-quill; not being directly imported is expected. | ai | |
| phantom-deps | phantom-dep:echarts | AI (phantom-deps): echarts referenced in config/wrapper pattern; stable false positive for this component library. | ai | |
| phantom-deps | phantom-dep:history | AI (phantom-deps): history is a peer dep for routing; not being directly imported is expected in a component library. | ai | |
| phantom-deps | phantom-dep:qrcode.react | AI (phantom-deps): Component library wrapping qrcode.react; config-level reference is the expected pattern. | ai | |

Versions (showing 11 of 11)

| Version | Deps | Published |
|---|---|---|
| 0.2.12 | 6 / 7 | |
| 0.2.11 | 6 / 7 | |
| 0.2.10 | 6 / 7 | |
| 0.2.8 | 6 / 7 | |
| 0.2.7 | 6 / 7 | |
| 0.2.6 | 6 / 7 | |
| 0.2.5 | 6 / 7 | |
| 0.2.2 | 6 / 7 | |
| 0.1.211 | 15 / 4 | |
| 0.1.210 | 15 / 4 | |
| 0.1.209 | 15 / 4 | |

v0.2.11

1 finding
INFO: No provenance attestation (rule: provenance)

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.10

1 finding
INFO: No provenance attestation (rule: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.8

1 finding
INFO: No provenance attestation (rule: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.7

1 finding
INFO: No provenance attestation (rule: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.6

2 findings
HIGH: New obfuscated file: dist/a_chunks/components_m.src.MyForm.js (rule: source-diff)

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO: No provenance attestation (rule: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.5

1 finding
INFO: No provenance attestation (rule: provenance)

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.2

1 finding
INFO: No provenance attestation (rule: provenance)

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.210

4 findings
HIGH: New obfuscated file: dist/a_chunks/modals.entries.子痫前期风险评估表.js (rule: source-diff)

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH: New obfuscated file: dist/a_chunks/modals.entries.预警提醒_高危快讯.js (rule: source-diff)

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH: New obfuscated file: dist/a_chunks/modals.entries.高危因素管理.js (rule: source-diff)

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO: No provenance attestation (rule: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.209

4 findings
HIGH: New obfuscated file: dist/a_chunks/modals.entries.子痫前期风险评估表.js (rule: source-diff)

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH: New obfuscated file: dist/a_chunks/modals.entries.预警提醒_高危快讯.js (rule: source-diff)

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH: New obfuscated file: dist/a_chunks/modals.entries.高危因素管理.js (rule: source-diff)

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO: No provenance attestation (rule: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.