@mermaid-js/layout-elk
ELK layout engine for mermaid
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/chunks/mermaid-layout-elk.esm/render-YC4RRCU7.mjs | AI (source-diff): Readable Vite/Rollup bundle of elkjs with source path comments intact — standard build output. SLSA provenance attestation confirms CI/CD origin. Not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/chunks/mermaid-layout-elk.esm.min/render-GJFLM4CZ.mjs | AI (source-diff): Minified ESM bundle of elkjs dependency — standard build artifact for @mermaid-js/layout-elk. SLSA provenance attestation confirms CI/CD origin. Not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/chunks/mermaid-layout-elk.esm/render-EBL3GIZP.mjs | AI (source-diff): This is a bundled elkjs (declared dependency) build artifact produced by Vite/Rollup. Long lines are standard bundler output, not obfuscation. Stable for this package. | ai | |
| source-diff | obfuscated-file:dist/chunks/mermaid-layout-elk.esm.min/render-R5FIDKA7.mjs | AI (source-diff): Minified variant of the same elkjs bundle. Standard build artifact from a declared dependency. Stable for this package. | ai | |
| source-diff | obfuscated-file:dist/chunks/mermaid-layout-elk.esm/render-2PF4B34Z.mjs | AI (source-diff): This is a legitimate minified bundle of the elkjs library, a declared dependency. The mermaid-js org routinely ships bundled dist artifacts; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/chunks/mermaid-layout-elk.esm.min/render-LWFKM4MT.mjs | AI (source-diff): Minified ESM bundle of elkjs — standard build output for this official mermaid-js layout package. SLSA provenance attestation confirms CI/CD origin. | ai | |
| source-diff | obfuscated-file:dist/chunks/mermaid-layout-elk.esm.min/render-3NUKSE6Y.mjs | AI (source-diff): Minified build artifact of elkjs (declared dependency). SLSA provenance confirmed. Long lines are from minification, not obfuscation. No malicious patterns present. | ai | |
| source-diff | obfuscated-file:dist/chunks/mermaid-layout-elk.esm/render-54EMX422.mjs | AI (source-diff): Readable bundled [email protected] library (declared dependency), wrapped in ESM shim. Source path comment confirms provenance. SLSA attestation present. | ai | |
| source-diff | obfuscated-file:dist/chunks/mermaid-layout-elk.esm/render-GEXMNTHA.mjs | AI (source-diff): This is the non-minified ESM bundle of [email protected], explicitly labeled in the source comment. Standard build artifact for this package; not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/chunks/mermaid-layout-elk.esm.min/render-27CJXKCY.mjs | AI (source-diff): This is the minified ESM build of the elkjs bundled library — standard build output for @mermaid-js/layout-elk. Not obfuscation; long lines are from minification of a known open-source dependency. | ai | |
| source-diff | obfuscated-file:dist/chunks/mermaid-layout-elk.esm.min/render-AVRWSH4D.mjs | AI (source-diff): Standard minified build artifact bundling elkjs; source maps included, SLSA provenance confirmed, no obfuscation techniques present. Expected output for this package's build pipeline. | ai | |
| source-diff | obfuscated-file:dist/chunks/mermaid-layout-elk.esm/render-DDG7AVDI.mjs | AI (source-diff): Readable ESM bundle of elkjs with clear source comments; standard Vite/Rollup build output. Source maps included, SLSA provenance confirmed. Not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/chunks/mermaid-layout-elk.esm.min/render-DDKIELPE.mjs | AI (source-diff): Minified ESM build of elkjs bundled library; long lines are from minification, not obfuscation. SLSA provenance and official mermaid-js publisher confirm legitimacy. | ai | |
| source-diff | obfuscated-file:dist/chunks/mermaid-layout-elk.esm/render-P27B6YR6.mjs | AI (source-diff): Readable ESM bundle of [email protected]; triggered on line length only. No actual obfuscation. Official @mermaid-js package with SLSA provenance. | ai | |
| source-diff | obfuscated-file:dist/chunks/mermaid-layout-elk.esm/render-W5C4KMPG.mjs | AI (source-diff): This is a legitimate Vite/Rollup bundle of elkjs (a declared dependency). Long lines are minified output, not obfuscation. SLSA provenance confirms CI/CD build origin. | ai | |
| source-diff | obfuscated-file:dist/chunks/mermaid-layout-elk.esm.min/render-YY74OMMT.mjs | AI (source-diff): Minified variant of the same elkjs bundle. Standard build artifact from the official mermaid-js org with SLSA provenance attestation. | ai | |
| source-diff | obfuscated-file:dist/chunks/mermaid-layout-elk.esm/render-BHGI7IPK.mjs | AI (source-diff): File is a standard minified bundle of [email protected] — a well-known ELK layout library. Long lines are expected minification, not malicious obfuscation. | ai | |
| provenance | publisher-changed | AI (provenance): Transition from sidv (Sidharth Vinod, listed contributor) to GitHub Actions CI publishing is a legitimate CI/CD migration, confirmed by SLSA provenance attestation. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Dormancy followed by CI/CD migration is plausible; SLSA attestation confirms legitimate provenance from the official mermaid-js repo. | ai | |
| source-diff | obfuscated-file:dist/chunks/mermaid-layout-elk.esm.min/render-T6MDALS3.mjs | AI (source-diff): File is the minified ESM variant of the elkjs bundle. Standard build artifact for this layout engine package. | ai | |
Versions (showing 12 of 12)
| Version | Deps | Published |
|---|---|---|
| 0.2.1 | 2 / 2 | |
| 0.2.0 | 2 / 2 | |
| 0.1.9 | 2 / 2 | |
| 0.1.8 | 2 / 2 | |
| 0.1.7 | 2 / 2 | |
| 0.1.6 | 2 / 2 | |
| 0.1.5 | 2 / 2 | |
| 0.1.4 | 2 / 2 | |
| 0.1.3 | 2 / 2 | |
| 0.1.2 | 2 / 2 | |
| 0.1.1 | 2 / 2 | |
| 0.1.0 | 2 / 2 | |
v0.2.1
4 findings
This version was published by a different npm account than previous versions on 2026-03-09. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.9
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.8
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.7
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.6
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.5
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.4
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.3
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.