@microsoft/sp-webpart-base

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

microsoft1esmicrosoft-oss-releasesodspnpm

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:dist/sp-webpart-base_default_fc7ac4f07220c58b8441.js	AI (source-diff): Standard minified SPFx AMD bundle; readable feature-flag logic, not obfuscation.	ai	2026/05/13
source-diff	net-exec-file:dist/sp-webpart-base_default_fc7ac4f07220c58b8441.js	AI (source-diff): AMD define() loader pattern in SPFx bundle; not dropper/loader malware.	ai	2026/05/13
source-diff	obfuscated-file:dist/sp-webpart-base_en-us_38b9923fb00e2c09f107.js	AI (source-diff): Standard minified SPFx locale bundle; same pattern as default bundle.	ai	2026/05/13
source-diff	net-exec-file:dist/sp-webpart-base_en-us_38b9923fb00e2c09f107.js	AI (source-diff): AMD define() loader pattern in SPFx locale bundle; not malicious.	ai	2026/05/13
source-diff	obfuscated-file:dist/sp-webpart-base_qps-ploc_d565f8e4d5b1eb2a65c6.js	AI (source-diff): Standard minified SPFx pseudo-locale bundle; same benign pattern.	ai	2026/05/13
source-diff	net-exec-file:dist/sp-webpart-base_qps-ploc_d565f8e4d5b1eb2a65c6.js	AI (source-diff): AMD define() loader pattern in SPFx pseudo-locale bundle; not malicious.	ai	2026/05/13
source-diff	obfuscated-file:dist/sp-webpart-base_qps-ploca_4283218dd8fa3634449e.js	AI (source-diff): Standard minified SPFx pseudo-locale bundle; same benign pattern.	ai	2026/05/13
source-diff	net-exec-file:dist/sp-webpart-base_qps-ploca_4283218dd8fa3634449e.js	AI (source-diff): AMD define() loader pattern in SPFx pseudo-locale bundle; not malicious.	ai	2026/05/13
maintainer-change	maintainer-added	AI (maintainer-change): microsoft-oss-releases is a known Microsoft OSS automation account; expected for this org.	ai	2026/05/13
dependencies	unvetted-dep:@microsoft/sp-module-interfaces	AI (dependencies): Co-versioned Microsoft SPFx sibling package; expected dependency pattern for this SDK.	ai	2026/05/01
dependencies	unvetted-dep:@microsoft/teams-js-v2	AI (dependencies): Microsoft Teams JS SDK aliased dependency; expected for SPFx Teams integration.	ai	2026/05/01
dependencies	unvetted-dep:@fluentui/react	AI (dependencies): Official Microsoft Fluent UI library; standard dependency for Microsoft SPFx packages.	ai	2026/05/01
dependencies	unvetted-dep:@types/office-js	AI (dependencies): Official Office.js type definitions; expected for Microsoft SPFx SDK.	ai	2026/05/01
phantom-deps	phantom-dep:react	AI (phantom-deps): React is a peer dependency used by SPFx framework consumers; phantom-dep heuristic false positive.	ai	2026/05/01
dependencies	unvetted-dep:@microsoft/sp-http	AI (dependencies): Co-versioned Microsoft SPFx sibling package; expected dependency pattern for this SDK.	ai	2026/05/01
phantom-deps	phantom-dep:@swc/helpers	AI (phantom-deps): Known implicit runtime dependency for SWC transpilation; expected pattern.	ai	2026/05/01
phantom-deps	phantom-dep:@fluentui/react	AI (phantom-deps): Used via config/type references in SPFx framework; phantom-dep heuristic false positive.	ai	2026/05/01
phantom-deps	phantom-dep:@types/office-js	AI (phantom-deps): Framework-scoped type package loaded by convention; phantom-dep heuristic false positive.	ai	2026/05/01
bogus-package	bogus-package	AI (bogus-package): Legitimate Microsoft SDK component; sparse README and no keywords are common for internal SDK packages.	ai	2026/05/01
phantom-deps	phantom-dep:react-dom	AI (phantom-deps): React-dom is a peer dependency used by SPFx framework consumers; phantom-dep heuristic false positive.	ai	2026/05/01
dependencies	unvetted-dep:@microsoft/sp-loader	AI (dependencies): Co-versioned Microsoft SPFx sibling package; expected dependency pattern for this SDK.	ai	2026/05/01
dependencies	unvetted-dep:@microsoft/sp-http-base	AI (dependencies): Co-versioned Microsoft SPFx sibling package; expected dependency pattern for this SDK.	ai	2026/05/01
dependencies	unvetted-dep:@microsoft/sp-diagnostics	AI (dependencies): Co-versioned Microsoft SPFx sibling package; expected dependency pattern for this SDK.	ai	2026/05/01
dependencies	unvetted-dep:@microsoft/sp-core-library	AI (dependencies): Co-versioned Microsoft SPFx sibling package; expected dependency pattern for this SDK.	ai	2026/05/01
dependencies	unvetted-dep:@microsoft/sp-page-context	AI (dependencies): Co-versioned Microsoft SPFx sibling package; expected dependency pattern for this SDK.	ai	2026/05/01
dependencies	unvetted-dep:@microsoft/sp-lodash-subset	AI (dependencies): Co-versioned Microsoft SPFx sibling package; expected dependency pattern for this SDK.	ai	2026/05/01
dependencies	unvetted-dep:@microsoft/sp-property-pane	AI (dependencies): Co-versioned Microsoft SPFx sibling package; expected dependency pattern for this SDK.	ai	2026/05/01
dependencies	unvetted-dep:@microsoft/sp-component-base	AI (dependencies): Co-versioned Microsoft SPFx sibling package; expected dependency pattern for this SDK.	ai	2026/05/01

Versions (showing 5 of 5)

Version	Deps	Published
1.23.0	18 / 16	2026-05-13
1.22.2	18 / 16	2026-01-28
1.22.1	18 / 16	2025-12-15
1.22.0	18 / 16	2025-12-10
1.21.1	18 / 14	2025-05-03

v1.23.0

9 findings

HIGH New obfuscated file: dist/sp-webpart-base_default_fc7ac4f07220c58b8441.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/sp-webpart-base_default_fc7ac4f07220c58b8441.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: dist/sp-webpart-base_en-us_38b9923fb00e2c09f107.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/sp-webpart-base_en-us_38b9923fb00e2c09f107.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: dist/sp-webpart-base_qps-ploc_d565f8e4d5b1eb2a65c6.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/sp-webpart-base_qps-ploc_d565f8e4d5b1eb2a65c6.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: dist/sp-webpart-base_qps-ploca_4283218dd8fa3634449e.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/sp-webpart-base_qps-ploca_4283218dd8fa3634449e.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.22.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.22.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.21.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.