@milaboratories/milaboratories.pool-explorer.ui
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/assets/index-DD1HkdiF.js | AI (source-diff): Network/eval patterns are from bundled Monaco Editor and Vite lazy-loading; not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DD1HkdiF.js | AI (source-diff): Standard Vite minified bundle with __vite__mapDeps header; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/index-CMJr52Qu.js | AI (source-diff): Vite-bundled frontend output; minification is expected for this UI package. | ai | |
| source-diff | net-exec-file:dist/assets/index-CMJr52Qu.js | AI (source-diff): Network calls and dynamic module loading are standard in Vite-bundled browser UI code. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BGuETDM2.js | AI (source-diff): Standard Vite-minified frontend bundle; __vite__mapDeps pattern confirms legitimate build output. | ai | |
| source-diff | net-exec-file:dist/assets/index-BGuETDM2.js | AI (source-diff): Network/exec pattern in Vite bundle is from bundled browser UI code, not a dropper. | ai | |
| source-diff | obfuscated-file:dist/assets/index-Rbu4iQVJ.js | AI (source-diff): Standard Vite-minified frontend bundle; __vite__mapDeps pattern confirms legitimate build output. | ai | |
| source-diff | net-exec-file:dist/assets/index-Rbu4iQVJ.js | AI (source-diff): Network calls and dynamic imports in Vite bundle are normal SPA behavior, not dropper/loader malware. | ai | |
| source-diff | net-exec-file:dist/assets/index-BRzeflgw.js | AI (source-diff): Dynamic imports via __vite__mapDeps are standard Vite code-splitting, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BRzeflgw.js | AI (source-diff): Vite-minified frontend bundle; consistent with this package's build toolchain across all versions. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DYmEQX34.js | AI (source-diff): Standard Vite-bundled frontend output; minification is expected for this UI package. | ai | |
| source-diff | net-exec-file:dist/assets/index-DYmEQX34.js | AI (source-diff): Network calls and dynamic code in a browser UI bundle are normal; no dropper pattern present. | ai | |
| source-diff | net-exec-file:dist/assets/index-DYDwzEIM.js | AI (source-diff): Network calls and dynamic imports are standard browser UI bundle patterns (Vite lazy chunks); not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DYDwzEIM.js | AI (source-diff): Vite-bundled frontend output; minification is expected for this UI package across all versions. | ai | |
| source-diff | obfuscated-file:dist/assets/index-CXkchmsW.js | AI (source-diff): Standard Vite-minified browser bundle; __vite__mapDeps pattern confirms legitimate build output. | ai | |
| source-diff | net-exec-file:dist/assets/index-CXkchmsW.js | AI (source-diff): Network/exec pattern in a Vite browser bundle is expected for a UI package; not a dropper. | ai | |
| source-diff | obfuscated-file:dist/assets/index-R3zz1ugD.js | AI (source-diff): Vite-minified frontend bundle; minification is expected for this UI package across all versions. | ai | |
| source-diff | net-exec-file:dist/assets/index-R3zz1ugD.js | AI (source-diff): Network calls and dynamic imports in a Vite UI bundle are normal browser-side patterns, not dropper behavior. | ai | |
| source-diff | net-exec-file:dist/assets/index-H_URZ9rT.js | AI (source-diff): Network calls and dynamic imports are normal in a Vite-built browser UI bundle; no dropper behavior present. | ai | |
| source-diff | obfuscated-file:dist/assets/index-H_URZ9rT.js | AI (source-diff): Standard Vite-bundled frontend output; minification is expected for this UI package. | ai | |
| source-diff | net-exec-file:dist/assets/index-BZvn3uJ2.js | AI (source-diff): Browser UI bundle; network calls and dynamic imports are normal for a frontend app, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BZvn3uJ2.js | AI (source-diff): Standard Vite minified bundle output; consistent with this UI package's build toolchain across all versions. | ai | |
| source-diff | obfuscated-file:dist/assets/index-7EUeWFwW.js | AI (source-diff): Standard Vite-bundled frontend asset; minification is expected for this UI package. | ai | |
| source-diff | net-exec-file:dist/assets/index-7EUeWFwW.js | AI (source-diff): Network calls and dynamic module loading are normal in a Vite-built browser UI bundle. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BcSCXPcF.js | AI (source-diff): Standard Vite-minified frontend bundle; __vite__mapDeps pattern confirms build tooling output, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/assets/index-BcSCXPcF.js | AI (source-diff): Network+exec pattern in a browser UI bundle is expected (dynamic imports, fetch for UI data); no dropper indicators. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DB_hanrY.js | AI (source-diff): Standard Vite-minified frontend bundle; __vite__mapDeps pattern is normal build output for this package. | ai | |
| source-diff | net-exec-file:dist/assets/index-DB_hanrY.js | AI (source-diff): Network calls and dynamic module loading are expected in a Vite-bundled UI block; not dropper behavior. | ai | |
| provenance | no-provenance | AI (provenance): No provenance across all 305 versions; publisher has strong approval track record. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Internal scoped package in a large monorepo; missing description is a stable pattern across all versions. | ai | |
| source-diff | net-exec-file:dist/assets/index-B1iiGfbt.js | AI (source-diff): Network calls and dynamic imports in a Vite browser bundle are expected UI behavior, not dropper/loader malware. | ai | |
| source-diff | obfuscated-file:dist/assets/index-B1iiGfbt.js | AI (source-diff): Standard Vite-minified frontend bundle; not obfuscated malware. Stable pattern for this UI package. | ai | |
| source-diff | obfuscated-file:dist/assets/index-CvByaSai.js | AI (source-diff): Standard Vite-minified frontend bundle with source map; not obfuscation. | ai | |
| source-diff | net-exec-file:dist/assets/index-CvByaSai.js | AI (source-diff): Network/exec pattern is from Vite's dynamic import mechanism, not malware. | ai | |
| source-diff | net-exec-file:dist/assets/index-xcoZM2vZ.js | AI (source-diff): Dynamic module loading via __vite__mapDeps is standard Vite lazy-loading, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/assets/index-xcoZM2vZ.js | AI (source-diff): Vite-bundled browser UI asset; minification is expected for this package's build output. | ai | |
| source-diff | net-exec-file:dist/assets/index-C56L_R4j.js | AI (source-diff): Network calls and dynamic imports are expected in a Vite-bundled browser UI; not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/assets/index-C56L_R4j.js | AI (source-diff): Standard Vite-minified frontend bundle; consistent pattern across all versions of this UI package. | ai | |
| source-diff | net-exec-file:dist/assets/index-CIxc5p_e.js | AI (source-diff): Network calls and dynamic imports are standard in Vite-built SPA bundles; not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/assets/index-CIxc5p_e.js | AI (source-diff): Vite-bundled frontend output; minification is expected for this UI package across all versions. | ai | |
| source-diff | net-exec-file:dist/assets/index-DscHpug5.js | AI (source-diff): Network calls and dynamic imports are normal browser-side behavior in a Vite-bundled UI package. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DscHpug5.js | AI (source-diff): Standard Vite-minified frontend bundle; this package always ships bundled UI assets. | ai | |
| phantom-deps | phantom-dep:monaco-editor | AI (phantom-deps): monaco-editor is declared as a runtime dep and referenced in config; phantom-dep heuristic fires but this is a known build-time config pattern. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Internal scoped package in a large family (282 versions); missing metadata is expected for private/internal packages. | ai | |
Versions (showing 46 of 46)
| Version | Deps | Published |
|---|---|---|
| 1.3.22 | 5 / 5 | |
| 1.3.21 | 5 / 5 | |
| 1.3.20 | 5 / 5 | |
| 1.3.19 | 5 / 5 | |
| 1.3.18 | 5 / 5 | |
| 1.3.17 | 5 / 5 | |
| 1.3.16 | 5 / 5 | |
| 1.3.15 | 5 / 5 | |
| 1.3.14 | 5 / 5 | |
| 1.3.13 | 5 / 5 | |
| 1.3.12 | 5 / 5 | |
| 1.3.11 | 5 / 5 | |
| 1.3.10 | 5 / 5 | |
| 1.3.9 | 5 / 5 | |
| 1.3.7 | 5 / 5 | |
| 1.3.6 | 5 / 5 | |
| 1.3.5 | 5 / 5 | |
| 1.3.4 | 5 / 5 | |
| 1.3.3 | 5 / 5 | |
| 1.3.2 | 5 / 5 | |
| 1.3.1 | 5 / 5 | |
| 1.3.0 | 5 / 5 | |
| 1.2.31 | 5 / 5 | |
| 1.2.30 | 5 / 5 | |
| 1.2.28 | 5 / 5 | |
| 1.2.27 | 5 / 5 | |
| 1.2.26 | 5 / 5 | |
| 1.2.25 | 5 / 5 | |
| 1.2.24 | 5 / 5 | |
| 1.2.23 | 5 / 5 | |
| 1.2.22 | 5 / 5 | |
| 1.2.21 | 5 / 5 | |
| 1.2.19 | 5 / 5 | |
| 1.2.18 | 5 / 5 | |
| 1.2.17 | 5 / 5 | |
| 1.2.16 | 5 / 5 | |
| 1.2.15 | 5 / 5 | |
| 1.2.14 | 5 / 5 | |
| 1.2.13 | 5 / 5 | |
| 1.2.12 | 5 / 5 | |
| 1.2.11 | 5 / 5 | |
| 1.2.10 | 5 / 5 | |
| 1.2.9 | 5 / 5 | |
| 1.2.8 | 5 / 5 | |
| 1.2.7 | 5 / 5 | |
| 1.2.6 | 5 / 5 | |
v1.3.22
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.21
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.20
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.19
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.18
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.17
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.16
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.15
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.14
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.13
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.12
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.11
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.10
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.9
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.7
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.6
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.5
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.4
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.3
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.2
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.1
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.31
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.28
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.27
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.26
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.25
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.24
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.23
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.22
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.21
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.19
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.18
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.17
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.16
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.15
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.14
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.13
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.12
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.11
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.10
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.9
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.8
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.7
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.6
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.