← Home

@module-federation/bridge-react

npm Repository Homepage
22
Versions
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

zackljacksonhealshawzhougioboa

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff net-exec-file:dist/lazy-load-component-plugin-DozDrfqb.js AI (source-diff): Module Federation lazy-load plugin internals; network+exec pattern is the framework's data-fetch mechanism, not malware. ai
source-diff net-exec-file:dist/prefetch-BzfBW4fX.js AI (source-diff): Prefetch utility for MF data fetching; legitimate framework code, not a dropper. ai
source-diff net-exec-file:dist/prefetch-C8qqTz8_.mjs AI (source-diff): ESM variant of prefetch utility; legitimate MF framework internals. ai
source-diff net-exec-file:dist/lazy-load-component-plugin-BoFzraQv.mjs AI (source-diff): ESM variant of the lazy-load plugin; same legitimate framework pattern. ai
source-diff net-exec-file:dist/lazy-load-component-plugin-B3GJRx1-.mjs AI (source-diff): ESM variant of the lazy-load plugin; same benign pattern as the CJS counterpart. ai
source-diff net-exec-file:dist/lazy-load-component-plugin-8zeSnzyV.js AI (source-diff): Module Federation's lazy-load plugin; script injection is the documented remote module loading mechanism. ai
source-diff net-exec-file:dist/prefetch-DVsz9M2C.js AI (source-diff): Module Federation prefetch helper; createScript is the standard federated module loader pattern. ai
source-diff net-exec-file:dist/prefetch-zNZ70qRm.mjs AI (source-diff): ESM variant of prefetch helper; same benign script-injection pattern for remote module loading. ai
source-diff net-exec-file:dist/lazy-load-component-plugin-C7jasFos.js AI (source-diff): Legitimate MF lazy-load plugin; network calls are data-fetch prefetch, not exfiltration. ai
source-diff net-exec-file:dist/prefetch-DMJyBeIs.mjs AI (source-diff): ESM variant of MF prefetch utility; benign data-fetch pattern. ai
source-diff net-exec-file:dist/lazy-load-component-plugin-CrSLH5YP.mjs AI (source-diff): ESM variant of legitimate MF lazy-load plugin; same benign pattern. ai
source-diff net-exec-file:dist/prefetch-CFRpPfZQ.js AI (source-diff): MF prefetch utility; network+exec pattern is standard module federation data loading. ai
source-diff net-exec-file:dist/lazy-load-component-plugin-ZC6dhtcT.js AI (source-diff): Module Federation lazy-load plugin legitimately injects script tags for remote module loading; not malware. ai
source-diff net-exec-file:dist/prefetch-CFKA0dZg.mjs AI (source-diff): ESM variant of prefetch helper; same legitimate MF remote-loading pattern. ai
source-diff net-exec-file:dist/lazy-load-component-plugin-CqxENGBE.mjs AI (source-diff): ESM variant of the lazy-load plugin; same legitimate MF remote-loading pattern. ai
source-diff net-exec-file:dist/prefetch-8e8pqiSo.js AI (source-diff): Prefetch helper for remote module federation; script injection is core to MF runtime behavior. ai
source-diff net-exec-file:dist/prefetch-BIuiJePI.js AI (source-diff): MF prefetch module; createScript injects remote federation scripts as designed. ai
source-diff net-exec-file:dist/prefetch-DLfc6h__.mjs AI (source-diff): ESM variant of prefetch module; same legitimate MF pattern. ai
source-diff net-exec-file:dist/lazy-load-component-plugin-ChXiUL6x.mjs AI (source-diff): ESM variant of lazy-load plugin; same legitimate MF pattern. ai
source-diff net-exec-file:dist/lazy-load-component-plugin-0-2dETvt.js AI (source-diff): Module Federation lazy-load plugin; dynamic script injection is core MF functionality, not malware. ai
source-diff net-exec-file:dist/lazy-load-component-plugin-Dk-ECNy-.mjs AI (source-diff): ESM variant of the same legitimate lazy-load plugin; consistent with MF build output. ai
source-diff net-exec-file:dist/prefetch-BiUqElFJ.mjs AI (source-diff): ESM variant of the same legitimate prefetch artifact; consistent with MF build output. ai
source-diff net-exec-file:dist/lazy-load-component-plugin-DKejcTCw.js AI (source-diff): Legitimate MF lazy-load plugin build artifact; network calls are module federation remote loading, not malware. ai
source-diff net-exec-file:dist/prefetch-ebk8gbEI.js AI (source-diff): Legitimate MF prefetch/data-fetch build artifact; pattern matches MF's documented data fetching infrastructure. ai
source-diff net-exec-file:dist/prefetch-CvCACzJH.js AI (source-diff): Module Federation prefetch utility; createScript/dynamic loading is the documented remote federation mechanism. ai
source-diff net-exec-file:dist/lazy-load-component-plugin-B0jL1C-H.js AI (source-diff): Module Federation lazy-load plugin; script injection is core to remote module loading, not malware. ai
source-diff net-exec-file:dist/lazy-load-component-plugin-CXfIn_mH.mjs AI (source-diff): ESM variant of lazy-load plugin; same legitimate remote module loading pattern. ai
source-diff net-exec-file:dist/prefetch-CmkSilpl.mjs AI (source-diff): ESM variant of prefetch utility; same legitimate remote module loading pattern. ai
source-diff net-exec-file:dist/lazy-load-component-plugin-DdItJ9MU.js AI (source-diff): Legitimate build artifact for the lazy-load-component-plugin export; network/exec pattern is Module Federation's data-fetch mechanism. ai
source-diff net-exec-file:dist/prefetch-C7xNsjTa.mjs AI (source-diff): ESM variant of the prefetch helper; same legitimate context. ai
source-diff net-exec-file:dist/lazy-load-component-plugin-kX5VrCdH.mjs AI (source-diff): ESM variant of the same legitimate lazy-load-component-plugin artifact. ai
source-diff net-exec-file:dist/prefetch-DFW9CxrU.js AI (source-diff): Legitimate prefetch helper bundled with the lazy-load-component-plugin feature. ai
source-diff net-exec-file:dist/prefetch-PoipyNzq.js AI (source-diff): Legitimate MF prefetch build artifact; data-fetch orchestration for remote modules, not malware. ai
source-diff net-exec-file:dist/prefetch-Cv8Vx9jG.mjs AI (source-diff): ESM variant of the prefetch module; same legitimate MF pattern. ai
source-diff net-exec-file:dist/lazy-load-component-plugin-lLkUGUIW.mjs AI (source-diff): ESM variant of the lazy-load plugin; same legitimate MF pattern. ai
source-diff net-exec-file:dist/lazy-load-component-plugin-GaQxzHsw.js AI (source-diff): Legitimate MF lazy-load plugin build artifact; network calls are remote module fetching, not dropper behavior. ai
source-diff net-exec-file:dist/prefetch-BvksZRMd.js AI (source-diff): MF prefetch/data-fetch infrastructure; network calls are module federation remote loading, not exfiltration. ai
publish-pattern dormant-publish AI (publish-pattern): Major version bump in large monorepo; dormancy reflects versioning cadence, not account takeover. ai
source-diff net-exec-file:dist/prefetch-Cj92jrl5.mjs AI (source-diff): ESM variant of prefetch module; legitimate MF framework internals. ai
source-diff net-exec-file:dist/lazy-load-component-plugin-GtenP5tG.mjs AI (source-diff): ESM variant of the same legitimate lazy-load plugin; same rationale as CJS counterpart. ai
source-diff net-exec-file:dist/lazy-load-component-plugin-9KkACgWW.js AI (source-diff): Legitimate MF lazy-load plugin internals; data-fetch map management, not dropper behavior. ai
source-diff net-exec-file:dist/lazy-load-component-plugin-Bt990iJq.js AI (source-diff): Implements MF data-fetch plugin lifecycle hooks; network+exec pattern is core to module federation remote loading. ai
source-diff net-exec-file:dist/prefetch-DAwiqbcO.mjs AI (source-diff): ESM variant of prefetch utilities; legitimate remote module loading pattern. ai
source-diff net-exec-file:dist/lazy-load-component-plugin-BkcO9pUC.mjs AI (source-diff): ESM variant of lazy-load-component-plugin; same legitimate MF data-fetch pattern. ai
source-diff net-exec-file:dist/prefetch-D-d4LlJ3.js AI (source-diff): Implements MF prefetch/data-fetch utilities; legitimate remote module loading pattern. ai
semgrep semgrep:new-function-constructor AI (semgrep): Intentional MF runtime pattern for evaluating getPublicPath from remote snapshots; stable across versions. ai

Versions (showing 22 of 22)

Version Deps Published
2.5.0 2 / 20
2.4.0 2 / 20
2.3.3 2 / 20
2.3.2 2 / 20
2.3.1 4 / 18
2.3.0 4 / 18
2.2.3 4 / 18
2.2.2 4 / 18
2.2.1 4 / 18
2.2.0 4 / 17
2.1.0 4 / 17
2.0.1 4 / 17
2.0.0 4 / 17
0.24.1 4 / 17
0.24.0 4 / 17
0.23.0 4 / 17
0.22.1 4 / 17
0.22.0 4 / 17
0.21.6 4 / 17
0.21.5 4 / 17
0.21.4 4 / 17
0.21.3 4 / 17

v2.5.0

5 findings
HIGH New file with network + code execution: dist/lazy-load-component-plugin-8zeSnzyV.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/prefetch-DVsz9M2C.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/lazy-load-component-plugin-B3GJRx1-.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/prefetch-zNZ70qRm.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.3.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.3.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.3.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.3.0

5 findings
HIGH New file with network + code execution: dist/lazy-load-component-plugin-ZC6dhtcT.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/prefetch-8e8pqiSo.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/lazy-load-component-plugin-CqxENGBE.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/prefetch-CFKA0dZg.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.2.3

5 findings
HIGH New file with network + code execution: dist/lazy-load-component-plugin-0-2dETvt.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/prefetch-BIuiJePI.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/lazy-load-component-plugin-ChXiUL6x.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/prefetch-DLfc6h__.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.2.2

5 findings
HIGH New file with network + code execution: dist/lazy-load-component-plugin-0-2dETvt.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/prefetch-BIuiJePI.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/lazy-load-component-plugin-ChXiUL6x.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/prefetch-DLfc6h__.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.2.1

5 findings
HIGH New file with network + code execution: dist/lazy-load-component-plugin-0-2dETvt.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/prefetch-BIuiJePI.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/lazy-load-component-plugin-ChXiUL6x.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/prefetch-DLfc6h__.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.2.0

5 findings
HIGH New file with network + code execution: dist/lazy-load-component-plugin-0-2dETvt.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/prefetch-BIuiJePI.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/lazy-load-component-plugin-ChXiUL6x.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/prefetch-DLfc6h__.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.1.0

5 findings
HIGH New file with network + code execution: dist/lazy-load-component-plugin-B0jL1C-H.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/prefetch-CvCACzJH.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/lazy-load-component-plugin-CXfIn_mH.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/prefetch-CmkSilpl.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.1

5 findings
HIGH New file with network + code execution: dist/lazy-load-component-plugin-C7jasFos.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/prefetch-CFRpPfZQ.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/lazy-load-component-plugin-CrSLH5YP.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/prefetch-DMJyBeIs.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.0

5 findings
HIGH New file with network + code execution: dist/lazy-load-component-plugin-9KkACgWW.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/prefetch-BvksZRMd.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/lazy-load-component-plugin-GtenP5tG.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/prefetch-Cj92jrl5.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.24.1

5 findings
HIGH New file with network + code execution: dist/lazy-load-component-plugin-DKejcTCw.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/prefetch-ebk8gbEI.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/lazy-load-component-plugin-Dk-ECNy-.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/prefetch-BiUqElFJ.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.24.0

5 findings
HIGH New file with network + code execution: dist/lazy-load-component-plugin-DozDrfqb.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/prefetch-BzfBW4fX.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/lazy-load-component-plugin-BoFzraQv.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/prefetch-C8qqTz8_.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.23.0

5 findings
HIGH New file with network + code execution: dist/lazy-load-component-plugin-GaQxzHsw.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/prefetch-PoipyNzq.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/lazy-load-component-plugin-lLkUGUIW.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/prefetch-Cv8Vx9jG.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.22.1

5 findings
HIGH New file with network + code execution: dist/lazy-load-component-plugin-DdItJ9MU.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/prefetch-DFW9CxrU.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/lazy-load-component-plugin-kX5VrCdH.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/prefetch-C7xNsjTa.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.22.0

5 findings
HIGH New file with network + code execution: dist/lazy-load-component-plugin-Bt990iJq.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/prefetch-D-d4LlJ3.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/lazy-load-component-plugin-BkcO9pUC.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/prefetch-DAwiqbcO.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.21.6

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.21.5

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.21.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.21.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.