@morpho-org/bull-board-ui
A Dashboard UI built on top of bull or bullmq.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/static/js/main.b38467b7.js | AI (source-diff): Network calls are axios HTTP client for queue API; dynamic execution is webpack module loader — standard SPA pattern. | ai | |
| source-diff | obfuscated-file:dist/static/js/main.b38467b7.js | AI (source-diff): Standard webpack main bundle (date-fns locales, CSS modules); no malware indicators. | ai | |
| source-diff | net-exec-file:dist/static/js/main.e014abcc.js | AI (source-diff): Network calls (axios for queue API) + dynamic chunk loading are standard React SPA patterns; no dropper behavior in samples. | ai | |
| source-diff | obfuscated-file:dist/static/js/main.e014abcc.js | AI (source-diff): Main webpack bundle for a React UI app; minification is the expected distribution format. | ai | |
| source-diff | net-exec-file:dist/static/js/main.349f0c9b.js | AI (source-diff): Network calls are axios HTTP client for queue API; dynamic code is webpack module loader — standard SPA pattern. | ai | |
| source-diff | obfuscated-file:dist/static/js/async/9291.e90e21af.js | AI (source-diff): Standard webpack-minified frontend chunk (SVG icons, status constants); no malicious content. | ai | |
| source-diff | obfuscated-file:dist/static/js/main.349f0c9b.js | AI (source-diff): Standard webpack-minified main bundle (date-fns locales, React UI); no malicious content. | ai | |
| source-diff | net-exec-file:dist/static/js/main.1728f3d7.js | AI (source-diff): Network calls (axios) + dynamic module loading are intrinsic to this SPA dashboard; not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/static/js/async/11153.5caec0cb.js | AI (source-diff): Standard webpack chunk from a React UI build; minified CSS-module + CodeMirror code, no malicious content. | ai | |
| source-diff | obfuscated-file:dist/static/js/async/66030.67488133.js | AI (source-diff): Webpack chunk containing CSS module maps and SVG icon components; normal build artifact. | ai | |
| source-diff | obfuscated-file:dist/static/js/async/67465.807ab435.js | AI (source-diff): Webpack chunk with React job-page UI components; normal build artifact. | ai | |
| source-diff | obfuscated-file:dist/static/js/async/82384.4e5ca7fe.js | AI (source-diff): Webpack chunk containing prop-types and react-paginate; normal build artifact. | ai | |
| source-diff | obfuscated-file:dist/static/js/async/9291.4ef6d985.js | AI (source-diff): Webpack chunk with status constants and SVG icons; normal build artifact. | ai | |
| source-diff | obfuscated-file:dist/static/js/main.1728f3d7.js | AI (source-diff): Main webpack bundle for a React dashboard UI; minified output is expected. | ai | |
| source-diff | net-exec-file:dist/static/js/main.1cf5c7f8.js | AI (source-diff): Network calls (axios) + dynamic imports are standard React SPA patterns; no dropper behavior visible in samples. | ai | |
| source-diff | obfuscated-file:dist/static/js/main.1cf5c7f8.js | AI (source-diff): Webpack-bundled React UI assets; minified output is expected for this package type. | ai | |
| source-diff | obfuscated-file:dist/static/js/async/9291.e5f5c7de.js | AI (source-diff): Standard webpack-minified UI bundle; minification is expected for this package's dist output. | ai | |
| source-diff | net-exec-file:dist/static/js/main.601332f2.js | AI (source-diff): Network calls (axios) + dynamic module loading in a React SPA bundle is normal; no dropper pattern visible in sample. | ai | |
| source-diff | obfuscated-file:dist/static/js/main.601332f2.js | AI (source-diff): Standard webpack-minified UI bundle; minification is expected for this package's dist output. | ai | |
Versions (showing 17 of 17)
| Version | Deps | Published |
|---|---|---|
| 6.23.0 | 1 / 39 | |
| 6.22.2 | 1 / 39 | |
| 6.22.1 | 1 / 39 | |
| 6.22.0 | 1 / 39 | |
| 6.21.0 | 1 / 39 | |
| 6.19.2 | 1 / 39 | |
| 6.19.1 | 1 / 39 | |
| 6.19.0 | 1 / 39 | |
| 6.14.3 | 1 / 38 | |
| 6.14.2 | 1 / 38 | |
| 6.12.6 | 1 / 38 | |
| 6.12.5 | 1 / 38 | |
| 6.12.4 | 1 / 38 | |
| 6.12.3 | 1 / 38 | |
| 6.12.2 | 1 / 38 | |
| 6.12.1 | 1 / 38 | |
| 6.12.0 | 1 / 38 | |
v6.22.2
9 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rubilmax.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.22.1
9 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rubilmax.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.22.0
9 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rubilmax.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.21.0
9 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rubilmax.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.19.2
5 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rubilmax.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.19.1
5 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rubilmax.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.19.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.14.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.14.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.12.6
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.12.5
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.12.4
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.12.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.12.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.12.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.12.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.