@mseva/digit-ui-module-challangeneration
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/index.modern.js | AI (source-diff): Bundle is a standard React/Redux UI module; no actual network fetch or dynamic code execution present in the sample. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Part of @mseva/digit-ui internal module ecosystem; sparse metadata is a pattern across the suite, not a spam indicator. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Consistent with the rest of the @mseva/digit-ui module family; not a malice signal. | ai | |
| phantom-deps | phantom-dep:lodash.merge | AI (phantom-deps): Utility dep used in config/build context; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): React UI module; react-dom declared as dep but used transitively — stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:microbundle-crl | AI (phantom-deps): Build tool listed in scripts; phantom-dep heuristic fires on config reference — stable false positive. | ai | |
| phantom-deps | phantom-dep:react-table | AI (phantom-deps): UI module with table components; phantom-dep heuristic fires on config references — stable false positive. | ai | |
| phantom-deps | phantom-dep:redux-thunk | AI (phantom-deps): Redux-based UI module; redux-thunk used via config/middleware setup — stable false positive. | ai |
Versions (showing 23 of 23)
| Version | Deps | Published |
|---|---|---|
| 1.0.31 | 14 / 0 | |
| 1.0.30 | 14 / 0 | |
| 1.0.29 | 14 / 0 | |
| 1.0.26 | 14 / 0 | |
| 1.0.21 | 14 / 0 | |
| 1.0.20 | 14 / 0 | |
| 1.0.19 | 14 / 0 | |
| 1.0.18 | 14 / 0 | |
| 1.0.16 | 14 / 0 | |
| 1.0.15 | 14 / 0 | |
| 1.0.14 | 14 / 0 | |
| 1.0.13 | 14 / 0 | |
| 1.0.12 | 13 / 0 | |
| 1.0.11 | 13 / 0 | |
| 1.0.9 | 13 / 0 | |
| 1.0.8 | 13 / 0 | |
| 1.0.7 | 13 / 0 | |
| 1.0.6 | 13 / 0 | |
| 1.0.4 | 13 / 0 | |
| 1.0.3 | 9 / 0 | |
| 1.0.2 | 9 / 0 | |
| 1.0.1 | 9 / 0 | |
| 1.0.0 | 9 / 0 |
v1.0.30
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.29
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.26
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.21
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.20
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.19
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.18
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.16
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.15
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.14
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.13
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.12
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.11
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.9
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.8
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.7
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.6
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.4
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.