@opengis/admin
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/admin-view-BKD-rKqQ.js | AI (source-diff): Vite-bundled Vue component output; standard minified build artifact. | ai | |
| source-diff | obfuscated-file:dist/import-file-2iB1izw1.js | AI (source-diff): Vite-bundled vendor chunk (axios, Vue utilities); standard minified build artifact. | ai | |
| source-diff | obfuscated-file:dist/admin-view-BWIQS9Bz.js | AI (source-diff): Standard Vite/Vue build output; minified but clearly readable Vue component code, no obfuscation. | ai | |
| source-diff | obfuscated-file:dist/import-file-C-q7nPgl.js | AI (source-diff): Standard Vite bundle with readable imports (vue, axios, vuedraggable); minified not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/import-file-gAIxmvH0.js | AI (source-diff): Standard Vite bundle with identifiable imports (vue, axios, vuedraggable); minified not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/admin-view-BCrdh-at.js | AI (source-diff): Standard Vite build output; readable Vue component code, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/import-file-DcpjZvgK.js | AI (source-diff): Vite-bundled Vue build output; minified but not obfuscated. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/admin-view-ccrTnaDh.js | AI (source-diff): Vite-bundled Vue build output; minified but not obfuscated. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@tiptap/starter-kit | AI (phantom-deps): Tiptap ecosystem dep; config-only reference, stable false positive. | ai | |
| phantom-deps | phantom-dep:@tiptap/suggestion | AI (phantom-deps): Tiptap ecosystem dep; config-only reference, stable false positive. | ai | |
| phantom-deps | phantom-dep:@tiptap/vue-3 | AI (phantom-deps): Tiptap ecosystem dep; config-only reference, stable false positive. | ai | |
| phantom-deps | phantom-dep:vuedraggable | AI (phantom-deps): UI component dep declared for consumer use; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@tiptap/core | AI (phantom-deps): Same as above — tiptap ecosystem, config-only reference. | ai | |
| phantom-deps | phantom-dep:fastify | AI (phantom-deps): Declared as peer/runtime dep in a Fastify-based admin framework; config-only reference is expected. | ai | |
| phantom-deps | phantom-dep:@tiptap/pm | AI (phantom-deps): Tiptap ecosystem dep declared for consumer use; config-only reference pattern is stable for this package. | ai | |
| phantom-deps | phantom-dep:@tiptap/extension-placeholder | AI (phantom-deps): Tiptap ecosystem dep; config-only reference, stable false positive. | ai | |
| phantom-deps | phantom-dep:@tiptap/extension-text-style | AI (phantom-deps): Tiptap ecosystem dep; config-only reference, stable false positive. | ai | |
| phantom-deps | phantom-dep:@tiptap/extension-underline | AI (phantom-deps): Tiptap ecosystem dep; config-only reference, stable false positive. | ai | |
| phantom-deps | phantom-dep:@tiptap/extension-mention | AI (phantom-deps): Tiptap ecosystem dep; config-only reference, stable false positive. | ai | |
| phantom-deps | phantom-dep:@fullcalendar/interaction | AI (phantom-deps): FullCalendar ecosystem dep; config-only reference, stable false positive. | ai | |
| phantom-deps | phantom-dep:@tiptap/extension-color | AI (phantom-deps): Tiptap ecosystem dep; config-only reference, stable false positive. | ai | |
| phantom-deps | phantom-dep:@tiptap/extension-text | AI (phantom-deps): Tiptap ecosystem dep; config-only reference, stable false positive. | ai | |
| source-diff | obfuscated-file:dist/admin-view-BcWfEfRW.js | AI (source-diff): Standard Vite/Vue build output; minified but not obfuscated — readable Vue component code visible in sample. | ai | |
| source-diff | obfuscated-file:dist/import-file-DJR1XXLF.js | AI (source-diff): Standard Vite bundle of vue, axios, vuedraggable etc.; minified but not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/import-file-A4o0SJpP.js | AI (source-diff): Standard Vite bundle containing vue, axios, vuedraggable — readable utility code, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/admin-view-BoHHzowt.js | AI (source-diff): Standard Vite-bundled Vue frontend output; minified but not malicious. | ai | |
| source-diff | obfuscated-file:dist/import-file-DanTkH8S.js | AI (source-diff): Standard Vite-minified bundle with readable Vue/axios/vuedraggable imports; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/admin-view-BaFEZfOb.js | AI (source-diff): Standard Vite-minified Vue bundle; readable imports and component patterns confirm legitimate build output. | ai | |
| phantom-deps | phantom-dep:@fullcalendar/daygrid | AI (phantom-deps): Optional calendar dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@vitejs/plugin-vue | AI (phantom-deps): Build-time dep used in vite.config; stable false positive. | ai | |
| phantom-deps | phantom-dep:@opengis/v3-filter | AI (phantom-deps): Same-org dep bundled via Vite; stable false positive. | ai | |
| phantom-deps | phantom-dep:@fullcalendar/vue3 | AI (phantom-deps): Optional calendar dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@fullcalendar/list | AI (phantom-deps): Optional calendar dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@fullcalendar/core | AI (phantom-deps): Optional calendar dep in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:close-with-grace | AI (phantom-deps): Server-side dep referenced in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:@opengis/v3-core | AI (phantom-deps): Same-org dep bundled via Vite; stable false positive. | ai | |
| phantom-deps | phantom-dep:@fancyapps/ui | AI (phantom-deps): Optional UI dep in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:@vueuse/core | AI (phantom-deps): Vue composables used via Vite bundle; stable false positive. | ai | |
| phantom-deps | phantom-dep:maplibre-gl | AI (phantom-deps): Optional map dep for GIS admin; stable false positive. | ai | |
| phantom-deps | phantom-dep:vue-router | AI (phantom-deps): Peer dep for Vue admin UI; stable false positive. | ai | |
| phantom-deps | phantom-dep:@turf/turf | AI (phantom-deps): GIS admin UI; optional geo dep in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:cross-env | AI (phantom-deps): Used in npm scripts; stable false positive. | ai | |
| phantom-deps | phantom-dep:date-fns | AI (phantom-deps): Optional dep referenced in config; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:qrcode | AI (phantom-deps): Optional feature dep in admin UI config; stable false positive. | ai | |
| phantom-deps | phantom-dep:moment | AI (phantom-deps): Optional peer/config dep for a full-stack admin UI; stable false positive. | ai | |
| source-diff | obfuscated-file:dist/import-file-q1gVGP28.js | AI (source-diff): Standard Vite bundle with readable Vue/axios/utility code; minified not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/admin-view-B2qQ1IHJ.js | AI (source-diff): Standard Vite/Vue build output; minified but not obfuscated, no malicious patterns. | ai | |
| phantom-deps | phantom-dep:@fullcalendar/timegrid | AI (phantom-deps): Optional calendar dep; stable false positive. | ai | |
Versions (showing 16 of 16)
| Version | Deps | Published |
|---|---|---|
| 0.4.46 | 24 / 8 | |
| 0.4.45 | 24 / 8 | |
| 0.4.44 | 24 / 8 | |
| 0.4.43 | 24 / 8 | |
| 0.4.42 | 24 / 8 | |
| 0.4.41 | 24 / 8 | |
| 0.4.40 | 24 / 8 | |
| 0.4.35 | 24 / 8 | |
| 0.4.30 | 24 / 8 | |
| 0.4.27 | 24 / 9 | |
| 0.4.23 | 24 / 9 | |
| 0.4.22 | 26 / 7 | |
| 0.4.17 | 26 / 7 | |
| 0.4.15 | 26 / 7 | |
| 0.4.13 | 26 / 7 | |
| 0.4.4 | 40 / 14 | |
v0.4.46
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.45
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.44
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.43
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.42
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.41
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.40
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.35
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.30
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.27
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.23
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.22
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.17
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.15
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.13
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (oleksandr_krizhanovsky) than the most recent previously approved version (setebosu) on 2025-06-30, but oleksandr_krizhanovsky is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.4.4
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.