@pisell/materials
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:lucide-react | AI (phantom-deps): lucide-react is a declared runtime dep; phantom-dep heuristic false positive for this package. | ai | |
| source-diff | obfuscated-file:build/lowcode/render/default/async/view.js | AI (source-diff): Identical webpack bundle pattern; minified build artifact, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:build/lowcode/async/view.js | AI (source-diff): Standard webpack bundle output; readable AWS SDK serialization code, not obfuscation. | ai | |
| provenance | missing-githead | AI (provenance): Mature, high-volume package with known maintainer; missing gitHead is a CI environment change, not a malware signal. | ai | |
| source-diff | obfuscated-file:es/components/PisellContactBrief/components/ContactFormModal.js | AI (source-diff): Standard Babel/regenerator transpiled output; not malicious obfuscation for this component library. | ai | |
| source-diff | obfuscated-file:es/components/PisellCards/components/GraphicTextCard/GraphicTextCard.stories.js | AI (source-diff): Standard Babel/regenerator transpiled output; not malicious obfuscation for this component library. | ai | |
| source-diff | obfuscated-file:es/components/hardwareErrorTip/demo.js | AI (source-diff): Babel/regenerator-runtime transpiler output, not obfuscation; stable for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): All three new deps are established React ecosystem packages; no malware indicators. | ai | |
| source-diff | obfuscated-file:build/lowcode/render/default/1.js | AI (source-diff): Standard webpack bundle output (webpackJsonpBaseMaterials); minified build artifact, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:build/lowcode/3.js | AI (source-diff): Standard webpack bundle output (webpackJsonpBaseMaterials); minified build artifact, not malicious obfuscation. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation is a best-practice recommendation, not a security blocker for established packages. | ai | |
| source-diff | obfuscated-file:es/components/pisellToast/squareToast/renderImperatively.js | AI (source-diff): Babel-transpiled output (regenerator-runtime); standard build artifact, not obfuscation. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Active UI component library with 1644 versions; incremental source file additions are expected and consistent with its release history. | ai | |
| source-diff | obfuscated-file:es/components/dataSourceComponents/dataSourceForm/urlUtils.js | AI (source-diff): File is Babel-transpiled ES module output (contains regenerator-runtime MIT header, @babel/helpers patterns). Long lines are a build artifact, not obfuscation. This package ships compiled ES modules as its distribution format. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Established internal component library (1627 versions); minimal metadata is consistent with organizational tooling, not spam. | ai | |
| source-diff | obfuscated-file:es/components/pisellRecordBoard/shellFrame/Calendar/BookingCalendar.js | AI (source-diff): File contains standard Babel-transpiled ES5 output (canonical helpers: _typeof, _objectSpread, _regeneratorRuntime). Long lines are minified compiled output, not malicious obfuscation. Normal for a React component library shipping compiled artifacts. | ai | |
| source-diff | obfuscated-file:es/components/pisellRecordBoard/shellFrame/Calendar/BookingCalendarDemo.js | AI (source-diff): File contains standard Babel-transpiled/bundled React component output with recognizable helpers (regeneratorRuntime, _typeof). Long lines are from bundling, not intentional obfuscation. Consistent with this UI component library's build pattern. | ai | |
| dependencies | unvetted-dep:@react-spring/web | AI (dependencies): @react-spring/web is a well-known, widely-used React animation library. Its use in a UI component library is expected and benign. | ai | |
| phantom-deps | phantom-dep:antd-mobile | AI (phantom-deps): antd-mobile is a legitimate declared dependency referenced in config files; phantom-dep finding is a packaging style issue, not a security concern. | ai | |
Versions (showing 51 of 168)
| Version | Deps | Published |
|---|---|---|
| 6.11.206 | 30 / 45 | |
| 6.11.205 | 30 / 45 | |
| 6.11.204 | 30 / 45 | |
| 6.11.203 | 30 / 45 | |
| 6.11.202 | 30 / 45 | |
| 6.11.201 | 30 / 45 | |
| 6.11.200 | 30 / 45 | |
| 6.11.111 | 30 / 45 | |
| 6.11.110 | 30 / 45 | |
| 6.11.109 | 30 / 45 | |
| 6.11.108 | 30 / 45 | |
| 6.11.107 | 30 / 45 | |
| 6.11.106 | 30 / 45 | |
| 6.11.105 | 30 / 45 | |
| 6.11.104 | 30 / 45 | |
| 6.11.103 | 30 / 45 | |
| 6.11.102 | 30 / 45 | |
| 6.11.101 | 30 / 45 | |
| 6.11.100 | 30 / 45 | |
| 6.11.99 | 30 / 45 | |
| 6.11.98 | 30 / 45 | |
| 6.11.97 | 30 / 45 | |
| 6.11.96 | 30 / 45 | |
| 6.11.95 | 30 / 45 | |
| 6.11.94 | 30 / 45 | |
| 6.11.93 | 30 / 45 | |
| 6.11.92 | 30 / 45 | |
| 6.11.91 | 30 / 45 | |
| 6.11.90 | 30 / 45 | |
| 6.11.89 | 30 / 45 | |
| 6.11.88 | 30 / 45 | |
| 6.11.87 | 30 / 45 | |
| 6.11.86 | 30 / 45 | |
| 6.11.85 | 30 / 45 | |
| 6.11.84 | 30 / 45 | |
| 6.11.83 | 30 / 45 | |
| 6.11.74 | 30 / 45 | |
| 6.11.72 | 30 / 45 | |
| 6.11.58 | 30 / 45 | |
| 6.11.50 | 30 / 45 | |
| 6.11.49 | 30 / 45 | |
| 6.11.48 | 30 / 45 | |
| 6.11.47 | 30 / 45 | |
| 6.11.46 | 30 / 45 | |
| 6.11.45 | 30 / 45 | |
| 6.11.44 | 30 / 45 | |
| 6.11.42 | 30 / 45 | |
| 6.11.41 | 30 / 45 | |
| 6.11.39 | 30 / 45 | |
| 6.11.38 | 30 / 45 | |
| 6.11.37 | 31 / 45 | |
v6.11.206
3 findings:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ah-sc.
This version was published by a different npm account (ah-sc) than the most recent previously approved version (jinglin.tan) on 2026-06-06, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.205
2 findings:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
v6.11.204
2 findings:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-06-05, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.203
2 findings:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zsj1037797769) than the most recent previously approved version (jinglin.tan) on 2026-06-05, but zsj1037797769 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.202
2 findings:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-06-04, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.201
2 findings:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zsj1037797769) than the most recent previously approved version (jinglin.tan) on 2026-06-04, but zsj1037797769 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.200
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.111
2 findings:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zsj1037797769) than the most recent previously approved version (xiangfeng.xue) on 2026-06-04, but zsj1037797769 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.110
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.109
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.108
2 findings:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zsj1037797769) than the most recent previously approved version (ah-sc) on 2026-06-02, but zsj1037797769 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.107
3 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: zsj1037797769.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zsj1037797769) than the most recent previously approved version (ah-sc) on 2026-06-01, but zsj1037797769 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.106
5 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ah-sc.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ah-sc) than the most recent previously approved version (zsj1037797769) on 2026-05-30, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.105
5 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ah-sc.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ah-sc) than the most recent previously approved version (zsj1037797769) on 2026-05-29, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.104
3 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-05-29, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.103
5 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ah-sc.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ah-sc) than the most recent previously approved version (zsj1037797769) on 2026-05-29, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.102
2 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: zsj1037797769.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.101
3 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-05-29, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.100
3 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-05-29, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.99
5 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ah-sc.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ah-sc) than the most recent previously approved version (zsj1037797769) on 2026-05-28, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.98
3 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-05-28, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.97
3 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-05-28, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.96
3 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-05-28, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.95
3 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-05-28, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.94
3 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-05-27, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.93
3 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: zhiwei.wang.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zhiwei.wang) than the most recent previously approved version (zsj1037797769) on 2026-05-27, but zhiwei.wang is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.92
3 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-05-26, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.91
2 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: zsj1037797769.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.90
3 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-05-25, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.89
3 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-05-22, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.88
3 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-05-22, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.87
2 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: zsj1037797769.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.86
2 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: zsj1037797769.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.85
2 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: zsj1037797769.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.84
2 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: zsj1037797769.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.83
2 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: zsj1037797769.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.74
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.72
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.58
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.50
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.49
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.11.48
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.47
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.46
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.45
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.44
2 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.42
2 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.41
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.39
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.38
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.37
2 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.