@pisell/materials
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:lucide-react | AI (phantom-deps): lucide-react is a declared runtime dep; phantom-dep heuristic false positive for this package. | ai | |
| source-diff | obfuscated-file:build/lowcode/render/default/async/view.js | AI (source-diff): Identical webpack bundle pattern; minified build artifact, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:build/lowcode/async/view.js | AI (source-diff): Standard webpack bundle output; readable AWS SDK serialization code, not obfuscation. | ai | |
| provenance | missing-githead | AI (provenance): Mature, high-volume package with known maintainer; missing gitHead is a CI environment change, not a malware signal. | ai | |
| source-diff | obfuscated-file:es/components/PisellContactBrief/components/ContactFormModal.js | AI (source-diff): Standard Babel/regenerator transpiled output; not malicious obfuscation for this component library. | ai | |
| source-diff | obfuscated-file:es/components/PisellCards/components/GraphicTextCard/GraphicTextCard.stories.js | AI (source-diff): Standard Babel/regenerator transpiled output; not malicious obfuscation for this component library. | ai | |
| source-diff | obfuscated-file:es/components/hardwareErrorTip/demo.js | AI (source-diff): Babel/regenerator-runtime transpiler output, not obfuscation; stable for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): All three new deps are established React ecosystem packages; no malware indicators. | ai | |
| source-diff | obfuscated-file:build/lowcode/render/default/1.js | AI (source-diff): Standard webpack bundle output (webpackJsonpBaseMaterials); minified build artifact, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:build/lowcode/3.js | AI (source-diff): Standard webpack bundle output (webpackJsonpBaseMaterials); minified build artifact, not malicious obfuscation. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation is a best-practice recommendation, not a security blocker for established packages. | ai | |
| source-diff | obfuscated-file:es/components/pisellToast/squareToast/renderImperatively.js | AI (source-diff): Babel-transpiled output (regenerator-runtime); standard build artifact, not obfuscation. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Active UI component library with 1644 versions; incremental source file additions are expected and consistent with its release history. | ai | |
| source-diff | obfuscated-file:es/components/dataSourceComponents/dataSourceForm/urlUtils.js | AI (source-diff): File is Babel-transpiled ES module output (contains regenerator-runtime MIT header, @babel/helpers patterns). Long lines are a build artifact, not obfuscation. This package ships compiled ES modules as its distribution format. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Established internal component library (1627 versions); minimal metadata is consistent with organizational tooling, not spam. | ai | |
| source-diff | obfuscated-file:es/components/pisellRecordBoard/shellFrame/Calendar/BookingCalendar.js | AI (source-diff): File contains standard Babel-transpiled ES5 output (canonical helpers: _typeof, _objectSpread, _regeneratorRuntime). Long lines are minified compiled output, not malicious obfuscation. Normal for a React component library shipping compiled artifacts. | ai | |
| source-diff | obfuscated-file:es/components/pisellRecordBoard/shellFrame/Calendar/BookingCalendarDemo.js | AI (source-diff): File contains standard Babel-transpiled/bundled React component output with recognizable helpers (regeneratorRuntime, _typeof). Long lines are from bundling, not intentional obfuscation. Consistent with this UI component library's build pattern. | ai | |
| dependencies | unvetted-dep:@react-spring/web | AI (dependencies): @react-spring/web is a well-known, widely-used React animation library. Its use in a UI component library is expected and benign. | ai | |
| phantom-deps | phantom-dep:antd-mobile | AI (phantom-deps): antd-mobile is a legitimate declared dependency referenced in config files; phantom-dep finding is a packaging style issue, not a security concern. | ai | |
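As an added example, not the scanner's own code and not anything from the @pisell/materials repository, the following Node script implements the checks that the accepted-risk rules above and the per-version findings below describe: no-provenance, missing-githead, the publisher-change check with its maintainer match, and the long-line heuristic behind obfuscated-file. It runs over a constructed packument for a fictional @example/widgets package. The field names (versions[v].gitHead, _npmUser, maintainers, dist.attestations) are the public npm registry's; the INFO/WARN severities, the sample versions and the sample files are this example's assumptions.

```javascript
// Added example (not the scanner's or the package's code): the metadata checks
// behind the findings on this page, run over a constructed npm packument.
// Field names follow the public registry's packument format:
// versions[v].gitHead, versions[v]._npmUser, versions[v].maintainers,
// versions[v].dist.attestations. Severity labels INFO/WARN are this example's.
const LONG_LINE_LIMIT = 3000; // threshold used by the source-diff heuristic

// npm stores the attestation bundle URL plus the SLSA predicate type on dist.
function hasProvenance(versionDoc) {
  const att = versionDoc.dist && versionDoc.dist.attestations;
  return Boolean(att && att.url && att.provenance && att.provenance.predicateType);
}

// Compare one version against the most recent previously approved version.
function assessVersion(packument, version, approvedVersion) {
  const cur = packument.versions[version];
  const prev = approvedVersion ? packument.versions[approvedVersion] : null;
  const findings = [];

  if (!hasProvenance(cur)) {
    findings.push({ rule: "no-provenance", severity: "WARN",
      detail: "published without Sigstore provenance" });
  }

  // gitHead only matters as a regression: the link to a commit existed before.
  if (!cur.gitHead && prev && prev.gitHead) {
    findings.push({ rule: "missing-githead", severity: "WARN",
      detail: `no gitHead; ${approvedVersion} had ${prev.gitHead}` });
  }

  // Publisher differs from the approved version: INFO if the new account was
  // already a maintainer on that version (matched on name), WARN otherwise.
  const publisher = cur._npmUser && cur._npmUser.name;
  const prevPublisher = prev && prev._npmUser && prev._npmUser.name;
  if (prev && publisher !== prevPublisher) {
    const known = (prev.maintainers || []).some((m) => m.name === publisher);
    findings.push({
      rule: "publisher-change",
      severity: known ? "INFO" : "WARN",
      detail: known
        ? `${publisher} differs from ${prevPublisher} but is a maintainer on ${approvedVersion}`
        : `${publisher} is not a maintainer on ${approvedVersion}`,
    });
  }
  return findings;
}

// Long-line heuristic: any newly added file with a line over the limit is
// flagged. Whether it is webpack/Babel output or real obfuscation is a
// reviewer decision, which is why the table carries per-file acceptances.
function longLineFindings(newFiles) {
  return Object.entries(newFiles)
    .filter(([, text]) => text.split("\n").some((line) => line.length > LONG_LINE_LIMIT))
    .map(([path]) => ({ rule: `obfuscated-file:${path}`, severity: "WARN" }));
}

// Constructed sample data, not real registry content.
const MAINTAINERS = [{ name: "alice" }, { name: "bob" }];
const SAMPLE = {
  name: "@example/widgets",
  versions: {
    "1.0.0": { gitHead: "a1b2c3d", _npmUser: { name: "alice" }, maintainers: MAINTAINERS,
      dist: { attestations: {
        url: "https://registry.npmjs.org/-/npm/v1/attestations/@example%2fwidgets@1.0.0",
        provenance: { predicateType: "https://slsa.dev/provenance/v1" } } } },
    "1.0.1": { _npmUser: { name: "bob" }, maintainers: MAINTAINERS, dist: {} },
    "1.0.2": { gitHead: "d4e5f6a", _npmUser: { name: "mallory" },
      maintainers: [...MAINTAINERS, { name: "mallory" }], dist: {} },
  },
};
const SAMPLE_FILES = { "es/index.js": "export const a = 1;\n", "build/1.js": "x".repeat(3500) + "\n" };

console.log(assessVersion(SAMPLE, "1.0.1", "1.0.0")); // 3 findings, publisher-change is INFO
console.log(assessVersion(SAMPLE, "1.0.2", "1.0.1")); // 2 findings, publisher-change is WARN
console.log(longLineFindings(SAMPLE_FILES));          // flags build/1.js only
```

The publisher check deliberately consults the maintainers list of the previously approved version rather than the new one: the new version's metadata is written by whoever holds the publishing token, so an account added in the same publish would otherwise vouch for itself.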
Versions (showing 100 of 169)
| Version | Deps | Published |
|---|---|---|
| 6.11.206 | 30 / 45 | |
| 6.11.205 | 30 / 45 | |
| 6.11.204 | 30 / 45 | |
| 6.11.203 | 30 / 45 | |
| 6.11.202 | 30 / 45 | |
| 6.11.201 | 30 / 45 | |
| 6.11.200 | 30 / 45 | |
| 6.11.111 | 30 / 45 | |
| 6.11.110 | 30 / 45 | |
| 6.11.109 | 30 / 45 | |
| 6.11.108 | 30 / 45 | |
| 6.11.107 | 30 / 45 | |
| 6.11.106 | 30 / 45 | |
| 6.11.105 | 30 / 45 | |
| 6.11.104 | 30 / 45 | |
| 6.11.103 | 30 / 45 | |
| 6.11.102 | 30 / 45 | |
| 6.11.101 | 30 / 45 | |
| 6.11.100 | 30 / 45 | |
| 6.11.99 | 30 / 45 | |
| 6.11.98 | 30 / 45 | |
| 6.11.97 | 30 / 45 | |
| 6.11.96 | 30 / 45 | |
| 6.11.95 | 30 / 45 | |
| 6.11.94 | 30 / 45 | |
| 6.11.93 | 30 / 45 | |
| 6.11.92 | 30 / 45 | |
| 6.11.91 | 30 / 45 | |
| 6.11.90 | 30 / 45 | |
| 6.11.89 | 30 / 45 | |
| 6.11.88 | 30 / 45 | |
| 6.11.87 | 30 / 45 | |
| 6.11.86 | 30 / 45 | |
| 6.11.85 | 30 / 45 | |
| 6.11.84 | 30 / 45 | |
| 6.11.83 | 30 / 45 | |
| 6.11.74 | 30 / 45 | |
| 6.11.72 | 30 / 45 | |
| 6.11.58 | 30 / 45 | |
| 6.11.50 | 30 / 45 | |
| 6.11.49 | 30 / 45 | |
| 6.11.48 | 30 / 45 | |
| 6.11.47 | 30 / 45 | |
| 6.11.46 | 30 / 45 | |
| 6.11.45 | 30 / 45 | |
| 6.11.44 | 30 / 45 | |
| 6.11.42 | 30 / 45 | |
| 6.11.41 | 30 / 45 | |
| 6.11.39 | 30 / 45 | |
| 6.11.38 | 30 / 45 | |
| 6.11.37 | 31 / 45 | |
| 6.11.36 | 31 / 45 | |
| 6.11.35 | 31 / 45 | |
| 6.11.34 | 31 / 45 | |
| 6.11.33 | 31 / 45 | |
| 6.11.32 | 31 / 45 | |
| 6.11.31 | 31 / 45 | |
| 6.11.30 | 31 / 45 | |
| 6.11.29 | 31 / 45 | |
| 6.11.28 | 31 / 45 | |
| 6.11.27 | 31 / 45 | |
| 6.11.20 | 30 / 41 | |
| 6.11.19 | 30 / 41 | |
| 6.11.18 | 30 / 41 | |
| 6.11.3 | 29 / 41 | |
| 6.11.2 | 29 / 41 | |
| 6.11.1 | 29 / 41 | |
| 6.9.5 | 29 / 41 | |
| 6.8.19 | 29 / 40 | |
| 6.8.18 | 29 / 40 | |
| 6.8.17 | 29 / 40 | |
| 6.8.13 | 29 / 40 | |
| 6.6.16 | 29 / 24 | |
| 6.6.1 | 29 / 24 | |
| 6.5.9 | 29 / 24 | |
| 6.5.8 | 29 / 24 | |
| 6.5.7 | 29 / 24 | |
| 6.4.17 | 29 / 24 | |
| 6.4.16 | 29 / 24 | |
| 6.4.15 | 29 / 24 | |
| 6.4.14 | 29 / 24 | |
| 6.4.8 | 28 / 24 | |
| 6.4.7 | 28 / 24 | |
| 6.3.42 | 27 / 45 | |
| 6.3.41 | 27 / 45 | |
| 6.3.40 | 27 / 45 | |
| 6.3.38 | 27 / 45 | |
| 6.3.31 | 26 / 41 | |
| 6.3.30 | 26 / 41 | |
| 6.3.29 | 26 / 41 | |
| 6.3.24 | 26 / 40 | |
| 6.3.22 | 26 / 24 | |
| 6.3.11 | 26 / 24 | |
| 6.3.9 | 26 / 24 | |
| 6.3.8 | 26 / 24 | |
| 6.3.4 | 25 / 24 | |
| 6.3.3 | 25 / 24 | |
| 6.3.1 | 25 / 24 | |
| 6.2.40 | 28 / 24 | |
| 6.2.39 | 27 / 24 |
v6.11.206
3 findings
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ah-sc.
- This version was published by a different npm account (ah-sc) than the most recent previously approved version (jinglin.tan) on 2026-06-06, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.205
2 findings
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
v6.11.204
2 findings
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-06-05, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.203
2 findings
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (zsj1037797769) than the most recent previously approved version (jinglin.tan) on 2026-06-05, but zsj1037797769 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.202
2 findings
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-06-04, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.201
2 findings
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (zsj1037797769) than the most recent previously approved version (jinglin.tan) on 2026-06-04, but zsj1037797769 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.200
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.111
2 findings
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (zsj1037797769) than the most recent previously approved version (xiangfeng.xue) on 2026-06-04, but zsj1037797769 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.110
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.109
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.108
2 findings
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (zsj1037797769) than the most recent previously approved version (ah-sc) on 2026-06-02, but zsj1037797769 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.107
3 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: zsj1037797769.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (zsj1037797769) than the most recent previously approved version (ah-sc) on 2026-06-01, but zsj1037797769 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.106
5 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ah-sc.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (ah-sc) than the most recent previously approved version (zsj1037797769) on 2026-05-30, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.105
5 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ah-sc.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (ah-sc) than the most recent previously approved version (zsj1037797769) on 2026-05-29, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.104
3 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-05-29, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.103
5 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ah-sc.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (ah-sc) than the most recent previously approved version (zsj1037797769) on 2026-05-29, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.102
2 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: zsj1037797769.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.101
3 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-05-29, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.100
3 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-05-29, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.99
5 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ah-sc.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (ah-sc) than the most recent previously approved version (zsj1037797769) on 2026-05-28, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.98
3 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-05-28, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.97
3 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-05-28, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.96
3 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-05-28, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.95
3 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-05-28, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.94
3 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-05-27, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.93
3 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: zhiwei.wang.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (zhiwei.wang) than the most recent previously approved version (zsj1037797769) on 2026-05-27, but zhiwei.wang is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.92
3 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-05-26, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.91
2 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: zsj1037797769.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.90
3 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-05-25, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.89
3 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-05-22, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.88
3 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-05-22, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.11.87
2 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: zsj1037797769.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.86
2 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: zsj1037797769.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.85
2 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: zsj1037797769.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.84
2 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: zsj1037797769.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.83
2 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: zsj1037797769.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.74
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.72
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.58
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.50
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.49
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.11.48
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.47
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.46
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.45
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.44
2 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.42
2 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.41
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.39
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.38
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.37
2 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.36
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.35
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.34
2 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.33
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.32
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.31
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.30
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.29
2 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.28
2 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.27
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.20
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.19
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.11.18
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.11.3
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.2
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.1
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.9.5
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.8.19
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.8.18
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.8.17
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.8.13
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.6.16
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.6.1
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.5.9
2 findings
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (zsj1037797769) than the most recent previously approved version (xiangfeng.xue) on 2025-10-31, but zsj1037797769 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.5.8
2 findings
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (zsj1037797769) than the most recent previously approved version (xiangfeng.xue) on 2025-10-30, but zsj1037797769 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.5.7
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zsj1037797769) than the most recent previously approved version (xiangfeng.xue) on 2025-10-30, but zsj1037797769 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.4.16
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zsj1037797769) than the most recent previously approved version (zhiwei.wang) on 2025-11-07, but zsj1037797769 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.4.15
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.14
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.8
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.7
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.42
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.41
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.40
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.38
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.31
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.30
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.29
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.3.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.40
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.39
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
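The three checks this version history keeps repeating (no Sigstore provenance recorded for the published tarball, a newly added file with a line over 3000 characters, and a publish by a different npm account that is nonetheless a listed maintainer) can be reproduced from the registry's own version document and the unpacked tarball. The block below is an added example, not the scanner's code and not anything shipped by @pisell/materials: the version documents, file contents and rule names are constructed sample data shaped like the findings above (the account names are the ones the page reports; the file bodies and the `ATTESTED_DOC` version are made up), and the thresholds and severities are assumptions that mirror the report's wording.

```python
"""Three npm publish-time heuristics, reimplemented over constructed registry data.

Added example; not the scanner's own code. Field names (_npmUser, maintainers,
dist.attestations) are the ones the npm registry returns in a version document.
"""
from typing import Dict, List, Tuple

MAX_LINE_LEN = 3000                        # the report's "minified or obfuscated" threshold
SLSA_PREDICATE = "https://slsa.dev/provenance/"   # predicateType prefix of an SLSA attestation

# ---- constructed sample data (not fetched from the registry) ----------------
PREV_DOC = {                               # the "most recent previously approved version"
    "version": "6.5.6",
    "_npmUser": {"name": "xiangfeng.xue"},
    "maintainers": [{"name": "xiangfeng.xue"}, {"name": "zsj1037797769"}],
    "dist": {"tarball": "https://registry.npmjs.org/@pisell/materials/-/materials-6.5.6.tgz"},
}
NEW_DOC = {                                # the version under review: manual publish, no attestation
    "version": "6.5.7",
    "_npmUser": {"name": "zsj1037797769"},
    "maintainers": [{"name": "xiangfeng.xue"}, {"name": "zsj1037797769"}],
    "dist": {"tarball": "https://registry.npmjs.org/@pisell/materials/-/materials-6.5.7.tgz"},
}
ATTESTED_DOC = {                           # hypothetical provenance-published version, for contrast
    "version": "9.9.9",
    "_npmUser": {"name": "ci-bot"},
    "maintainers": [{"name": "ci-bot"}],
    "dist": {
        "tarball": "https://registry.npmjs.org/example/-/example-9.9.9.tgz",
        "attestations": {
            "url": "https://registry.npmjs.org/-/npm/v1/attestations/example@9.9.9",
            "provenance": {"predicateType": "https://slsa.dev/provenance/v1"},
        },
    },
}
PREV_FILES = {                             # path -> content of the previously approved tarball
    "package.json": '{"name":"@pisell/materials","version":"6.5.6"}\n',
    "es/index.js": "export * from './components';\n",
}
NEW_FILES = dict(PREV_FILES)               # the new tarball adds one bundled file with a 4000+ char line
NEW_FILES["build/lowcode/async/view.js"] = "!function(e){" + "e.push([1,2]);" * 300 + "}();\n"


def has_provenance(doc: Dict) -> bool:
    """True when the registry recorded a Sigstore attestation with an SLSA provenance predicate."""
    att = doc.get("dist", {}).get("attestations") or {}
    return att.get("provenance", {}).get("predicateType", "").startswith(SLSA_PREDICATE)


def new_long_line_files(prev_files: Dict[str, str], new_files: Dict[str, str],
                        max_len: int = MAX_LINE_LEN) -> List[str]:
    """Paths that are new in this version and contain at least one line longer than max_len.

    Only newly added files are flagged: the report's accepted risks show that known
    webpack/Babel output in existing paths is noise, while a brand-new bundle is not.
    """
    added = set(new_files) - set(prev_files)
    return sorted(p for p in added
                  if any(len(line) > max_len for line in new_files[p].splitlines()))


def publisher_status(prev_doc: Dict, new_doc: Dict) -> str:
    """Classify who published this version relative to the last approved one."""
    prev_user = prev_doc["_npmUser"]["name"]
    new_user = new_doc["_npmUser"]["name"]
    if prev_user == new_user:
        return "same-publisher"
    # Match on account name only, exactly as the report does; it does not prove the
    # account is still controlled by the same person, which is why it stays INFO.
    if new_user in {m["name"] for m in prev_doc.get("maintainers", [])}:
        return "known-maintainer"
    return "publisher-change"


def review(prev_doc: Dict, new_doc: Dict,
           prev_files: Dict[str, str], new_files: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Run all three heuristics; returns (severity, rule, detail) triples."""
    findings: List[Tuple[str, str, str]] = []
    if not has_provenance(new_doc):
        findings.append(("WARN", "missing-provenance",
                         "no Sigstore/SLSA attestation in dist.attestations; "
                         "nothing links this tarball to a public source revision"))
    for path in new_long_line_files(prev_files, new_files):
        findings.append(("WARN", "obfuscated-file:" + path,
                         f"newly added file has a line over {MAX_LINE_LEN} chars"))
    status = publisher_status(prev_doc, new_doc)
    new_user, prev_user = new_doc["_npmUser"]["name"], prev_doc["_npmUser"]["name"]
    if status == "known-maintainer":
        findings.append(("INFO", "publisher-known-maintainer",
                         f"published by {new_user}, not {prev_user}, but {new_user} is a listed maintainer"))
    elif status == "publisher-change":
        findings.append(("BLOCK", "publisher-change",
                         f"published by {new_user}, who was not a maintainer on the approved version"))
    return findings


if __name__ == "__main__":
    for sev, rule, detail in review(PREV_DOC, NEW_DOC, PREV_FILES, NEW_FILES):
        print(f"{sev:5} {rule}: {detail}")
```

To run the same checks against the real registry, fetch the version document with `npm view @pisell/materials@<version> --json` (the `_npmUser`, `maintainers` and `dist.attestations` fields are what the functions read) and unpack the tarball from `dist.tarball` to build the path-to-content map; `npm audit signatures` additionally verifies the registry signatures and any provenance attestations of the packages already installed in a project.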