@pisell/materials
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:lucide-react | AI (phantom-deps): lucide-react is a declared runtime dep; phantom-dep heuristic false positive for this package. | ai | |
| source-diff | obfuscated-file:build/lowcode/render/default/async/view.js | AI (source-diff): Identical webpack bundle pattern; minified build artifact, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:build/lowcode/async/view.js | AI (source-diff): Standard webpack bundle output; readable AWS SDK serialization code, not obfuscation. | ai | |
| provenance | missing-githead | AI (provenance): Mature, high-volume package with known maintainer; missing gitHead is a CI environment change, not a malware signal. | ai | |
| source-diff | obfuscated-file:es/components/PisellContactBrief/components/ContactFormModal.js | AI (source-diff): Standard Babel/regenerator transpiled output; not malicious obfuscation for this component library. | ai | |
| source-diff | obfuscated-file:es/components/PisellCards/components/GraphicTextCard/GraphicTextCard.stories.js | AI (source-diff): Standard Babel/regenerator transpiled output; not malicious obfuscation for this component library. | ai | |
| source-diff | obfuscated-file:es/components/hardwareErrorTip/demo.js | AI (source-diff): Babel/regenerator-runtime transpiler output, not obfuscation; stable for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): All three new deps are established React ecosystem packages; no malware indicators. | ai | |
| source-diff | obfuscated-file:build/lowcode/render/default/1.js | AI (source-diff): Standard webpack bundle output (webpackJsonpBaseMaterials); minified build artifact, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:build/lowcode/3.js | AI (source-diff): Standard webpack bundle output (webpackJsonpBaseMaterials); minified build artifact, not malicious obfuscation. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation is a best-practice recommendation, not a security blocker for established packages. | ai | |
| source-diff | obfuscated-file:es/components/pisellToast/squareToast/renderImperatively.js | AI (source-diff): Babel-transpiled output (regenerator-runtime); standard build artifact, not obfuscation. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Active UI component library with 1644 versions; incremental source file additions are expected and consistent with its release history. | ai | |
| source-diff | obfuscated-file:es/components/dataSourceComponents/dataSourceForm/urlUtils.js | AI (source-diff): File is Babel-transpiled ES module output (contains regenerator-runtime MIT header, @babel/helpers patterns). Long lines are a build artifact, not obfuscation. This package ships compiled ES modules as its distribution format. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Established internal component library (1627 versions); minimal metadata is consistent with organizational tooling, not spam. | ai | |
| source-diff | obfuscated-file:es/components/pisellRecordBoard/shellFrame/Calendar/BookingCalendar.js | AI (source-diff): File contains standard Babel-transpiled ES5 output (canonical helpers: _typeof, _objectSpread, _regeneratorRuntime). Long lines are minified compiled output, not malicious obfuscation. Normal for a React component library shipping compiled artifacts. | ai | |
| source-diff | obfuscated-file:es/components/pisellRecordBoard/shellFrame/Calendar/BookingCalendarDemo.js | AI (source-diff): File contains standard Babel-transpiled/bundled React component output with recognizable helpers (regeneratorRuntime, _typeof). Long lines are from bundling, not intentional obfuscation. Consistent with this UI component library's build pattern. | ai | |
| dependencies | unvetted-dep:@react-spring/web | AI (dependencies): @react-spring/web is a well-known, widely-used React animation library. Its use in a UI component library is expected and benign. | ai | |
| phantom-deps | phantom-dep:antd-mobile | AI (phantom-deps): antd-mobile is a legitimate declared dependency referenced in config files; phantom-dep finding is a packaging style issue, not a security concern. | ai | |
Versions (showing 72 of 182)
| Version | Deps | Published |
|---|---|---|
| 6.2.38 | 27 / 24 | |
| 6.2.36 | 27 / 24 | |
| 6.2.26 | 25 / 24 | |
| 6.2.25 | 25 / 24 | |
| 6.2.24 | 25 / 24 | |
| 6.1.5 | 26 / 24 | |
| 6.1.4 | 26 / 24 | |
| 6.1.3 | 25 / 25 | |
| 6.1.2 | 25 / 24 | |
| 6.1.1 | 25 / 24 | |
| 3.3.101 | 27 / 41 | |
| 3.3.100 | 27 / 41 | |
| 3.3.99 | 27 / 41 | |
| 3.3.98 | 27 / 41 | |
| 3.3.97 | 27 / 41 | |
| 3.3.96 | 26 / 41 | |
| 3.3.93 | 26 / 41 | |
| 3.3.91 | 26 / 41 | |
| 3.3.90 | 26 / 41 | |
| 3.3.89 | 26 / 41 | |
| 3.3.79 | 26 / 40 | |
| 3.3.74 | 26 / 24 | |
| 3.3.69 | 26 / 24 | |
| 3.3.68 | 26 / 24 | |
| 3.3.67 | 26 / 24 | |
| 3.3.66 | 26 / 24 | |
| 2.2.131 | 27 / 41 | |
| 2.2.115 | 29 / 24 | |
| 2.2.114 | 29 / 24 | |
| 2.2.113 | 29 / 24 | |
| 2.2.112 | 29 / 24 | |
| 2.2.111 | 29 / 24 | |
| 1.8.60 | 30 / 45 | |
| 1.8.59 | 30 / 45 | |
| 1.8.58 | 30 / 45 | |
| 1.8.57 | 30 / 45 | |
| 1.8.56 | 30 / 45 | |
| 1.8.55 | 30 / 45 | |
| 1.8.54 | 30 / 45 | |
| 1.8.53 | 30 / 45 | |
| 1.8.52 | 30 / 45 | |
| 1.8.51 | 30 / 45 | |
| 1.8.50 | 30 / 45 | |
| 1.8.49 | 30 / 45 | |
| 1.8.48 | 30 / 45 | |
| 1.8.47 | 30 / 45 | |
| 1.8.46 | 30 / 45 | |
| 1.8.40 | 30 / 45 | |
| 1.8.27 | 30 / 41 | |
| 1.8.26 | 30 / 41 | |
| 1.8.23 | 30 / 41 | |
| 1.8.22 | 30 / 41 | |
| 1.8.21 | 30 / 41 | |
| 1.0.1092 | 31 / 42 | |
| 1.0.1091 | 31 / 42 | |
| 1.0.1090 | 31 / 42 | |
| 1.0.1089 | 31 / 42 | |
| 1.0.1088 | 31 / 42 | |
| 1.0.1087 | 31 / 42 | |
| 1.0.1086 | 31 / 42 | |
| 1.0.1085 | 31 / 42 | |
| 1.0.1065 | 30 / 38 | |
| 1.0.1009 | 29 / 37 | |
| 1.0.1008 | 29 / 37 | |
| 1.0.1007 | 29 / 37 | |
| 1.0.1006 | 29 / 37 | |
| 1.0.1005 | 29 / 37 | |
| 1.0.963 | 29 / 24 | |
| 1.0.961 | 29 / 24 | |
| 1.0.960 | 29 / 24 | |
| 1.0.959 | 29 / 24 | |
| 1.0.958 | 29 / 24 | |
v6.2.38
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.36
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.26
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.25
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.24
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.4
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.3.101
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ah-sc) than the most recent previously approved version (jinglin.tan) on 2026-06-10, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.3.100
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ah-sc) than the most recent previously approved version (jinglin.tan) on 2026-06-09, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.3.99
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (xiangfeng.xue) than the most recent previously approved version (zsj1037797769) on 2026-06-04, but xiangfeng.xue is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.3.98
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zsj1037797769) than the most recent previously approved version (jinglin.tan) on 2026-06-02, but zsj1037797769 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.3.97
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-06-02, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.3.96
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-05-28, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.3.93
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.91
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.90
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.89
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.74
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.69
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.131
3 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: zsj1037797769.
This version was published by a different npm account (zsj1037797769) than the most recent previously approved version (ah-sc) on 2026-06-08, but zsj1037797769 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v2.2.115
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ah-sc.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ah-sc) than the most recent previously approved version (zhiwei.wang) on 2025-11-06, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v2.2.114
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (xiangfeng.xue) than the most recent previously approved version (zsj1037797769) on 2025-11-04, but xiangfeng.xue is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v2.2.113
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.112
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.111
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.60
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (xiangfeng.xue) than the most recent previously approved version (ah-sc) on 2026-06-11, but xiangfeng.xue is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.8.59
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: xiangfeng.xue.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (xiangfeng.xue) than the most recent previously approved version (zsj1037797769) on 2026-05-29, but xiangfeng.xue is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.8.58
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ah-sc.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ah-sc) than the most recent previously approved version (zsj1037797769) on 2026-05-27, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.8.57
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-05-26, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.8.56
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: xiangfeng.xue.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (xiangfeng.xue) than the most recent previously approved version (zsj1037797769) on 2026-05-26, but xiangfeng.xue is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.8.55
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ah-sc.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ah-sc) than the most recent previously approved version (zsj1037797769) on 2026-05-26, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.8.54
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ah-sc.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ah-sc) than the most recent previously approved version (zsj1037797769) on 2026-05-26, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.8.53
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-05-25, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.8.52
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ah-sc.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ah-sc) than the most recent previously approved version (zsj1037797769) on 2026-05-25, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.8.51
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ah-sc.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ah-sc) than the most recent previously approved version (zsj1037797769) on 2026-05-23, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.8.50
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-05-22, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.8.49
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ah-sc.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ah-sc) than the most recent previously approved version (zsj1037797769) on 2026-05-22, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.8.48
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ah-sc.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ah-sc) than the most recent previously approved version (zsj1037797769) on 2026-05-22, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.8.47
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-05-21, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.8.46
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ah-sc.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ah-sc) than the most recent previously approved version (zsj1037797769) on 2026-05-21, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.8.40
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.27
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.26
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.23
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.22
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zsj1037797769) than the most recent previously approved version (jinglin.tan) on 2026-03-28, but zsj1037797769 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.8.21
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.1092
3 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-06-09, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.0.1091
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
v1.0.1090
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (zsj1037797769) on 2026-06-03, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.0.1089
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (ah-sc) on 2026-06-02, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.0.1088
6 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (ah-sc) on 2026-06-01, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.0.1087
6 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (jinglin.tan) than the most recent previously approved version (ah-sc) on 2026-06-01, but jinglin.tan is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.0.1086
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (wang_han) than the most recent previously approved version (zsj1037797769) on 2026-05-28, but wang_han is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.0.1085
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (wang_han) than the most recent previously approved version (zsj1037797769) on 2026-05-27, but wang_han is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.0.1065
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (yaoxiaojia) than the most recent previously approved version (zsj1037797769) on 2026-03-26, but yaoxiaojia is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.0.1009
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1008
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1007
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1006
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1005
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.963
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: zsj1037797769.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.961
4 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ah-sc.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ah-sc) than the most recent previously approved version (zhiwei.wang) on 2025-11-05, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.0.960
4 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: xiangfeng.xue.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (xiangfeng.xue) than the most recent previously approved version (zsj1037797769) on 2025-11-04, but xiangfeng.xue is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.