@pisell/private-materials
Private materials used by the pisell frontend
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:es/components/booking/utils/confirmHolderModal.js | AI (source-diff): Standard Babel/regenerator compiled output; long-line minification is expected for this component library. | ai | |
| source-diff | obfuscated-file:es/components/pay/toB/store/hooks.js | AI (source-diff): Same Babel compiled pattern; not obfuscation, just minified build output. | ai | |
| source-diff | obfuscated-file:es/components/venueBooking/context.js | AI (source-diff): Standard Babel-transpiled React output; regenerator-runtime boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:es/components/venueBooking/hooks.js | AI (source-diff): Standard Babel-transpiled React output; regenerator-runtime boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:es/components/scanOrder/hooks.js | AI (source-diff): Standard Babel-transpiled React output; regenerator-runtime boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:es/components/venueBooking/components/VenueSelection/components/DateNavigator.js | AI (source-diff): Standard Babel-transpiled React output; regenerator-runtime boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:es/components/scanOrder/context.js | AI (source-diff): Standard Babel-transpiled React output; regenerator-runtime boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:es/components/eftpos/PairModal/index.js | AI (source-diff): Standard Babel-transpiled React output; regenerator-runtime boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:es/components/booking/info2/pet/index.js | AI (source-diff): Standard Babel-transpiled React output; regenerator-runtime boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:es/components/booking/info2/header/index.js | AI (source-diff): Standard Babel-transpiled React output; regenerator-runtime boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:es/components/booking/info2/clientVariant/vertical/index.js | AI (source-diff): Standard Babel-transpiled React output; regenerator-runtime boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:es/components/booking/info2/client/index.js | AI (source-diff): Standard Babel-transpiled React output; regenerator-runtime boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/pisellReservation/components/blockTimeModal/demo.js | AI (source-diff): Standard Babel transpile output with regenerator-runtime; not obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/salesSdk/hosts/BookingEditHostRenderer.js | AI (source-diff): Standard Babel/regenerator transpiled output; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:es/plus/salesSdk/utils/assignHolderToCartLine.js | AI (source-diff): Standard Babel/regenerator transpiled output; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:es/plus/salesSdk/utils/addProductWithFlowDebounced.js | AI (source-diff): Standard Babel/regenerator transpiled output; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:es/components/pay/toC/PaymentMethods/components/MiniProgramWaitingPaymentModal/3dsPayment.js | AI (source-diff): Standard Babel/regenerator-runtime transpiled output; consistent with this package's compiled React component library pattern. | ai | |
| source-diff | obfuscated-file:es/plus/pisellReservation/data/bookingCalendarMoveIntegration.js | AI (source-diff): Standard Babel/regenerator-runtime transpiled output; consistent with this package's compiled React component library pattern. | ai | |
| source-diff | obfuscated-file:es/plus/saleDetail/components/CartItems/index.js | AI (source-diff): Babel-transpiled output, not obfuscation; stable pattern for this component library. | ai | |
| source-diff | obfuscated-file:es/plus/salesSdk/demo/components/DemoTabDetail.js | AI (source-diff): Babel-transpiled output with standard helpers; not obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/saleDetail/components/SaleOverview/index.js | AI (source-diff): Babel-transpiled output with standard helpers; not obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/saleDetail/components/ButtonActions/index.js | AI (source-diff): Babel-transpiled output with standard helpers; not obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/salesSdk/demo/components/DemoStepRunner.js | AI (source-diff): Babel-transpiled output with standard helpers; not obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/salesSdk/utils/buildDefaultLoadProductsParams.js | AI (source-diff): Babel-transpiled output with regenerator-runtime helpers, not obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/salesSdk/bookingEditService/BookingEditServiceDrawer.js | AI (source-diff): Babel-transpiled output with regenerator-runtime helpers, not obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/salesSdk/demo/components/buildSteps.js | AI (source-diff): Babel-transpiled output with standard helpers, not obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/salesSdk/demo/components/CartPanel.js | AI (source-diff): Babel-transpiled output with regenerator-runtime helpers, not obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/saasDevice/devicePlanning/components/AddDeviceModal/index.js | AI (source-diff): Standard Babel-compiled React component output; not intentional obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/saasDevice/deviceProfile/serve.js | AI (source-diff): Standard Babel-compiled output consistent with rest of package build pipeline. | ai | |
| source-diff | obfuscated-file:es/plus/saasDevice/devicePlanning/serve.js | AI (source-diff): Standard Babel-compiled output consistent with rest of package build pipeline. | ai | |
| source-diff | obfuscated-file:lib/plus/saasDevice/devicePlanning/components/DeviceDetailDrawer/index.js | AI (source-diff): Standard esbuild CJS bundle output with clear source comments; not intentional obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/saasDevice/deviceProfile/index.js | AI (source-diff): Standard Babel-compiled React component output; not intentional obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/saasDevice/deviceProfile/components/ProfileSetting/index.js | AI (source-diff): Standard Babel-compiled React component output; not intentional obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/saasDevice/deviceProfile/components/CreateProfileModal/index.js | AI (source-diff): Standard Babel-compiled React component output; not intentional obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/saasDevice/devicePlanning/index.js | AI (source-diff): Standard Babel-compiled React component output; not intentional obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/saasDevice/devicePlanning/components/WorkAreaModal/index.js | AI (source-diff): Standard Babel-compiled React component output; not intentional obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/saasDevice/devicePlanning/components/EditDeviceModal/index.js | AI (source-diff): Standard Babel-compiled React component output; not intentional obfuscation. | ai | |
| source-diff | obfuscated-file:es/components/pay/toC/PaymentMethods/StripePay/Stripe/StripeSDK/DynamicSDK.js | AI (source-diff): Standard Babel-transpiled output for Stripe SDK loader; minified helpers are expected build artifacts, not obfuscation. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): react-zoom-pan-pinch is a legitimate, widely-used React library; no risk signal. | ai | |
| phantom-deps | phantom-dep:react-zoom-pan-pinch | AI (phantom-deps): Declared as runtime dep; phantom-dep heuristic fires on config-only references, stable FP for this package. | ai | |
| provenance | missing-githead | AI (provenance): High-volume package with frequent releases; missing gitHead reflects CI change, not malicious intent. | ai | |
| phantom-deps | phantom-dep:@dnd-kit/core | AI (phantom-deps): Declared dependency used via re-exports; stable pattern for this component library. | ai | |
| phantom-deps | phantom-dep:@pisell/date-picker | AI (phantom-deps): Monorepo internal dependency; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@dnd-kit/utilities | AI (phantom-deps): Declared dependency used via re-exports; stable pattern for this component library. | ai | |
| phantom-deps | phantom-dep:@dnd-kit/sortable | AI (phantom-deps): Declared dependency used via re-exports; stable pattern for this component library. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Used in a rule/expression evaluator with comment noting it replaces eval; not exfiltration. | ai | |
| phantom-deps | phantom-dep:styled-components | AI (phantom-deps): Declared runtime dep in a component library; likely re-exported or used indirectly. | ai | |
| phantom-deps | phantom-dep:react-infinite-scroll-component | AI (phantom-deps): Declared runtime dep in a component library; likely re-exported or used indirectly. | ai | |
| phantom-deps | phantom-dep:@dnd-kit/modifiers | AI (phantom-deps): Declared runtime dep in a component library; likely re-exported or used indirectly. | ai | |
| phantom-deps | phantom-dep:rc-virtual-list | AI (phantom-deps): Declared runtime dep in a component library; likely re-exported or used indirectly. | ai | |
| phantom-deps | phantom-dep:react-resizable | AI (phantom-deps): Declared runtime dep in a component library; likely re-exported or used indirectly. | ai |
Versions (showing 51 of 327)
| Version | Deps | Published |
|---|---|---|
| 1.8.186 | 20 / 28 | |
| 1.8.184 | 20 / 28 | |
| 1.8.183 | 20 / 28 | |
| 1.8.181 | 20 / 28 | |
| 1.8.180 | 20 / 28 | |
| 1.8.179 | 20 / 28 | |
| 1.8.177 | 20 / 35 | |
| 1.8.176 | 20 / 35 | |
| 1.8.175 | 20 / 35 | |
| 1.8.174 | 20 / 35 | |
| 1.8.170 | 20 / 35 | |
| 1.8.169 | 20 / 35 | |
| 1.8.168 | 20 / 35 | |
| 1.8.166 | 20 / 35 | |
| 1.1.2314 | 21 / 37 | |
| 1.1.2313 | 21 / 37 | |
| 1.1.2312 | 21 / 37 | |
| 1.1.2311 | 21 / 37 | |
| 1.1.2309 | 21 / 37 | |
| 1.1.2307 | 21 / 37 | |
| 1.1.2305 | 21 / 37 | |
| 1.1.2303 | 21 / 37 | |
| 1.1.2296 | 21 / 37 | |
| 1.1.2295 | 21 / 37 | |
| 1.1.2294 | 21 / 37 | |
| 1.1.2293 | 21 / 37 | |
| 1.1.2292 | 21 / 37 | |
| 1.1.2291 | 21 / 37 | |
| 1.1.2289 | 21 / 37 | |
| 1.1.2288 | 21 / 37 | |
| 1.1.2287 | 21 / 37 | |
| 1.1.2286 | 21 / 37 | |
| 1.1.2285 | 21 / 37 | |
| 1.1.2284 | 21 / 37 | |
| 1.1.2283 | 21 / 37 | |
| 1.1.2282 | 21 / 37 | |
| 1.1.2281 | 21 / 37 | |
| 1.1.2280 | 21 / 37 | |
| 1.1.2272 | 20 / 37 | |
| 1.1.2269 | 20 / 37 | |
| 1.1.2264 | 20 / 37 | |
| 1.1.2263 | 20 / 37 | |
| 1.1.2252 | 20 / 37 | |
| 1.1.2242 | 20 / 37 | |
| 1.1.2241 | 20 / 37 | |
| 1.1.2239 | 20 / 37 | |
| 1.1.2237 | 20 / 37 | |
| 1.1.2226 | 20 / 37 | |
| 1.1.2225 | 20 / 37 | |
| 1.1.2219 | 20 / 37 | |
| 1.1.2091 | 20 / 37 |
v1.8.186
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ah-sc.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ah-sc) than the most recent previously approved version (jinglin.tan) on 2026-05-27, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.8.184
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: xiangfeng.xue.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (xiangfeng.xue) than the most recent previously approved version (jinglin.tan) on 2026-05-26, but xiangfeng.xue is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.8.183
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: xiangfeng.xue.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (xiangfeng.xue) than the most recent previously approved version (jinglin.tan) on 2026-05-26, but xiangfeng.xue is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.8.181
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: xiangfeng.xue.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (xiangfeng.xue) than the most recent previously approved version (jinglin.tan) on 2026-05-26, but xiangfeng.xue is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.8.180
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ah-sc.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ah-sc) than the most recent previously approved version (jinglin.tan) on 2026-05-26, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.8.179
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ah-sc.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ah-sc) than the most recent previously approved version (jinglin.tan) on 2026-05-26, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.8.177
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ah-sc.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ah-sc) than the most recent previously approved version (jinglin.tan) on 2026-05-25, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.8.176
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ah-sc.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ah-sc) than the most recent previously approved version (jinglin.tan) on 2026-05-24, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.8.175
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ah-sc.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ah-sc) than the most recent previously approved version (jinglin.tan) on 2026-05-24, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.8.174
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ah-sc.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ah-sc) than the most recent previously approved version (jinglin.tan) on 2026-05-23, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.8.170
6 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.169
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ah-sc.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ah-sc) than the most recent previously approved version (jinglin.tan) on 2026-05-22, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.8.168
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ah-sc.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ah-sc) than the most recent previously approved version (jinglin.tan) on 2026-05-22, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.8.166
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ah-sc.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ah-sc) than the most recent previously approved version (jinglin.tan) on 2026-05-21, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.1.2314
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
v1.1.2313
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
v1.1.2312
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2311
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2309
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
v1.1.2307
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
v1.1.2305
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
v1.1.2303
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
v1.1.2296
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2295
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: wang_han.
v1.1.2294
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: wang_han.
v1.1.2293
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: wang_han.
This version was published by a different npm account (wang_han) than the most recent previously approved version (jinglin.tan) on 2026-06-12, but wang_han is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.1.2292
7 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
v1.1.2291
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2289
7 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2288
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2287
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2286
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2285
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2284
7 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2283
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2282
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2281
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2280
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2272
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2269
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2264
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2263
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2252
12 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2242
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2241
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2239
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2237
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2226
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.2225
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.2219
5 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
This version was published by a different npm account than previous versions on 2026-05-08. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.