@pisell/private-materials
Private materials used by the pisell frontend
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:es/components/booking/utils/confirmHolderModal.js | AI (source-diff): Standard Babel/regenerator compiled output; long-line minification is expected for this component library. | ai | |
| source-diff | obfuscated-file:es/components/pay/toB/store/hooks.js | AI (source-diff): Same Babel compiled pattern; not obfuscation, just minified build output. | ai | |
| source-diff | obfuscated-file:es/components/venueBooking/context.js | AI (source-diff): Standard Babel-transpiled React output; regenerator-runtime boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:es/components/venueBooking/hooks.js | AI (source-diff): Standard Babel-transpiled React output; regenerator-runtime boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:es/components/scanOrder/hooks.js | AI (source-diff): Standard Babel-transpiled React output; regenerator-runtime boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:es/components/venueBooking/components/VenueSelection/components/DateNavigator.js | AI (source-diff): Standard Babel-transpiled React output; regenerator-runtime boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:es/components/scanOrder/context.js | AI (source-diff): Standard Babel-transpiled React output; regenerator-runtime boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:es/components/eftpos/PairModal/index.js | AI (source-diff): Standard Babel-transpiled React output; regenerator-runtime boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:es/components/booking/info2/pet/index.js | AI (source-diff): Standard Babel-transpiled React output; regenerator-runtime boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:es/components/booking/info2/header/index.js | AI (source-diff): Standard Babel-transpiled React output; regenerator-runtime boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:es/components/booking/info2/clientVariant/vertical/index.js | AI (source-diff): Standard Babel-transpiled React output; regenerator-runtime boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:es/components/booking/info2/client/index.js | AI (source-diff): Standard Babel-transpiled React output; regenerator-runtime boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/pisellReservation/components/blockTimeModal/demo.js | AI (source-diff): Standard Babel transpile output with regenerator-runtime; not obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/salesSdk/hosts/BookingEditHostRenderer.js | AI (source-diff): Standard Babel/regenerator transpiled output; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:es/plus/salesSdk/utils/assignHolderToCartLine.js | AI (source-diff): Standard Babel/regenerator transpiled output; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:es/plus/salesSdk/utils/addProductWithFlowDebounced.js | AI (source-diff): Standard Babel/regenerator transpiled output; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:es/components/pay/toC/PaymentMethods/components/MiniProgramWaitingPaymentModal/3dsPayment.js | AI (source-diff): Standard Babel/regenerator-runtime transpiled output; consistent with this package's compiled React component library pattern. | ai | |
| source-diff | obfuscated-file:es/plus/pisellReservation/data/bookingCalendarMoveIntegration.js | AI (source-diff): Standard Babel/regenerator-runtime transpiled output; consistent with this package's compiled React component library pattern. | ai | |
| source-diff | obfuscated-file:es/plus/saleDetail/components/CartItems/index.js | AI (source-diff): Babel-transpiled output, not obfuscation; stable pattern for this component library. | ai | |
| source-diff | obfuscated-file:es/plus/salesSdk/demo/components/DemoTabDetail.js | AI (source-diff): Babel-transpiled output with standard helpers; not obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/saleDetail/components/SaleOverview/index.js | AI (source-diff): Babel-transpiled output with standard helpers; not obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/saleDetail/components/ButtonActions/index.js | AI (source-diff): Babel-transpiled output with standard helpers; not obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/salesSdk/demo/components/DemoStepRunner.js | AI (source-diff): Babel-transpiled output with standard helpers; not obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/salesSdk/utils/buildDefaultLoadProductsParams.js | AI (source-diff): Babel-transpiled output with regenerator-runtime helpers, not obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/salesSdk/bookingEditService/BookingEditServiceDrawer.js | AI (source-diff): Babel-transpiled output with regenerator-runtime helpers, not obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/salesSdk/demo/components/buildSteps.js | AI (source-diff): Babel-transpiled output with standard helpers, not obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/salesSdk/demo/components/CartPanel.js | AI (source-diff): Babel-transpiled output with regenerator-runtime helpers, not obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/saasDevice/devicePlanning/components/AddDeviceModal/index.js | AI (source-diff): Standard Babel-compiled React component output; not intentional obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/saasDevice/deviceProfile/serve.js | AI (source-diff): Standard Babel-compiled output consistent with rest of package build pipeline. | ai | |
| source-diff | obfuscated-file:es/plus/saasDevice/devicePlanning/serve.js | AI (source-diff): Standard Babel-compiled output consistent with rest of package build pipeline. | ai | |
| source-diff | obfuscated-file:lib/plus/saasDevice/devicePlanning/components/DeviceDetailDrawer/index.js | AI (source-diff): Standard esbuild CJS bundle output with clear source comments; not intentional obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/saasDevice/deviceProfile/index.js | AI (source-diff): Standard Babel-compiled React component output; not intentional obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/saasDevice/deviceProfile/components/ProfileSetting/index.js | AI (source-diff): Standard Babel-compiled React component output; not intentional obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/saasDevice/deviceProfile/components/CreateProfileModal/index.js | AI (source-diff): Standard Babel-compiled React component output; not intentional obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/saasDevice/devicePlanning/index.js | AI (source-diff): Standard Babel-compiled React component output; not intentional obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/saasDevice/devicePlanning/components/WorkAreaModal/index.js | AI (source-diff): Standard Babel-compiled React component output; not intentional obfuscation. | ai | |
| source-diff | obfuscated-file:es/plus/saasDevice/devicePlanning/components/EditDeviceModal/index.js | AI (source-diff): Standard Babel-compiled React component output; not intentional obfuscation. | ai | |
| source-diff | obfuscated-file:es/components/pay/toC/PaymentMethods/StripePay/Stripe/StripeSDK/DynamicSDK.js | AI (source-diff): Standard Babel-transpiled output for Stripe SDK loader; minified helpers are expected build artifacts, not obfuscation. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): react-zoom-pan-pinch is a legitimate, widely-used React library; no risk signal. | ai | |
| phantom-deps | phantom-dep:react-zoom-pan-pinch | AI (phantom-deps): Declared as runtime dep; phantom-dep heuristic fires on config-only references, stable FP for this package. | ai | |
| provenance | missing-githead | AI (provenance): High-volume package with frequent releases; missing gitHead reflects CI change, not malicious intent. | ai | |
| phantom-deps | phantom-dep:@dnd-kit/core | AI (phantom-deps): Declared dependency used via re-exports; stable pattern for this component library. | ai | |
| phantom-deps | phantom-dep:@pisell/date-picker | AI (phantom-deps): Monorepo internal dependency; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@dnd-kit/utilities | AI (phantom-deps): Declared dependency used via re-exports; stable pattern for this component library. | ai | |
| phantom-deps | phantom-dep:@dnd-kit/sortable | AI (phantom-deps): Declared dependency used via re-exports; stable pattern for this component library. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Used in a rule/expression evaluator with comment noting it replaces eval; not exfiltration. | ai | |
| phantom-deps | phantom-dep:styled-components | AI (phantom-deps): Declared runtime dep in a component library; likely re-exported or used indirectly. | ai | |
| phantom-deps | phantom-dep:react-infinite-scroll-component | AI (phantom-deps): Declared runtime dep in a component library; likely re-exported or used indirectly. | ai | |
| phantom-deps | phantom-dep:@dnd-kit/modifiers | AI (phantom-deps): Declared runtime dep in a component library; likely re-exported or used indirectly. | ai | |
| phantom-deps | phantom-dep:rc-virtual-list | AI (phantom-deps): Declared runtime dep in a component library; likely re-exported or used indirectly. | ai | |
| phantom-deps | phantom-dep:react-resizable | AI (phantom-deps): Declared runtime dep in a component library; likely re-exported or used indirectly. | ai |
Versions (showing 100 of 318)
| Version | Deps | Published |
|---|---|---|
| 6.3.4 | 18 / 22 | |
| 6.3.3 | 18 / 22 | |
| 6.3.2 | 18 / 22 | |
| 6.3.1 | 18 / 22 | |
| 6.2.51 | 18 / 22 | |
| 6.2.50 | 18 / 22 | |
| 6.2.49 | 18 / 22 | |
| 6.2.48 | 18 / 22 | |
| 6.2.47 | 18 / 22 | |
| 6.2.46 | 18 / 22 | |
| 6.2.45 | 18 / 22 | |
| 6.2.44 | 18 / 22 | |
| 6.2.42 | 18 / 22 | |
| 6.2.41 | 18 / 22 | |
| 6.2.40 | 18 / 22 | |
| 6.2.39 | 18 / 22 | |
| 6.2.38 | 18 / 22 | |
| 6.2.37 | 18 / 22 | |
| 6.2.36 | 18 / 22 | |
| 6.2.35 | 18 / 22 | |
| 6.2.34 | 18 / 22 | |
| 6.2.33 | 18 / 22 | |
| 6.2.32 | 18 / 22 | |
| 6.2.31 | 18 / 22 | |
| 6.2.30 | 18 / 22 | |
| 6.2.29 | 18 / 22 | |
| 6.2.28 | 18 / 22 | |
| 6.2.27 | 18 / 22 | |
| 6.2.26 | 18 / 22 | |
| 6.2.25 | 18 / 22 | |
| 6.2.24 | 18 / 22 | |
| 6.2.23 | 18 / 22 | |
| 6.2.22 | 18 / 22 | |
| 6.2.21 | 18 / 22 | |
| 6.2.20 | 18 / 22 | |
| 6.2.19 | 18 / 22 | |
| 6.2.18 | 18 / 22 | |
| 6.2.17 | 18 / 22 | |
| 6.2.16 | 18 / 22 | |
| 6.2.15 | 18 / 22 | |
| 6.2.14 | 18 / 22 | |
| 6.2.13 | 18 / 22 | |
| 6.2.12 | 18 / 22 | |
| 6.2.11 | 18 / 22 | |
| 6.2.10 | 18 / 22 | |
| 6.2.9 | 18 / 22 | |
| 6.2.8 | 18 / 22 | |
| 6.2.7 | 18 / 22 | |
| 6.2.6 | 18 / 22 | |
| 6.2.5 | 18 / 22 | |
| 6.2.4 | 18 / 22 | |
| 6.2.3 | 18 / 22 | |
| 6.2.2 | 18 / 22 | |
| 6.2.1 | 18 / 22 | |
| 6.1.37 | 18 / 22 | |
| 6.1.36 | 18 / 22 | |
| 6.1.35 | 18 / 22 | |
| 6.1.34 | 18 / 22 | |
| 6.1.33 | 18 / 22 | |
| 6.1.32 | 18 / 22 | |
| 6.1.31 | 18 / 22 | |
| 6.1.30 | 18 / 22 | |
| 6.1.29 | 18 / 22 | |
| 6.1.28 | 18 / 22 | |
| 6.1.27 | 18 / 22 | |
| 6.1.26 | 18 / 22 | |
| 6.1.25 | 18 / 22 | |
| 6.1.24 | 18 / 22 | |
| 6.1.23 | 18 / 22 | |
| 6.1.22 | 18 / 22 | |
| 6.1.21 | 18 / 22 | |
| 6.1.20 | 18 / 22 | |
| 6.1.19 | 18 / 22 | |
| 6.1.18 | 18 / 22 | |
| 6.1.17 | 18 / 22 | |
| 6.1.16 | 18 / 22 | |
| 6.1.15 | 18 / 22 | |
| 6.1.14 | 18 / 22 | |
| 6.1.13 | 18 / 22 | |
| 6.1.12 | 18 / 22 | |
| 6.1.11 | 18 / 22 | |
| 6.1.10 | 18 / 22 | |
| 6.1.9 | 18 / 22 | |
| 6.1.8 | 18 / 22 | |
| 6.1.7 | 18 / 22 | |
| 6.1.6 | 18 / 22 | |
| 6.1.5 | 18 / 22 | |
| 6.1.4 | 18 / 22 | |
| 6.1.3 | 18 / 22 | |
| 6.1.2 | 18 / 22 | |
| 6.1.1 | 18 / 22 | |
| 3.4.112 | 21 / 37 | |
| 3.4.110 | 21 / 37 | |
| 3.4.102 | 20 / 37 | |
| 3.4.100 | 20 / 37 | |
| 3.4.96 | 20 / 37 | |
| 2.0.547 | 21 / 37 | |
| 1.8.189 | 20 / 28 | |
| 1.8.188 | 20 / 28 | |
| 1.8.187 | 20 / 28 |
v6.3.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.3.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.3.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.3.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.51
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.50
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.49
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.48
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.47
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.46
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.45
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.44
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.42
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.41
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.40
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.39
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.38
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.37
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.36
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.35
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.34
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.33
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.32
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.31
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.30
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.29
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.28
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.27
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.26
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.25
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.24
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.23
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.22
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.21
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.20
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.19
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.18
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.17
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.16
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.15
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.14
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.13
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.12
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.11
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.10
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.9
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.37
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.36
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.35
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.34
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.33
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.32
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.31
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.30
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.29
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.28
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.27
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.26
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.25
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.24
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.23
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.22
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.21
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.20
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.19
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.18
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.17
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.16
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.15
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.14
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.13
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.12
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.11
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.10
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.9
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.4.112
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ah-sc) than the most recent previously approved version (jinglin.tan) on 2026-06-09, but ah-sc is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.4.110
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (xiangfeng.xue) than the most recent previously approved version (jinglin.tan) on 2026-06-04, but xiangfeng.xue is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.4.102
13 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
This version was published by a different npm account than previous versions on 2026-05-12. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.100
13 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jinglin.tan.
This version was published by a different npm account than previous versions on 2026-05-07. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.96
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: zsj1037797769.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.547
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zsj1037797769) than the most recent previously approved version (jinglin.tan) on 2026-06-08, but zsj1037797769 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.8.189
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: xiangfeng.xue.
This version was published by a different npm account (xiangfeng.xue) than the most recent previously approved version (jinglin.tan) on 2026-06-11, but xiangfeng.xue is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.8.188
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: xiangfeng.xue.
This version was published by a different npm account (xiangfeng.xue) than the most recent previously approved version (jinglin.tan) on 2026-06-11, but xiangfeng.xue is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.8.187
8 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: xiangfeng.xue.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (xiangfeng.xue) than the most recent previously approved version (jinglin.tan) on 2026-05-29, but xiangfeng.xue is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.