@platejs/core
The core of Plate – a plugin system for slate
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/index-DI914-MZ.d.ts | AI (source-diff): Bundled .d.ts with long type lines; standard for this package's build output. | ai | |
| source-diff | obfuscated-file:dist/index-CzeldSJ_.d.ts | AI (source-diff): Bundled .d.ts type declaration file with long lines; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/index-BKWxgNDY.d.ts | AI (source-diff): Bundled .d.ts type declarations with long lines; not obfuscation. Stable for this package. | ai | |
| source-diff | obfuscated-file:dist/index-nqM93PaB.d.ts | AI (source-diff): This is a bundled TypeScript declaration (.d.ts) file with long type lines — a normal artifact of dts-bundle tools. Content is clearly readable type declarations, not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/index-Tdbf0brw.d.ts | AI (source-diff): This is a bundled TypeScript declaration file (.d.ts) with long lines from concatenated type definitions — a known artifact of bundled type generation tools. Not executable code, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/index-DQNhrsYY.d.ts | AI (source-diff): This is a bundled TypeScript declaration file (.d.ts) generated by rollup/build tooling. Long lines are concatenated type declarations, not obfuscated executable code. Pattern is stable for this build system. | ai | |
| source-diff | obfuscated-file:dist/index-Cyaepq17.d.ts | AI (source-diff): The file is a bundled TypeScript declaration file (.d.ts) with long lines due to concatenated type exports — a standard bundler output pattern. Content is fully readable type definitions, not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/index-fWbbXP_V.d.ts | AI (source-diff): This is a bundled TypeScript declaration (.d.ts) file with long lines from concatenated type definitions — standard build output for a TypeScript library, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/index-C_dX5pVW.d.ts | AI (source-diff): This is a bundled TypeScript declaration file (.d.ts) with long lines from concatenated type exports — standard output from modern bundlers (Rollup/tsup). No executable code, no obfuscation. | ai | |
| source-diff | obfuscated-file:dist/index-BIE0v10I.d.ts | AI (source-diff): Bundled TypeScript declaration file with long lines from concatenated type definitions — standard tsup/Rollup .d.ts bundle output, not obfuscated executable code. Stable false positive for this package's build tooling. | ai | |
| source-diff | obfuscated-file:dist/index-DbJkM3Px.d.ts | AI (source-diff): This is a bundled TypeScript declaration file (.d.ts) with long lines from concatenated type definitions — a normal build artifact for this library, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/index-FYulEVBw.d.ts | AI (source-diff): This is a bundled TypeScript declaration (.d.ts) file. Long lines are a known artifact of declaration bundlers (e.g. rollup-plugin-dts). Content is readable type declarations, not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/index-BscfkX3S.d.ts | AI (source-diff): The flagged file is a bundled TypeScript declaration (.d.ts) file with long lines from concatenated type definitions — not executable code. This is a standard artifact of rollup-based type bundling for this package. | ai | |
| dependencies | unvetted-dep:@udecode/react-hotkeys | AI (dependencies): Same-org hotkeys package from udecode/plate monorepo; legitimate internal dependency. | ai | |
| phantom-deps | phantom-dep:zustand | AI (phantom-deps): Common monorepo pattern; zustand is re-exported or used transitively, not a security concern. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): @platejs/core is a scoped package for the Plate rich-text editor framework; the name derives from 'Plate JS', not from 'cors'. No impersonation risk. | ai | |
| phantom-deps | phantom-dep:slate-dom | AI (phantom-deps): Common monorepo pattern; slate-dom is referenced in config/type files, not a security concern. | ai | |
| phantom-deps | phantom-dep:optics-ts | AI (phantom-deps): Common monorepo pattern; optics-ts is referenced in config/type files, not a security concern. | ai | |
| dependencies | unvetted-dep:slate | AI (dependencies): slate is the foundational editor primitive this package is built on; a core, legitimate dependency. | ai | |
| dependencies | unvetted-dep:slate-react | AI (dependencies): slate-react is the official React binding for Slate; a core, legitimate dependency. | ai | |
| dependencies | unvetted-dep:slate-dom | AI (dependencies): slate-dom is part of the Slate ecosystem; a core, legitimate dependency. | ai | |
| dependencies | unvetted-dep:jotai-x | AI (dependencies): jotai-x is a well-known jotai extension; legitimate state management dependency. | ai | |
| dependencies | unvetted-dep:jotai-optics | AI (dependencies): jotai-optics is a standard jotai integration package; legitimate dependency. | ai | |
| dependencies | unvetted-dep:optics-ts | AI (dependencies): optics-ts is an established TypeScript optics library; legitimate dependency. | ai | |
| dependencies | unvetted-dep:zustand-x | AI (dependencies): zustand-x is a zustand extension; legitimate state management dependency. | ai | |
| dependencies | unvetted-dep:is-hotkey | AI (dependencies): is-hotkey is a well-known keyboard shortcut utility; legitimate dependency. | ai | |
| dependencies | unvetted-dep:use-deep-compare | AI (dependencies): use-deep-compare is a well-known React hook utility; legitimate dependency. | ai | |
| dependencies | unvetted-dep:@platejs/slate | AI (dependencies): Same-org monorepo package; legitimate internal dependency. | ai | |
| dependencies | unvetted-dep:@udecode/utils | AI (dependencies): Same-org utility package from udecode/plate monorepo; legitimate internal dependency. | ai | |
| dependencies | unvetted-dep:@udecode/react-utils | AI (dependencies): Same-org utility package from udecode/plate monorepo; legitimate internal dependency. | ai |
Versions (showing 21 of 21)
| Version | Deps | Published |
|---|---|---|
| 53.0.7 | 21 / 2 | |
| 53.0.6 | 21 / 2 | |
| 53.0.5 | 21 / 2 | |
| 53.0.0 | 21 / 2 | |
| 52.3.21 | 21 / 2 | |
| 52.3.16 | 21 / 2 | |
| 52.3.15 | 21 / 2 | |
| 52.3.13 | 21 / 2 | |
| 52.3.12 | 21 / 2 | |
| 52.3.9 | 21 / 2 | |
| 52.3.4 | 21 / 2 | |
| 52.3.3 | 21 / 11 | |
| 52.0.17 | 21 / 0 | |
| 52.0.15 | 21 / 0 | |
| 52.0.11 | 21 / 0 | |
| 52.0.10 | 20 / 0 | |
| 52.0.8 | 20 / 0 | |
| 52.0.1 | 20 / 0 | |
| 52.0.0 | 20 / 0 | |
| 51.1.3 | 20 / 0 | |
| 51.1.2 | 20 / 0 |
v53.0.7
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v53.0.6
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v53.0.5
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v53.0.0
2 findingsPackage name '@platejs/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v52.3.21
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v52.3.16
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v52.3.15
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v52.3.13
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v52.3.12
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v52.3.9
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v52.3.4
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v52.3.3
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v52.0.17
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v52.0.15
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v52.0.11
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v52.0.10
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v52.0.8
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v52.0.1
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v52.0.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v51.1.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v51.1.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.