@platforma-open/milaboratories.top-antibodies.ui
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/assets/index-D5FdnebS.js | AI (source-diff): Network calls are Vite modulepreload fetch; no malicious exec pattern. | ai | |
| source-diff | obfuscated-file:dist/assets/index-D5FdnebS.js | AI (source-diff): Standard Vite minified bundle output; not obfuscation. | ai | |
| source-diff | net-exec-file:dist/assets/index-DIfsS3BR.js | AI (source-diff): fetch() calls are Vite modulepreload polyfill; benign browser UI pattern. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DIfsS3BR.js | AI (source-diff): Standard Vite-minified browser bundle; __vite__mapDeps pattern confirms build tool output. | ai | |
| source-diff | net-exec-file:dist/assets/index-CxSOEyIg.js | AI (source-diff): Network calls (fetch for modulepreload) and dynamic module loading are normal Vite browser bundle patterns for this UI package. | ai | |
| source-diff | obfuscated-file:dist/assets/index-CxSOEyIg.js | AI (source-diff): Standard Vite-minified browser bundle; minification is expected for this UI package across all versions. | ai | |
| source-diff | net-exec-file:dist/assets/index-DuUZ0kpK.js | AI (source-diff): Network calls are modulepreload fetch polyfill; no dropper behavior present. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DuUZ0kpK.js | AI (source-diff): Standard Vite-minified frontend bundle; minification is expected for this UI package. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BhPC1TWR.js | AI (source-diff): Standard Vite-minified browser entry point; content is recognizable Vue/platforma SDK code. | ai | |
| source-diff | net-exec-file:dist/assets/index-BhPC1TWR.js | AI (source-diff): Network calls are Vite modulepreload fetch(); no dropper pattern present. | ai | |
| source-diff | net-exec-file:dist/assets/index-Bmq0gf4i.js | AI (source-diff): Network calls (fetch for modulepreload) and dynamic imports are normal in Vite browser bundles for this package. | ai | |
| source-diff | obfuscated-file:dist/assets/index-Bmq0gf4i.js | AI (source-diff): Standard Vite-minified browser bundle; Vite __vite__mapDeps header confirms legitimate build output. | ai | |
| source-diff | obfuscated-file:dist/assets/index-ChXfHs_W.js | AI (source-diff): Standard Vite-minified browser bundle; not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/assets/index-ChXfHs_W.js | AI (source-diff): fetch() is Vite modulepreload polyfill; no malicious network+exec pattern. | ai | |
| source-diff | obfuscated-file:dist/assets/dist-BM_LpIEX.js | AI (source-diff): Standard Vite-minified browser bundle; not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/assets/dist-BM_LpIEX.js | AI (source-diff): fetch() is Vite modulepreload polyfill; no malicious network+exec pattern. | ai | |
| source-diff | net-exec-file:dist/assets/index-B7GNgG9G.js | AI (source-diff): Network calls are fetch() for modulepreload polyfill; no dynamic code execution beyond normal JS module loading. | ai | |
| source-diff | obfuscated-file:dist/assets/dist-UOUHKGkm.js | AI (source-diff): Standard Vite-minified browser bundle; minification is expected for this UI package. | ai | |
| source-diff | net-exec-file:dist/assets/dist-UOUHKGkm.js | AI (source-diff): Network calls are fetch() for modulepreload polyfill; no dynamic code execution beyond normal JS module loading. | ai | |
| source-diff | obfuscated-file:dist/assets/index-B7GNgG9G.js | AI (source-diff): Standard Vite-minified browser bundle; minification is expected for this UI package. | ai | |
| source-diff | net-exec-file:dist/assets/index-gSXQS8zk.js | AI (source-diff): Network calls (fetch for modulepreload) and dynamic imports are normal Vite browser bundle patterns for this UI package. | ai | |
| source-diff | obfuscated-file:dist/assets/index-gSXQS8zk.js | AI (source-diff): Standard Vite-minified browser bundle; long lines are expected minification output, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/assets/index-zPw0J5An.js | AI (source-diff): Network calls are Vite modulepreload fetch; no dynamic code execution beyond normal browser module loading. | ai | |
| source-diff | obfuscated-file:dist/assets/index-zPw0J5An.js | AI (source-diff): Vite-minified browser bundle; standard build output for this UI package across all versions. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BwXMkLl_.js | AI (source-diff): Vite-bundled browser UI asset; minification is expected for this package. | ai | |
| source-diff | net-exec-file:dist/assets/index-BwXMkLl_.js | AI (source-diff): fetch() in Vite bundle is standard modulepreload polyfill, not dropper behavior. | ai | |
| source-diff | net-exec-file:dist/assets/index-CW48cmvE.js | AI (source-diff): fetch() is Vite's modulepreload polyfill; no dropper behavior present. Stable false positive for this UI bundle package. | ai | |
| source-diff | obfuscated-file:dist/assets/index-CW48cmvE.js | AI (source-diff): Standard Vite-minified browser bundle; minification is expected for this UI package across all versions. | ai | |
| phantom-deps | phantom-dep:@milaboratories/graph-maker | AI (phantom-deps): Internal org package; phantom-dep heuristic unreliable for bundled UI packages. | ai | |
| phantom-deps | phantom-dep:@milaboratories/strings | AI (phantom-deps): Internal org package referenced in config; stable false positive for this monorepo package. | ai | |
| phantom-deps | phantom-dep:@types/lodash.debounce | AI (phantom-deps): Type-only package; not directly imported in source by design. | ai | |
| phantom-deps | phantom-dep:lodash.debounce | AI (phantom-deps): Utility loaded via framework convention; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:sass-embedded | AI (phantom-deps): Build-time CSS preprocessor; referenced in vite/build config, not imported directly in source. | ai | |
| phantom-deps | phantom-dep:@milaboratories/multi-sequence-alignment | AI (phantom-deps): Internal org package; phantom-dep heuristic unreliable for bundled UI packages. | ai |
Versions (showing 17 of 17)
| Version | Deps | Published |
|---|---|---|
| 4.2.0 | 10 / 7 | |
| 4.1.5 | 10 / 7 | |
| 4.1.3 | 10 / 7 | |
| 4.1.2 | 10 / 7 | |
| 4.1.1 | 10 / 7 | |
| 4.1.0 | 10 / 7 | |
| 4.0.3 | 10 / 7 | |
| 4.0.2 | 10 / 7 | |
| 4.0.1 | 10 / 7 | |
| 4.0.0 | 10 / 7 | |
| 3.0.7 | 10 / 7 | |
| 3.0.6 | 10 / 7 | |
| 3.0.5 | 10 / 7 | |
| 3.0.4 | 10 / 7 | |
| 3.0.2 | 10 / 7 | |
| 3.0.1 | 10 / 7 | |
| 3.0.0 | 10 / 7 |
v4.2.0
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.5
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.3
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.2
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.1
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.0
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.3
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.2
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.0
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.7
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.6
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.