@public-ui/sample-react
This app contains samples for the KoliBri/Public UI
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/assets/align-floating-elements-D5XJiLiU-zXZxDQ14.js | AI (source-diff): Standard Vite minified bundle output for floating-UI library; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/FormFieldStateWrapper-BWTMRKXT-DNdrT_ZG.js | AI (source-diff): Standard Vite minified bundle output for form field wrapper; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-button-wc.entry-cavthZ0Z.js | AI (source-diff): Standard Vite minified Stencil web component entry; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/controller-icon-DekcIBGR-BHarHQMH.js | AI (source-diff): Standard Vite minified bundle output for icon controller; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/controller-Bdve6A-Q-DJXtKO7s.js | AI (source-diff): Standard Vite minified bundle output for tooltip controller; not obfuscation. | ai | |
| phantom-deps | phantom-dep:@types/papaparse | AI (phantom-deps): Type-only dev dependency; not imported at runtime, stable false positive. | ai | |
| source-diff | obfuscated-file:dist/assets/index-CDOqc3fS.js | AI (source-diff): Standard Vite minified main bundle with Stencil lazy-loading map; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/component-DvjvBJeK-CF3_1Sjt.js | AI (source-diff): Standard Vite minified bundle output for React component library; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/associated.controller-Bagx9pCw-DqWM3RXz.js | AI (source-diff): Standard Vite minified bundle output for Stencil form controller; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/associated.controller-CdEaJGVD-TA6bP8eb.js | AI (source-diff): Standard Vite/Rollup minified build output; legitimate KoliBri component controller code. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-button-wc.entry-BktVXLSJ.js | AI (source-diff): Standard Vite/Rollup minified Stencil web component entry; legitimate KoliBri button component. | ai | |
| source-diff | obfuscated-file:dist/assets/index-CgT6z77k.js | AI (source-diff): Standard Vite/Rollup minified bundle entry; content matches expected @public-ui/components asset manifest. | ai | |
| source-diff | obfuscated-file:dist/assets/FormFieldStateWrapper--EBKaIYU-DToVDDsp.js | AI (source-diff): Standard Vite/Rollup minified build output; legitimate KoliBri form field wrapper code. | ai | |
| source-diff | obfuscated-file:dist/assets/controller-icon-By1Ikt1k-B3OuTJ6q.js | AI (source-diff): Standard Vite/Rollup minified build output; legitimate KoliBri icon controller code. | ai | |
| source-diff | obfuscated-file:dist/assets/align-floating-elements-DGbaInbL-BnpP2JDq.js | AI (source-diff): Standard Vite/Rollup minified build output for a React sample app; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/associated.controller-BZSp_RI6-Bvylzw8k.js | AI (source-diff): Standard Vite minified bundle output; readable form-association logic. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-button-wc.entry-D6tUCK1u.js | AI (source-diff): Standard Vite minified bundle; button web component logic. | ai | |
| source-diff | obfuscated-file:dist/assets/index-CquGSiSx.js | AI (source-diff): Standard Vite entry bundle listing component chunk paths; no malicious content. | ai | |
| source-diff | obfuscated-file:dist/assets/FormFieldStateWrapper-B9JItGbM-1VJFO30x.js | AI (source-diff): Standard Vite minified bundle; form field state wrapper logic. | ai | |
| source-diff | obfuscated-file:dist/assets/controller-icon-CXI3RZIW-Dq_jN5nA.js | AI (source-diff): Standard Vite minified bundle; UI icon controller logic. | ai | |
| source-diff | obfuscated-file:dist/assets/color-DZ0Ata5E-DUPK6eml.js | AI (source-diff): Standard Vite minified bundle; color utility logic, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/assets/align-floating-elements-Iw9vSPIz-CrBzavmT.js | AI (source-diff): Standard Vite minified bundle output for a UI component library; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-avatar.entry-D6-gitDM.js | AI (source-diff): Minified KoliBri avatar component; benign. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-card.entry-D53dab-y.js | AI (source-diff): Minified KoliBri card component; benign. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-button.entry-BFTTSAi0.js | AI (source-diff): Minified KoliBri button component; benign. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-button-wc.entry-B0MZ9axG.js | AI (source-diff): Minified KoliBri button-wc component; benign. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-button-link.entry-CfqAyUBv.js | AI (source-diff): Minified KoliBri button-link component; benign. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-breadcrumb.entry-Dm7LdhUK.js | AI (source-diff): Minified KoliBri breadcrumb component; benign. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-badge.entry-BwIYad7r.js | AI (source-diff): Minified KoliBri badge component; benign. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-alert.entry-Dss1fjZh.js | AI (source-diff): Minified KoliBri alert component; benign. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-accordion.entry-B3q3Iy0c.js | AI (source-diff): Minified KoliBri accordion component; benign. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-abbr.entry-BbgWOVw7.js | AI (source-diff): Minified KoliBri component entry; CSS and component logic only. | ai | |
| source-diff | obfuscated-file:dist/assets/index-hDzmycZM.js | AI (source-diff): Main Vite bundle entry; standard minified output for this UI library. | ai | |
| source-diff | obfuscated-file:dist/assets/FormFieldStateWrapper-BD6_Aq_y-Bt2PU-LJ.js | AI (source-diff): Minified form field wrapper; benign component logic. | ai | |
| source-diff | obfuscated-file:dist/assets/controller-icon-z0j8meAS-C-joMNrP.js | AI (source-diff): Minified icon controller; standard UI component code. | ai | |
| source-diff | obfuscated-file:dist/assets/color-BOIEtqEM-CeIOGeuA.js | AI (source-diff): Minified color utility code; no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/assets/associated.controller-B9GDDaFL-C06Z5T1A.js | AI (source-diff): Minified KoliBri form controller code; benign component logic. | ai | |
| source-diff | obfuscated-file:dist/assets/align-floating-elements-BkpeqvtE-DrZYr5-a.js | AI (source-diff): Standard Vite minified output for a UI component library; no malicious patterns in samples. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-button-wc.entry-pR4i25DA.js | AI (source-diff): Standard Vite minified bundle output; readable ES module code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/index-CHECPbf5.js | AI (source-diff): Standard Vite minified bundle output; readable ES module code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/FormFieldStateWrapper-ldG0UX14-CdoDFpZN.js | AI (source-diff): Standard Vite minified bundle output; readable ES module code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/controller-icon-DUBFy2CD-BXAxuig4.js | AI (source-diff): Standard Vite minified bundle output; readable ES module code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/color-BOIEtqEM-BPvSvjEG.js | AI (source-diff): Standard Vite minified bundle output; readable ES module code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/associated.controller-B9GDDaFL-DuJfpldx.js | AI (source-diff): Standard Vite minified bundle output; readable ES module code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/align-floating-elements-BkpeqvtE-ms12ZXVF.js | AI (source-diff): Standard Vite minified bundle output; readable ES module code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/associated.controller-BZSp_RI6-BL-9sWhP.js | AI (source-diff): Standard Vite minified ESM chunk; form-associated controller logic for KoliBri components. | ai | |
| source-diff | obfuscated-file:dist/assets/align-floating-elements-AQNQlNaN-CPxVbPCs.js | AI (source-diff): Standard Vite minified ESM chunk; floating-element positioning logic, not malware. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-combobox.entry-BsiZJPTH.js | AI (source-diff): Standard Vite minified ESM chunk; KoliBri combobox component. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-button-wc.entry-Cp6gRFIU.js | AI (source-diff): Standard Vite minified ESM chunk; KoliBri button web component. | ai | |
| source-diff | obfuscated-file:dist/assets/index-D3P_Gb4a.js | AI (source-diff): Standard Vite minified main bundle; KoliBri component registry. | ai | |
| source-diff | obfuscated-file:dist/assets/FormFieldStateWrapper-DM8vsz3R-Do_RgmRh.js | AI (source-diff): Standard Vite minified ESM chunk; form field state wrapper logic. | ai | |
| source-diff | obfuscated-file:dist/assets/controller-icon-CyFFGMOa-C2lnFluJ.js | AI (source-diff): Standard Vite minified ESM chunk; icon controller UI logic. | ai | |
| source-diff | obfuscated-file:dist/assets/color-DZ0Ata5E-Ce_NTyBJ.js | AI (source-diff): Standard Vite minified ESM chunk; color utility logic. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-button-wc.entry-BBuJGmeu.js | AI (source-diff): Standard Vite minified output; sample shows KoliBri button web component logic. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DIuqfJDU.js | AI (source-diff): Standard Vite bundle entry; sample shows asset map for KoliBri web components. | ai | |
| source-diff | obfuscated-file:dist/assets/FormFieldStateWrapper-COm9oJpc-CBh3JX6w.js | AI (source-diff): Standard Vite minified output; sample shows form field state wrapper logic. | ai | |
| source-diff | obfuscated-file:dist/assets/controller-icon-BSuMVX-J-BZUxynbI.js | AI (source-diff): Standard Vite minified output; sample shows icon/input container UI logic. | ai | |
| source-diff | obfuscated-file:dist/assets/color-D-_1x7ql-BWJ_bSXe.js | AI (source-diff): Standard Vite minified output; sample shows color utility logic. | ai | |
| source-diff | obfuscated-file:dist/assets/associated.controller-ByKVIoVY-i71ic5Hn.js | AI (source-diff): Standard Vite minified output; sample shows form-associated controller logic. | ai | |
| source-diff | obfuscated-file:dist/assets/align-floating-elements-BmMJhjF1-DzbXDa86.js | AI (source-diff): Standard Vite minified output for a UI component library; no malicious patterns in samples. | ai | |
| source-diff | obfuscated-file:dist/assets/associated.controller-Bagx9pCw-DVq2iy0N.js | AI (source-diff): Standard Vite minified bundle; content is KoliBri form-associated controller code. | ai | |
| source-diff | obfuscated-file:dist/assets/align-floating-elements-D5XJiLiU-DnELTVZW.js | AI (source-diff): Standard Vite minified bundle output; content is legitimate floating-ui positioning code. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-button-wc.entry-DRleF1wN.js | AI (source-diff): Standard Vite/Stencil minified bundle; content is KoliBri button web component code. | ai | |
| source-diff | obfuscated-file:dist/assets/index-aD_aLqYR.js | AI (source-diff): Standard Vite entry bundle with __vite__mapDeps; content is legitimate component registry code. | ai | |
| source-diff | obfuscated-file:dist/assets/FormFieldStateWrapper-BFjE8Awx-FgbPEIn_.js | AI (source-diff): Standard Vite minified bundle; content is KoliBri form field wrapper code. | ai | |
| source-diff | obfuscated-file:dist/assets/controller-icon-tRwi0agJ-BydgLvKX.js | AI (source-diff): Standard Vite minified bundle; content is KoliBri icon/input container code. | ai | |
| source-diff | obfuscated-file:dist/assets/controller-Bdve6A-Q-Cfl1-el0.js | AI (source-diff): Standard Vite minified bundle; content is KoliBri tooltip controller code. | ai | |
| source-diff | obfuscated-file:dist/assets/component-BNiJg__a-BZjmWwS-.js | AI (source-diff): Standard Vite minified bundle; content is legitimate UI component code. | ai | |
| source-diff | obfuscated-file:dist/assets/align-floating-elements-7a0eec66-TGvjlLEi.js | AI (source-diff): Standard Vite-minified bundle output for a UI component library; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/associated.controller-b3473c2a-sZH0481m.js | AI (source-diff): Standard Vite-minified bundle output; readable form-controller logic. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-combobox.entry-D96RA-dY.js | AI (source-diff): Vite-minified web component entry; readable combobox component logic. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-button-wc.entry-BsCujRcI.js | AI (source-diff): Vite-minified web component entry; readable button component logic. | ai | |
| source-diff | net-exec-file:dist/assets/index-DtvMxyWR.js | AI (source-diff): Dynamic import() for lazy-loaded UI components is standard Vite/React pattern, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DtvMxyWR.js | AI (source-diff): Vite entry bundle with asset manifest; expected for this React sample app. | ai | |
| source-diff | obfuscated-file:dist/assets/controller-fe4af011-DxW7szEL.js | AI (source-diff): Standard Vite-minified bundle output for UI controller logic. | ai | |
| source-diff | obfuscated-file:dist/assets/color-b607f500-Dflqvpoy.js | AI (source-diff): Standard Vite-minified bundle; color name table is clearly benign. | ai | |
| source-diff | obfuscated-file:dist/assets/FormFieldStateWrapper-dDuHhzJa-2UFDj4Vr.js | AI (source-diff): Standard Vite-minified bundle; form field state wrapper UI logic. | ai | |
| source-diff | obfuscated-file:dist/assets/align-floating-elements-6A9FkBi8-xyinCPK6.js | AI (source-diff): Standard Vite-minified bundle output for a React UI library; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/associated.controller-DZY0qF8S-BrEiypO0.js | AI (source-diff): Standard Vite-minified bundle output; readable form-association controller logic. | ai | |
| source-diff | obfuscated-file:dist/assets/color-Rjy4ux-w-C917hka1.js | AI (source-diff): Standard Vite-minified bundle; color utility logic, no malicious indicators. | ai | |
| source-diff | obfuscated-file:dist/assets/controller-icon-BQiMXXEq-Dl2q5WxY.js | AI (source-diff): Standard Vite-minified bundle; icon controller UI logic, no malicious indicators. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DCi8lcS0.js | AI (source-diff): Standard Vite entry bundle listing known KoliBri component assets. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-button-wc.entry-CJKe3MWR.js | AI (source-diff): Standard Vite-minified bundle; button web component logic, no malicious indicators. | ai | |
| source-diff | obfuscated-file:dist/assets/align-floating-elements-4923570a-BYqOuumY.js | AI (source-diff): Standard Vite-minified bundle output for a React UI component library; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-combobox.entry-DtSHXjbr.js | AI (source-diff): Standard Vite-minified Stencil web component entry; sample shows combobox component logic. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-button-wc.entry-psbtaP20.js | AI (source-diff): Standard Vite-minified Stencil web component entry; sample shows button render logic. | ai | |
| source-diff | net-exec-file:dist/assets/index-DjOmLO5k.js | AI (source-diff): Vite dynamic import() for lazy-loaded web components; not dropper/loader malware. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DjOmLO5k.js | AI (source-diff): Vite entry bundle with __vite__mapDeps; standard build artifact for this React component library. | ai | |
| source-diff | obfuscated-file:dist/assets/controller-fe4af011-BaBo6QOP.js | AI (source-diff): Standard Vite-minified bundle; sample shows UI input controller logic, clearly benign. | ai | |
| source-diff | obfuscated-file:dist/assets/color-b607f500-B0Afkmgd.js | AI (source-diff): Standard Vite-minified bundle; sample shows CSS color name table, clearly benign. | ai | |
| source-diff | obfuscated-file:dist/assets/associated.controller-b3473c2a-BiQsU2lX.js | AI (source-diff): Standard Vite-minified bundle output; legitimate form-association controller code visible in sample. | ai | |
| source-diff | obfuscated-file:dist/assets/align-floating-elements-9b9ebf60-DQeBc_ui.js | AI (source-diff): Standard Vite-minified bundle output for floating-ui library; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-combobox.entry-DSugRrO-.js | AI (source-diff): Minified combobox web component; standard KoliBri UI library build output. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-button-wc.entry-DvuYJ5-U.js | AI (source-diff): Minified web component entry; standard KoliBri UI library build output. | ai | |
| source-diff | net-exec-file:dist/assets/index-BOdC6zis.js | AI (source-diff): Dynamic imports in Vite bundle are code-splitting, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BOdC6zis.js | AI (source-diff): Main Vite bundle entry point with dynamic imports; standard SPA build artifact. | ai | |
| source-diff | obfuscated-file:dist/assets/controller-a9871d80-CaR71qcR.js | AI (source-diff): Vite-minified input controller; legitimate UI component library code. | ai | |
| source-diff | obfuscated-file:dist/assets/color-48d7fdf1-D_f0HQ7r.js | AI (source-diff): Minified color-name lookup table; standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/assets/associated.controller-d302adf7-BSXIYAVs.js | AI (source-diff): Vite-minified form-associated controller code; legitimate UI library output. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-button-wc.entry-BdLX2KKE.js | AI (source-diff): Standard Vite minified bundle; button web component logic, no malicious indicators. | ai | |
| source-diff | obfuscated-file:dist/assets/index-Ci4NJshR.js | AI (source-diff): Standard Vite main bundle entry; asset manifest and component exports, no malicious indicators. | ai | |
| source-diff | obfuscated-file:dist/assets/FormFieldStateWrapper-D0MLneaJ-boRsnfLO.js | AI (source-diff): Standard Vite minified bundle; form field state wrapper logic, no malicious indicators. | ai | |
| source-diff | obfuscated-file:dist/assets/controller-icon-DFSE5HSL-B87ATEvF.js | AI (source-diff): Standard Vite minified bundle; icon controller component logic, no malicious indicators. | ai | |
| source-diff | obfuscated-file:dist/assets/color-D-_1x7ql-DyschnB7.js | AI (source-diff): Standard Vite minified bundle; color utility logic, no malicious indicators. | ai | |
| source-diff | obfuscated-file:dist/assets/associated.controller-ByKVIoVY-Cf0FNIRj.js | AI (source-diff): Standard Vite minified bundle output; readable form-association controller logic. | ai | |
| source-diff | obfuscated-file:dist/assets/align-floating-elements-BmMJhjF1-B0KXJ0oJ.js | AI (source-diff): Standard Vite minified bundle output; readable ES module logic, no malicious indicators. | ai | |
| source-diff | obfuscated-file:dist/assets/associated.controller-d302adf7-CGwixhAA.js | AI (source-diff): Stencil/KoliBri component controller bundle; normal minified output. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-combobox.entry-Cf1a5tj7.js | AI (source-diff): Stencil combobox component bundle; normal minified output. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-button-wc.entry-BQmoQIQy.js | AI (source-diff): Stencil web component entry bundle; normal minified output. | ai | |
| source-diff | net-exec-file:dist/assets/index-h_HyegoH.js | AI (source-diff): Dynamic import() for lazy-loaded Stencil chunks is not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/assets/index-h_HyegoH.js | AI (source-diff): Main Vite entry bundle with __vite__mapDeps; standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/assets/controller-6852ec73-DS-EZhFp.js | AI (source-diff): KoliBri input controller bundle; normal Vite minified output. | ai | |
| source-diff | obfuscated-file:dist/assets/color-48d7fdf1-DTzqDcJB.js | AI (source-diff): Color utility bundle with CSS named-color table; normal minified output. | ai | |
| source-diff | obfuscated-file:dist/assets/align-floating-elements-a7a489c8-teg8TynS.js | AI (source-diff): Standard Vite-minified floating-UI bundle; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/controller-Cf3CGZT--xMZZPtNM.js | AI (source-diff): Standard Vite minified output for tooltip controller; not malicious. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-combobox.entry-BW7zxQ-Z.js | AI (source-diff): Standard Vite/Stencil minified entry for combobox component; not malicious. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-button-wc.entry-xiQhkydo.js | AI (source-diff): Standard Vite/Stencil minified entry for button web component; not malicious. | ai | |
| source-diff | obfuscated-file:dist/assets/index-Di6F0tPl.js | AI (source-diff): Standard Vite entry bundle with __vite__mapDeps; not malicious. | ai | |
| source-diff | obfuscated-file:dist/assets/FormFieldStateWrapper-I4Dg2nCz-Rq-sf8NF.js | AI (source-diff): Standard Vite minified output for form field wrapper; not malicious. | ai | |
| source-diff | obfuscated-file:dist/assets/controller-icon-CQfGuSEz-B2I9_SgL.js | AI (source-diff): Standard Vite minified output for icon controller; not malicious. | ai | |
| source-diff | obfuscated-file:dist/assets/component-FodZSQiD-0URc9_UY.js | AI (source-diff): Standard Vite minified output for UI component bundle; not malicious. | ai | |
| source-diff | obfuscated-file:dist/assets/associated.controller-BKQIR17--Eo_cl8rX.js | AI (source-diff): Standard Vite minified output for form-associated controller; not malicious. | ai | |
| source-diff | obfuscated-file:dist/assets/align-floating-elements-58sFZOrL-D-p03Rue.js | AI (source-diff): Standard Vite minified output for floating-UI library; not malicious. | ai | |
| source-diff | obfuscated-file:dist/assets/color-BOIEtqEM-BCXZ7FmP.js | AI (source-diff): Standard Vite minified bundle output for a UI component library; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/assets/associated.controller-B9GDDaFL-CHe4vr0O.js | AI (source-diff): Standard Vite minified bundle output for a UI component library; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/assets/align-floating-elements-BkpeqvtE-AdfHjN91.js | AI (source-diff): Standard Vite minified bundle output for a UI component library; not obfuscated. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Large file count is expected for a full Vite dist rebuild of a React UI component library. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-combobox.entry-DW1AOIiD.js | AI (source-diff): Standard Vite minified bundle output for a UI component library; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/assets/kol-button-wc.entry-C6WqNwbG.js | AI (source-diff): Standard Vite minified bundle output for a UI component library; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DbZw8XzB.js | AI (source-diff): Standard Vite minified bundle output for a UI component library; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/assets/FormFieldStateWrapper-BJBSoSm4-D3MU3y0v.js | AI (source-diff): Standard Vite minified bundle output for a UI component library; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/assets/controller-icon-BO9NOQnm-B_SOaoQ5.js | AI (source-diff): Standard Vite minified bundle output for a UI component library; not obfuscated. | ai | |
| phantom-deps | phantom-dep:@playwright/test | AI (phantom-deps): @playwright/test is a test runner referenced in config, not imported directly; phantom-dep is a stable false positive. | ai | |
| phantom-deps | phantom-dep:@leanup/stack | AI (phantom-deps): @leanup/stack is a build tooling package used via CLI/config, not direct import; phantom-dep is a stable false positive. | ai | |
| phantom-deps | phantom-dep:npm-run-all2 | AI (phantom-deps): npm-run-all2 is a CLI tool used in npm scripts, not imported directly; phantom-dep is a stable false positive. | ai | |
| phantom-deps | phantom-dep:stylelint | AI (phantom-deps): stylelint is a dev linting tool referenced in config files; phantom-dep is a stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:prettier | AI (phantom-deps): prettier is a dev formatter referenced in config files; phantom-dep is a stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:cpy-cli | AI (phantom-deps): cpy-cli is a CLI tool invoked via npm scripts, not imported directly; phantom-dep is a stable false positive here. | ai | |
| phantom-deps | phantom-dep:knip | AI (phantom-deps): knip is a dev tooling dependency referenced in config files; not directly imported is expected behavior for this type of tool. | ai | |
| phantom-deps | phantom-dep:eslint | AI (phantom-deps): eslint is a dev tooling dependency referenced in config files; phantom-dep firing on eslint is a stable false positive for any JS/TS project. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Sample/demo packages in design systems often have README link dumps pointing to docs. This is a known pattern for @public-ui ecosystem packages, not spam. | ai | |
| phantom-deps | phantom-dep:prettier-plugin-organize-imports | AI (phantom-deps): prettier plugins are loaded via prettier config, not direct imports; phantom-dep is a stable false positive. | ai | |
| phantom-deps | phantom-dep:@typescript-eslint/eslint-plugin | AI (phantom-deps): TypeScript ESLint plugin is loaded via eslint config, not direct import; phantom-dep is a stable false positive. | ai | |
| phantom-deps | phantom-dep:@typescript-eslint/parser | AI (phantom-deps): TypeScript ESLint parser is loaded via eslint config, not direct import; phantom-dep is a stable false positive. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-jsx-a11y | AI (phantom-deps): eslint plugins are loaded via eslint config, not direct imports; phantom-dep is a stable false positive. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-react | AI (phantom-deps): eslint plugins are loaded via eslint config, not direct imports; phantom-dep is a stable false positive. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-json | AI (phantom-deps): eslint plugins are loaded via eslint config, not direct imports; phantom-dep is a stable false positive. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-html | AI (phantom-deps): eslint plugins are loaded via eslint config, not direct imports; phantom-dep is a stable false positive. | ai | |
| dependencies | unvetted-dep:world_countries_lists | AI (dependencies): world_countries_lists is a standard country data package; appropriate for a UI sample app demonstrating form components. | ai | |
| dependencies | unvetted-dep:@vitejs/plugin-react-swc | AI (dependencies): Official Vite React plugin using SWC compiler; standard build tooling for React projects. | ai | |
| dependencies | unvetted-dep:adopted-style-sheets | AI (dependencies): adopted-style-sheets is a legitimate Constructable Stylesheets polyfill; stable dependency for this UI component library sample app. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): @types/node is a framework-scoped type package; not directly imported is expected for TypeScript projects. | ai | |
| dependencies | unvetted-dep:@public-ui/components | AI (dependencies): Sibling package from the same public-ui/kolibri monorepo; always a legitimate dependency for this package. | ai | |
| phantom-deps | phantom-dep:@types/react-dom | AI (phantom-deps): @types/react-dom is a framework-scoped type package; not directly imported is expected for React/TypeScript projects. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a standard TypeScript runtime helper; declaring it without direct import is a common pattern in TS projects. | ai | |
| phantom-deps | phantom-dep:@types/react | AI (phantom-deps): @types/react is a framework-scoped type package; not directly imported is expected for React/TypeScript projects. | ai | |
| phantom-deps | phantom-dep:typescript | AI (phantom-deps): typescript is a build toolchain dependency; not directly imported in source is expected and benign. | ai |
Versions (showing 23 of 23)
| Version | Deps | Published |
|---|---|---|
| 4.2.1 | 26 / 15 | |
| 4.2.0 | 26 / 15 | |
| 4.1.4 | 24 / 16 | |
| 4.1.3 | 24 / 16 | |
| 4.1.2 | 24 / 16 | |
| 4.1.1 | 24 / 14 | |
| 4.1.0 | 16 / 22 | |
| 4.0.3 | 15 / 23 | |
| 4.0.2 | 39 / 0 | |
| 4.0.1 | 39 / 0 | |
| 4.0.0 | 39 / 0 | |
| 3.1.4 | 24 / 15 | |
| 3.1.3 | 15 / 24 | |
| 3.1.2 | 15 / 24 | |
| 3.1.1 | 39 / 0 | |
| 3.1.0 | 39 / 0 | |
| 3.0.9 | 39 / 0 | |
| 3.0.8 | 39 / 0 | |
| 2.2.22 | 25 / 9 | |
| 2.2.21 | 25 / 9 | |
| 2.2.20 | 25 / 9 | |
| 2.2.19 | 29 / 0 | |
| 2.2.18 | 29 / 0 |
v4.2.1
9 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.2.0
9 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.1.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.1.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.1.1
7 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.1.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.0.3
9 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.0.2
8 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.0.1
8 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.0.0
8 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.4
8 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.1
8 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.0
17 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.9
9 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.8
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.2.22
9 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.2.21
9 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.2.20
9 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.2.19
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.2.18
9 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.