
@react-email/ui

A live preview of your emails right in your browser.

Versions: 9
License: MIT
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation, npm registry signatures, No source commit

Maintainers

zenorocha, bukinoshita, gabrielmfern, jopcmelo, rehan

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:.next/server/chunks/ssr/[root-of-the-server]__0kj8k7~._.js | AI (source-diff): Next.js Turbopack SSR build output; expected for this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Well-known package from resend org; low score is noise. | ai | |
| semgrep | semgrep:etc-passwd-access | AI (semgrep): Test file asserting path-traversal is blocked; not credential harvesting. | ai | |
| source-diff | net-exec-file:.next/static/chunks/07xz95h5_vkz5.js | AI (source-diff): Socket.io client + Next.js runtime bundled together; not malicious. | ai | |
| source-diff | obfuscated-file:.next/static/chunks/07xz95h5_vkz5.js | AI (source-diff): Next.js Turbopack client chunk; standard build artifact. | ai | |
| source-diff | obfuscated-file:.next/static/chunks/05gb77d41e6_j.js | AI (source-diff): Next.js Turbopack client chunk; standard build artifact. | ai | |
| source-diff | obfuscated-file:.next/server/chunks/ssr/[root-of-the-server]__0o1z5so._.js | AI (source-diff): Standard Next.js SSR chunk containing Babel parser; expected minification for this package. | ai | |
| source-diff | obfuscated-file:.next/server/chunks/ssr/[root-of-the-server]__08ttim4._.js | AI (source-diff): Standard Next.js/Turbopack SSR build artifact; minification is expected for this package. | ai | |
| source-diff | obfuscated-file:.next/server/chunks/ssr/[root-of-the-server]__0ijmwvt._.js | AI (source-diff): Standard Next.js/Turbopack SSR build artifact containing prettier/deepmerge; expected minification. | ai | |
| source-diff | net-exec-file:.next/server/chunks/ssr/[root-of-the-server]__0o1z5so._.js | AI (source-diff): Babel parser + file-system traversal in SSR chunk; no exfiltration or dropper pattern, legitimate Next.js build output. | ai | |
| source-diff | obfuscated-file:.next/static/chunks/07109i_ivtgcv.js | AI (source-diff): Turbopack static chunk (clsx + tailwind-merge); standard minified build output. | ai | |
| source-diff | obfuscated-file:.next/static/chunks/0uh-49~tky78v.js | AI (source-diff): Turbopack static chunk (socket.io-client + Next.js server actions); expected minification. | ai | |
| source-diff | net-exec-file:.next/static/chunks/0uh-49~tky78v.js | AI (source-diff): Socket.io-client WebSocket code in a static chunk; no dropper pattern, legitimate Next.js build output. | ai | |
| source-diff | obfuscated-file:.next/static/chunks/0wdedq5_rk8gw.js | AI (source-diff): Turbopack static chunk (Next.js utils); standard minified build output. | ai | |
| source-diff | obfuscated-file:.next/static/chunks/0z8xesoucltu7.js | AI (source-diff): Standard Next.js static chunk; expected minification for this package. | ai | |
| source-diff | obfuscated-file:.next/static/chunks/15xwcf8r22gq-.js | AI (source-diff): Standard Next.js static chunk; expected minification for this package. | ai | |
| npm-metadata | bundled-binaries | AI (npm-metadata): esbuild binary is a declared runtime dependency; expected for this Next.js-based UI package. | ai | |
| typosquat | typosquat.levenshtein:yup | AI (typosquat): Scoped @react-email package; Levenshtein match to yup is a false positive. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Fires in Turbopack runtime chunk-loading code; expected Next.js internals. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Fires in bundled Next.js HMR/dev-server chunk; expected for a Next.js app bundle. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Fires in bundled Next.js HMR chunk reading env for config; standard framework behavior. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped @react-email package; Levenshtein match to joi is a false positive. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): Scoped @react-email package; Levenshtein match to qs is a false positive. | ai | |
| typosquat | typosquat.levenshtein:uuid | AI (typosquat): Scoped @react-email package; Levenshtein match to uuid is a false positive. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped @react-email package; Levenshtein match to pg is a false positive. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Fires inside bundled Next.js server chunks; standard framework code, not malicious. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Fires inside bundled Next.js server chunks; standard framework code. | ai | |

Versions (showing 9 of 9)

Version Deps Published
6.3.3 2 / 51
6.3.0 2 / 51
6.1.5 2 / 51
6.0.5 2 / 51
6.0.4 2 / 51
6.0.3 2 / 51
6.0.2 2 / 51
6.0.1 2 / 51
6.0.0 2 / 51

v6.3.3

9 findings
HIGH New obfuscated file: .next/server/chunks/ssr/[root-of-the-server]__0kj8k7~._.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/static/chunks/05gb77d41e6_j.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/static/chunks/07xz95h5_vkz5.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: .next/static/chunks/07xz95h5_vkz5.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH etc-passwd-access: src/actions/render-email-by-path.spec.ts:54 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux

      52 |
      53 | it('refuses to render a path outside the configured emails directory', async () => {
    > 54 |   const result = await renderEmailByPath('/etc/passwd', true);
      55 |
      56 |   expect('error' in result).toBe(true);

HIGH etc-passwd-access: src/utils/is-path-within-emails-directory.spec.ts:51 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux

      49 |   it('rejects absolute paths outside the emails directory', () => {
      50 |     expect(isPathWithinEmailsDirectory(outsideFile)).toBe(false);
    > 51 |     expect(isPathWithinEmailsDirectory('/etc/passwd')).toBe(false);
      52 |   });
      53 |

HIGH etc-passwd-access: src/utils/is-path-within-emails-directory.spec.ts:56 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux

      54 |   it('rejects traversal attempts via ../', () => {
      55 |     expect(isPathWithinEmailsDirectory('../secret.txt')).toBe(false);
    > 56 |     expect(isPathWithinEmailsDirectory('../../etc/passwd')).toBe(false);
      57 |     expect(
      58 |       isPathWithinEmailsDirectory(path.join(emailsRoot, '..', 'secret.txt')),

HIGH etc-passwd-access: src/utils/is-path-within-emails-directory.ts:18 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux

      16 |  * Server actions accept arbitrary strings from the client, so any path that
      17 |  * eventually reaches the filesystem must be checked against this boundary to
    > 18 |  * prevent traversal (`../../etc/passwd`) and absolute-path escapes.
      19 |  */
      20 | export const isPathWithinEmailsDirectory = (emailPath: string): boolean => {

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.3.0

11 findings
HIGH New obfuscated file: .next/server/chunks/ssr/[root-of-the-server]__08ttim4._.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/server/chunks/ssr/[root-of-the-server]__0ijmwvt._.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/server/chunks/ssr/[root-of-the-server]__0o1z5so._.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: .next/server/chunks/ssr/[root-of-the-server]__0o1z5so._.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: .next/static/chunks/07109i_ivtgcv.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/static/chunks/0uh-49~tky78v.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: .next/static/chunks/0uh-49~tky78v.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: .next/static/chunks/0wdedq5_rk8gw.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/static/chunks/0z8xesoucltu7.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/static/chunks/15xwcf8r22gq-.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.1.5

33 findings
HIGH New obfuscated file: .next/server/chunks/ssr/_0_9qcls._.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/server/chunks/ssr/_0fi74yy._.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/server/chunks/ssr/_0l~yq~8._.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/server/chunks/ssr/_0rgn2s1._.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/server/chunks/ssr/[root-of-the-server]__0e1p92_._.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/server/chunks/ssr/[root-of-the-server]__0l0v85_._.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/server/chunks/ssr/[root-of-the-server]__0mp3fdl._.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/server/chunks/[root-of-the-server]__0ovwch3._.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/server/chunks/ssr/[root-of-the-server]__0p0q9fz._.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/server/chunks/ssr/[root-of-the-server]__0w7~g3v._.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/server/chunks/ssr/[root-of-the-server]__0z7e~t8._.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/static/chunks/0.b7c654y13ei.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/static/chunks/01jmh6iy1079z.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: .next/static/chunks/01jmh6iy1079z.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: .next/static/chunks/038txnyx7z-e-.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/static/chunks/0694m--20r8r~.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/static/chunks/091aur8ny3ktw.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/static/chunks/0hw4m324babxl.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/static/chunks/0im2lr8petu1y.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/static/chunks/0s3d7ou5io7.r.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/static/chunks/0uuzj-.-socmi.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/static/chunks/0xq9sfc.8k4--.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/server/chunks/ssr/0z~i_next_dist_0-r-kub._.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/server/chunks/ssr/0z~i_next_dist_02m-902._.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/server/chunks/ssr/0z~i_next_dist_04bpslp._.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/server/chunks/ssr/0z~i_next_dist_0u6ij0z._.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/server/chunks/ssr/0z~i_next_dist_esm_build_templates_app-page_0e~f51l.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/server/chunks/ssr/0z~i_next_dist_esm_build_templates_app-page_0efib10.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/server/chunks/ssr/0z~i_next_dist_esm_build_templates_app-page_0jqv_2y.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/server/chunks/ssr/0z~i_next_dist_esm_build_templates_app-page_0spm7_x.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/static/chunks/1513ibnpmlx36.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: .next/static/chunks/turbopack-0hngrd36y01c6.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.0.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.0.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.0.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.0.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.