
@revisium/standalone

Revisium with embedded PostgreSQL — zero-dependency headless CMS with Git-like version control

Versions: 3
License: Apache-2.0
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version (2.8.1).

SLSA provenance attestation
npm registry signatures
gitHead linked

Maintainers

revisium-io

Keywords

revisium, headless-cms, embedded-postgres, standalone, json-schema, version-control, ai-memory, agent-memory

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get in minified Chakra UI vendor bundle; standard React/Chakra pattern. | ai |
source-diff | obfuscated-file:client/assets/index-CTRDk3g_.js | AI (source-diff): Standard Vite/Rolldown minified frontend bundle (React+Chakra+MobX+GraphQL); not obfuscation. | ai |
source-diff | net-exec-file:client/assets/index-CTRDk3g_.js | AI (source-diff): Frontend SPA bundle; network calls and dynamic module loading are normal browser app behavior. | ai |
source-diff | encoded-string-file:prisma/seed.js | AI (source-diff): Long strings are Prisma client bundle error messages and internal code; stable false positive for this package. | ai |
source-diff | encoded-string-file:dist/standalone.js | AI (source-diff): Long strings are Prisma client bundle code; stable false positive for this package. | ai |
semgrep | semgrep:dynamic-require | AI (semgrep): Reads package.json from a resolved path to get version info; benign and stable pattern. | ai |
semgrep | semgrep:env-spread | AI (semgrep): CLI launcher spreading process.env to child process is standard; not a secret-exfiltration risk. | ai |
phantom-deps | phantom-dep:sharp | AI (phantom-deps): sharp is a known native binary dep; indirect import pattern is expected. | ai |
phantom-deps | phantom-dep:bcrypt | AI (phantom-deps): bcrypt referenced via config in NestJS app; indirect import is expected. | ai |
phantom-deps | phantom-dep:swagger-ui-dist | AI (phantom-deps): swagger-ui-dist referenced via config; indirect import is expected in NestJS. | ai |
phantom-deps | phantom-dep:embedded-postgres | AI (phantom-deps): embedded-postgres referenced via config; indirect import is expected. | ai |
phantom-deps | phantom-dep:@nestjs/microservices | AI (phantom-deps): NestJS microservices loaded dynamically via framework; indirect import is expected. | ai |

Versions (showing 3 of 3)

Version | Deps | Published
2.8.1 | 6 / 0 |
2.8.0 | 6 / 0 |
2.7.2 | 6 / 0 |

v2.8.1

5 findings
[HIGH] New obfuscated file: client/assets/index-CTRDk3g_.js (source: source-diff)

A newly added source file contains lines over 3000 characters, which suggests minified or obfuscated code. New obfuscated files are a strong attack indicator, but minified frontend bundles trigger the same heuristic; the reviewer accepted this file as a Vite/Rolldown bundle (see Accepted risks above).

[HIGH] New file with network + code execution: client/assets/index-CTRDk3g_.js (source: source-diff)

A newly added file contains both network calls and dynamic code execution, a combination characteristic of dropper/loader malware. Network calls and dynamic module loading are also normal for a browser SPA bundle, which is why the reviewer accepted this finding for this file (see Accepted risks above).

[HIGH] Long encoded string in modified file: prisma/seed.js (source: source-diff)

The modified file contains 1 long encoded string (200 or more characters). Such strings are commonly used to hide malicious payloads; in this file the reviewer identified them as Prisma client bundle error messages and internal code (see Accepted risks above).

[HIGH] Long encoded string in modified file: dist/standalone.js (source: source-diff)

The modified file contains 1 long encoded string (200 or more characters). Such strings are commonly used to hide malicious payloads; in this file the reviewer identified them as Prisma client bundle code (see Accepted risks above).
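To make the four source-diff findings above concrete, here is an added example (not the scanner's own code) that re-implements the three heuristics they describe, namely lines over 3000 characters, encoded strings of 200 or more characters, and network calls plus dynamic code execution in one file, and then applies the accepted-risk triage step from the table above. The thresholds come from the finding text; the regular expressions are assumptions about what the real scanner matches. The sample files are constructed stand-ins, not the package's real sources, and the fourth sample shows what an unaccepted hit looks like.

```javascript
'use strict';
// Added example, not the scanner's own code. Re-implements the source-diff
// heuristics named in the findings (long lines, long encoded strings,
// network + dynamic execution) plus accepted-risk triage, over constructed files.

const MAX_LINE_LEN = 3000;   // "lines over 3000 chars"
const MIN_ENCODED_LEN = 200; // "long encoded string(s) (200+ chars)"

// Assumption: an "encoded string" is an unbroken run of base64-alphabet characters.
const ENCODED_RE = new RegExp(`[A-Za-z0-9+/=]{${MIN_ENCODED_LEN},}`, 'g');
// Assumption: these identifiers stand in for the scanner's network / dynamic-execution patterns.
const NETWORK_RE = /\b(?:fetch|XMLHttpRequest|WebSocket|https?\.request|net\.connect)\b/;
const DYNAMIC_EXEC_RE = /(?:\beval\s*\(|\bnew\s+Function\b|\bimport\s*\(|\bvm\.runIn\w*Context\b)/;

function scanFile(file, content) {
  const findings = [];
  const longest = content.split('\n').reduce((m, l) => Math.max(m, l.length), 0);
  if (longest > MAX_LINE_LEN) {
    findings.push({ severity: 'HIGH', rule: 'obfuscated-file', file, detail: `longest line is ${longest} chars` });
  }
  const encoded = content.match(ENCODED_RE) || [];
  if (encoded.length > 0) {
    const longestBlob = Math.max(...encoded.map((s) => s.length));
    findings.push({ severity: 'HIGH', rule: 'encoded-string-file', file, detail: `${encoded.length} encoded string(s), longest ${longestBlob} chars` });
  }
  if (NETWORK_RE.test(content) && DYNAMIC_EXEC_RE.test(content)) {
    findings.push({ severity: 'HIGH', rule: 'net-exec-file', file, detail: 'network call and dynamic code execution in the same file' });
  }
  return findings;
}

function scanPackage(files) {
  return Object.entries(files).flatMap(([file, content]) => scanFile(file, content));
}

// Split findings into already-accepted (keyed rule:file, as in the table above) and still-blocking.
function triage(findings, acceptedRisks) {
  const accepted = new Map(acceptedRisks.map((r) => [`${r.rule}:${r.file}`, r.reason]));
  const out = { blocking: [], accepted: [] };
  for (const f of findings) {
    const reason = accepted.get(`${f.rule}:${f.file}`);
    if (reason) out.accepted.push({ ...f, reason });
    else out.blocking.push(f);
  }
  return out;
}

// Constructed sample files; contents are stand-ins, not the package's real sources.
const SAMPLE_FILES = {
  // A minified SPA bundle: one very long line that fetches and lazy-loads a chunk.
  'client/assets/index-CTRDk3g_.js': 'var a=1;'.repeat(400) + 'fetch("/graphql");import("./chunk.js");',
  // Generated client code carrying a 240-character base64 blob.
  'prisma/seed.js': 'const bundled = "' + 'QUJD'.repeat(60) + '";\nmodule.exports = bundled;\n',
  // Ordinary code that trips nothing.
  'src/config.js': 'module.exports = { port: 3000 };\n',
  // The pattern the heuristic exists for, in a file nobody has accepted.
  'scripts/postinstall.js': 'const r = https.request(process.env.U);\neval(String(r));\n',
};

// Mirrors the accepted-risk entries for the two files above.
const ACCEPTED_RISKS = [
  { rule: 'obfuscated-file', file: 'client/assets/index-CTRDk3g_.js', reason: 'minified Vite bundle, not obfuscation' },
  { rule: 'net-exec-file', file: 'client/assets/index-CTRDk3g_.js', reason: 'SPA network calls and dynamic module loading' },
  { rule: 'encoded-string-file', file: 'prisma/seed.js', reason: 'Prisma client bundle strings' },
];

function reviewSample() {
  return triage(scanPackage(SAMPLE_FILES), ACCEPTED_RISKS);
}

console.log(JSON.stringify(reviewSample(), null, 2));
```

Keying accepted risks on `rule:file` rather than on the rule alone is the point of the triage step: the bundle and the Prisma file stay accepted, while the same `net-exec-file` rule firing on a script that nobody reviewed still blocks. Note that an accepted entry should also be re-checked when the file's content hash changes, since the hashed bundle name in the path will differ on every build.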

[INFO] Has SLSA provenance attestation (source: provenance)

Published from CI/CD with a Sigstore-signed SLSA attestation (predicate type: https://slsa.dev/provenance/v1). This is the strongest supply-chain integrity signal the registry provides: it ties the published tarball to the build workflow and source commit that produced it.

v2.8.0

1 finding
[INFO] Has SLSA provenance attestation (source: provenance)

Published from CI/CD with a Sigstore-signed SLSA attestation (predicate type: https://slsa.dev/provenance/v1). This is the strongest supply-chain integrity signal the registry provides: it ties the published tarball to the build workflow and source commit that produced it.