@s-blog/core

The core engine and pre-built App Shell for **s-blog**, a lightweight, fast, and elegant static blog framework.

Versions: 23
License: MIT
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance | npm registry signatures | gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

suzic

Keywords

blog, react, vite, s-blog

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff obfuscated-file:dist/shell/assets/Archives-BigI0mU1.js AI (source-diff): Standard Vite minified output; readable React component logic, no malicious patterns. ai
source-diff obfuscated-file:dist/PostDetail-fobD7IlP.js AI (source-diff): Minified React post detail component with readable structure; no suspicious patterns. ai
source-diff obfuscated-file:dist/shell/assets/PostDetail-DjbYYHBl.js AI (source-diff): Minified React post detail component; standard markdown rendering logic. ai
source-diff obfuscated-file:dist/shell/assets/PhotoViewer-B7XmuQ0l.js AI (source-diff): Minified React photo viewer component; benign UI logic only. ai
source-diff obfuscated-file:dist/shell/assets/main-HLA0iPk1.js AI (source-diff): Vite bundle entry point with React/router internals; no exfiltration or obfuscation. ai
source-diff obfuscated-file:dist/shell/assets/AlbumDetail-B8-KFoeZ.js AI (source-diff): Standard Vite minified React bundle; no malicious patterns in sample. ai
source-diff obfuscated-file:dist/shell/assets/PostDetail-CCE3GZWT.js AI (source-diff): Standard Vite minified React bundle; no malicious patterns in sample. ai
source-diff obfuscated-file:dist/PostDetail-D4vzwUpi.js AI (source-diff): Standard Vite minified React bundle; no malicious patterns in sample. ai
source-diff obfuscated-file:dist/shell/assets/main-DrNEUPY4.js AI (source-diff): Standard Vite minified React bundle; no malicious patterns in sample. ai
source-diff obfuscated-file:dist/shell/assets/Archives-Dg8op7hl.js AI (source-diff): Standard Vite minified React bundle; no malicious patterns in sample. ai
source-diff obfuscated-file:dist/PostDetail-rTP82f-6.js AI (source-diff): Standard Vite minified React bundle output; not malicious obfuscation. ai
source-diff obfuscated-file:dist/shell/assets/PostDetail-1dKytzGf.js AI (source-diff): Standard Vite minified React bundle output; not malicious obfuscation. ai
source-diff obfuscated-file:dist/shell/assets/main-_rpOOp_O.js AI (source-diff): Standard Vite minified React bundle output; not malicious obfuscation. ai
source-diff obfuscated-file:dist/shell/assets/Archives-D_ou-dOf.js AI (source-diff): Standard Vite minified React bundle output; not malicious obfuscation. ai
source-diff obfuscated-file:dist/shell/assets/AlbumDetail-vQPUyvz2.js AI (source-diff): Standard Vite minified React bundle output; not malicious obfuscation. ai
source-diff obfuscated-file:dist/shell/assets/Archives-FXaKvDJv.js AI (source-diff): Standard Vite minified bundle output; samples show normal React component code. ai
publish-pattern new-deps-added AI (publish-pattern): wasm-vips and heic-decode are legitimate HEIC image processing libs matching the AlbumDetail feature in the code. ai
source-diff large-new-source-files AI (source-diff): New files are Vite build artifacts for a shell/SPA feature; consistent with build:shell script addition. ai
source-diff obfuscated-file:dist/shell/assets/AlbumDetail-CjZTmi3v.js AI (source-diff): Standard Vite minified bundle output; samples show normal React component code. ai
source-diff obfuscated-file:dist/shell/assets/PostDetail-DTp3EXyu.js AI (source-diff): Standard Vite minified bundle output; samples show normal React/remark/rehype code. ai
source-diff obfuscated-file:dist/shell/assets/main-CVeMAX2g.js AI (source-diff): Standard Vite minified bundle output; samples show normal React/Vite bootstrap code. ai
source-diff obfuscated-file:dist/PostDetail-Ds-F2dy9.js AI (source-diff): Vite-bundled React component output; minified but not obfuscated. Stable for this package. ai
source-diff obfuscated-file:dist/shell/assets/main-D5KSOSeN.js AI (source-diff): Standard Vite minified React bundle; no malicious patterns in samples. ai
source-diff obfuscated-file:dist/shell/assets/AlbumDetail-Bom1xNo7.js AI (source-diff): Standard Vite minified React bundle; no malicious patterns in samples. ai
source-diff obfuscated-file:dist/shell/assets/Archives-Dsv8ZxpL.js AI (source-diff): Standard Vite minified React bundle; no malicious patterns in samples. ai
source-diff obfuscated-file:dist/shell/assets/PostDetail-DpCxxlRw.js AI (source-diff): Standard Vite minified React bundle; no malicious patterns in samples. ai
source-diff obfuscated-file:dist/PostDetail-MNT2gtVA.js AI (source-diff): Standard Vite minified React bundle; no malicious patterns in samples. ai
source-diff obfuscated-file:dist/PostDetail-LwTVVIn2.js AI (source-diff): Vite-bundled React output; sample shows readable JSX/ES module code, not malicious obfuscation. Stable pattern for this package. ai
source-diff obfuscated-file:dist/PostDetail-uandpeXa.js AI (source-diff): Vite-bundled React output; long lines are minified bundle, not obfuscation. Stable pattern for this package. ai
source-diff obfuscated-file:dist/PostDetail-BF9O9Ohm.js AI (source-diff): Standard Vite minified bundle output; readable React/JSX and markdown processing patterns. ai
source-diff obfuscated-file:dist/shell/assets/PostDetail-DiBMm6eC.js AI (source-diff): Standard Vite minified bundle output; readable React/JSX patterns, no malicious code. ai
source-diff obfuscated-file:dist/shell/assets/main-CFEbfhgZ.js AI (source-diff): Standard Vite minified bundle output; contains recognizable React runtime and router code. ai
source-diff obfuscated-file:dist/shell/assets/Archives-D1OXXrpO.js AI (source-diff): Standard Vite minified bundle output; readable React/JSX patterns, no malicious code. ai
source-diff obfuscated-file:dist/shell/assets/AlbumDetail-cR-yKYG7.js AI (source-diff): Standard Vite minified bundle output; readable React/JSX patterns, no malicious code. ai
source-diff obfuscated-file:dist/shell/assets/Archives-Du_kd51P.js AI (source-diff): Standard Vite minified React bundle; readable JSX patterns, no malicious payload. ai
source-diff obfuscated-file:dist/shell/assets/PostDetail-D7yw92kZ.js AI (source-diff): Standard Vite minified React bundle; readable JSX patterns, no malicious payload. ai
source-diff obfuscated-file:dist/PostDetail-Ci-GDDkh.js AI (source-diff): Standard Vite minified React bundle; readable JSX patterns, no malicious payload. ai
source-diff obfuscated-file:dist/shell/assets/main-DHWob_QN.js AI (source-diff): Standard Vite minified React bundle; readable JSX patterns, no malicious payload. ai
source-diff obfuscated-file:dist/shell/assets/AlbumDetail-BLHePTfA.js AI (source-diff): Standard Vite minified React bundle; readable JSX patterns, no malicious payload. ai
phantom-deps phantom-dep:date-fns AI (phantom-deps): Deps referenced via config/convention in a library package; not a real phantom-dep issue. ai
phantom-deps phantom-dep:i18next-browser-languagedetector AI (phantom-deps): i18n plugin loaded by convention; stable false positive for this package. ai
phantom-deps phantom-dep:@types/github-slugger AI (phantom-deps): Type package loaded by convention; stable false positive. ai
phantom-deps phantom-dep:react-router-dom AI (phantom-deps): Router used via config/convention; stable false positive for this package. ai
phantom-deps phantom-dep:react-markdown AI (phantom-deps): Core rendering dep used via config; stable false positive for this package. ai
phantom-deps phantom-dep:github-slugger AI (phantom-deps): Used via config files; stable false positive for this package. ai
phantom-deps phantom-dep:react-i18next AI (phantom-deps): i18n library used via config; stable false positive for this package. ai
phantom-deps phantom-dep:rehype-slug AI (phantom-deps): Rehype plugin loaded by convention; stable false positive for this package. ai
phantom-deps phantom-dep:remark-gfm AI (phantom-deps): Markdown plugin loaded by convention; stable false positive for this package. ai
typosquat typosquat.levenshtein:cors AI (typosquat): @s-blog/core is a scoped blog framework, not a typosquat of cors; name similarity is coincidental. ai

Versions (showing 23 of 23)

Version Deps Published
0.3.8 15 / 14
0.3.7 15 / 14
0.3.6 15 / 14
0.3.5 15 / 14
0.3.4 15 / 14
0.3.3 15 / 14
0.3.2 15 / 14
0.3.1 15 / 14
0.3.0 15 / 14
0.2.4 15 / 13
0.2.2 15 / 13
0.1.13 15 / 9
0.1.12 15 / 9
0.1.11 15 / 9
0.1.10 14 / 9
0.1.8 14 / 9
0.1.7 14 / 9
0.1.6 14 / 9
0.1.4 14 / 9
0.1.3 14 / 9
0.1.2 14 / 9
0.1.1 14 / 9
0.1.0 11 / 9

v0.3.8

6 findings
HIGH New obfuscated file: dist/shell/assets/Archives-BigI0mU1.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/shell/assets/main-HLA0iPk1.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/shell/assets/PhotoViewer-B7XmuQ0l.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/shell/assets/PostDetail-DjbYYHBl.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/PostDetail-fobD7IlP.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.7

6 findings
HIGH New obfuscated file: dist/shell/assets/Archives-BigI0mU1.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/shell/assets/main-HLA0iPk1.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/shell/assets/PhotoViewer-B7XmuQ0l.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/shell/assets/PostDetail-DjbYYHBl.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/PostDetail-fobD7IlP.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.6

6 findings
HIGH New obfuscated file: dist/shell/assets/AlbumDetail-vQPUyvz2.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/shell/assets/Archives-D_ou-dOf.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/shell/assets/main-_rpOOp_O.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/shell/assets/PostDetail-1dKytzGf.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/PostDetail-rTP82f-6.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.5

6 findings
HIGH New obfuscated file: dist/shell/assets/AlbumDetail-vQPUyvz2.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/shell/assets/Archives-D_ou-dOf.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/shell/assets/main-_rpOOp_O.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/shell/assets/PostDetail-1dKytzGf.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/PostDetail-rTP82f-6.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.4

6 findings
HIGH New obfuscated file: dist/shell/assets/AlbumDetail-Bom1xNo7.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/shell/assets/Archives-Dsv8ZxpL.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/shell/assets/main-D5KSOSeN.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/shell/assets/PostDetail-DpCxxlRw.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/PostDetail-MNT2gtVA.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.3

6 findings
HIGH New obfuscated file: dist/shell/assets/AlbumDetail-cR-yKYG7.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/shell/assets/Archives-D1OXXrpO.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/shell/assets/main-CFEbfhgZ.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/PostDetail-BF9O9Ohm.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/shell/assets/PostDetail-DiBMm6eC.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.2

6 findings
HIGH New obfuscated file: dist/shell/assets/AlbumDetail-cR-yKYG7.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/shell/assets/Archives-D1OXXrpO.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/shell/assets/main-CFEbfhgZ.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/PostDetail-BF9O9Ohm.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/shell/assets/PostDetail-DiBMm6eC.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.1

6 findings
HIGH New obfuscated file: dist/shell/assets/AlbumDetail-BLHePTfA.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/shell/assets/Archives-Du_kd51P.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/shell/assets/main-DHWob_QN.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/PostDetail-Ci-GDDkh.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/shell/assets/PostDetail-D7yw92kZ.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.0

6 findings
HIGH New obfuscated file: dist/shell/assets/AlbumDetail-B8-KFoeZ.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/shell/assets/Archives-Dg8op7hl.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/shell/assets/main-DrNEUPY4.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/shell/assets/PostDetail-CCE3GZWT.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/PostDetail-D4vzwUpi.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.