@scrabble-solver/scrabble-solver
Scrabble Solver 2 - App
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:.next/static/chunks/framework-2b24ada1da3702a7.js | AI (source-diff): Standard Next.js React framework bundle; content is recognizable React internals. | ai | |
| source-diff | obfuscated-file:.next/static/chunks/pages/index-a49a899fdf7146da.js | AI (source-diff): Standard Next.js minified page chunk; content confirms legitimate scrabble-solver UI code. | ai | |
| source-diff | obfuscated-file:.next/static/chunks/main-5c253b06141d70b0.js | AI (source-diff): Standard Next.js main chunk; content is recognizable Next.js router/head internals. | ai | |
| source-diff | obfuscated-file:.next/static/chunks/pages/_app-b74c31c912e414e4.js | AI (source-diff): Standard Next.js minified build artifact; content is legitimate React/CSS-module code. | ai | |
| source-diff | obfuscated-file:.next/static/chunks/pages/index-35f70f1627836521.js | AI (source-diff): Standard Next.js minified build artifact; content is legitimate React/CSS-module code. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Fires inside Next.js bundled .next/server output; standard webpack/Next.js artifact. | ai | |
| phantom-deps | phantom-dep:normalize.css | AI (phantom-deps): CSS reset referenced in stylesheets/config, not JS imports — expected usage pattern. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Fires inside Next.js bundled .next/server output; standard Next.js SSR artifact. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Fires inside webpack-api-runtime.js; standard webpack module loader pattern. | ai | |
| phantom-deps | phantom-dep:env-cmd | AI (phantom-deps): Used in npm scripts (build/dev/start), not imported in code — expected usage pattern. | ai | |
| phantom-deps | phantom-dep:include-media | AI (phantom-deps): SCSS utility referenced in stylesheets, not JS imports — expected usage pattern. | ai | |
Versions (showing 4 of 4)
| Version | Deps | Published |
|---|---|---|
| 2.16.4 | 32 / 9 | |
| 2.16.3 | 32 / 9 | |
| 2.16.1 | 32 / 9 | |
| 2.16.0 | 32 / 9 | |
v2.16.4
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.16.3
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.16.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.