@sisense/sdk-ui
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/widget-composer-CZ0_bPXK.cjs | AI (source-diff): Minified CJS chunk; consistent with SDK build output. | ai | |
| source-diff | net-exec-file:dist/use-hover-D_mBUhp9.cjs | AI (source-diff): Bundled fetch + async generator; no malicious indicators. | ai | |
| source-diff | obfuscated-file:dist/utils-DM5vp1gw.cjs | AI (source-diff): Minified CJS utils chunk from Vite build pipeline. | ai | |
| source-diff | net-exec-file:dist/utils-DM5vp1gw.cjs | AI (source-diff): Bundled fetch + async generator pattern; consistent with SDK utilities. | ai | |
| source-diff | obfuscated-file:dist/utils-Db3U6oHa.js | AI (source-diff): Minified ESM utils chunk from Vite build pipeline. | ai | |
| source-diff | net-exec-file:dist/utils-Db3U6oHa.js | AI (source-diff): Bundled fetch + async generator; no malicious indicators. | ai | |
| source-diff | obfuscated-file:dist/apply-styled-options-to-query-k10gkPCG.cjs | AI (source-diff): Standard Vite minified CJS build chunk; consistent with SDK build pipeline. | ai | |
| source-diff | net-exec-file:dist/apply-styled-options-to-query-BzMAmDnD.js | AI (source-diff): Network calls are Sisense API fetches; dynamic execution is async generator pattern from bundler output. | ai | |
| source-diff | net-exec-file:dist/apply-styled-options-to-query-k10gkPCG.cjs | AI (source-diff): Same as ESM counterpart; bundled fetch + async generator, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/dimensions-huCJK0y6.cjs | AI (source-diff): Minified CJS chunk from Vite build; content is Sisense dimensional model code. | ai | |
| source-diff | obfuscated-file:dist/use-hover-CkmV6eu9.js | AI (source-diff): Minified ESM chunk; content is React hook and chart component code. | ai | |
| source-diff | net-exec-file:dist/use-hover-CkmV6eu9.js | AI (source-diff): Bundled fetch + async generator pattern; no exfiltration or shell execution. | ai | |
| source-diff | obfuscated-file:dist/use-hover-D_mBUhp9.cjs | AI (source-diff): Minified CJS chunk; content is React/i18n/Sisense SDK code. | ai | |
| phantom-deps | phantom-dep:react-number-format | AI (phantom-deps): UI SDK pattern; re-exported for consumer convenience. | ai | |
| phantom-deps | phantom-dep:react-error-boundary | AI (phantom-deps): UI SDK pattern; re-exported for consumer convenience. | ai | |
| phantom-deps | phantom-dep:highcharts-react-official | AI (phantom-deps): UI SDK pattern; re-exported for consumer convenience. | ai | |
| phantom-deps | phantom-dep:highcharts-rounded-corners | AI (phantom-deps): UI SDK pattern; re-exported for consumer convenience. | ai | |
| phantom-deps | phantom-dep:@mui/icons-material | AI (phantom-deps): UI SDK pattern; MUI icons imported indirectly through component exports. | ai | |
| phantom-deps | phantom-dep:@dnd-kit/utilities | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:uuid | AI (phantom-deps): Large monorepo bundle; phantom-dep heuristic fires on bundled/re-exported deps, stable false positive. | ai | |
| phantom-deps | phantom-dep:fixed-data-table-2 | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:yaml | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:immer | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:semver | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:date-fns | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:deepmerge | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:dompurify | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:lodash-es | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:classnames | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:@mui/system | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:date-fns-tz | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:proj4leaflet | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:ts-deepmerge | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:whatwg-fetch | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:react-i18next | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:@emotion/cache | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:markdown-to-jsx | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:@dnd-kit/modifiers | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
Versions (showing 4 of 4)
| Version | Deps | Published |
|---|---|---|
| 2.27.0 | 47 / 54 | |
| 2.26.0 | 47 / 54 | |
| 2.25.0 | 47 / 54 | |
| 2.24.0 | 46 / 54 | |
v2.27.0
14 findings

- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.26.0
1 finding

- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.25.0
1 finding

- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.24.0
1 finding

- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.