@sme.up/ketchup2
Sme.UP web components library
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | large-new-source-files | AI (source-diff): 183 new files reflect addition of mermaid/cytoscape diagram dependencies; consistent with changelog scope. | ai | |
| source-diff | obfuscated-file:dist/diagram-2AECGRRQ-C6vI3yau.cjs | AI (source-diff): Minified mermaid diagram bundle; standard Vite output. | ai | |
| source-diff | obfuscated-file:dist/diagram-KO2AKTUF-CjA_KTJj.cjs | AI (source-diff): Minified mermaid diagram bundle; standard Vite output. | ai | |
| source-diff | obfuscated-file:dist/diagram-LMA3HP47-DBwSTp2j.cjs | AI (source-diff): Minified mermaid diagram bundle; standard Vite output. | ai | |
| source-diff | obfuscated-file:dist/diagram-OG6HWLK6-BdLnbUYy.cjs | AI (source-diff): Minified mermaid diagram bundle; standard Vite output. | ai | |
| source-diff | obfuscated-file:dist/dist-DC1YYeHc.cjs | AI (source-diff): Minified d3 dist bundle; standard Vite output. | ai | |
| source-diff | encoded-string-file:dist/ketchup2.es.js | AI (source-diff): Long encoded strings in UI component library bundles are typically base64 SVG/font data; consistent with this package type. | ai | |
| source-diff | obfuscated-file:dist/arc-MUYNnJxV.cjs | AI (source-diff): Minified d3-arc library bundle; standard Vite build output. | ai | |
| source-diff | obfuscated-file:dist/architectureDiagram-3BPJPVTR-BrmPrClJ.cjs | AI (source-diff): Minified mermaid architecture diagram + cytoscape bundle; standard Vite output. | ai | |
| source-diff | obfuscated-file:dist/blockDiagram-GPEHLZMM-CuzoKhJT.cjs | AI (source-diff): Minified mermaid block diagram bundle; standard Vite output. | ai | |
| source-diff | obfuscated-file:dist/c4Diagram-AAUBKEIU-DU8uXbgK.cjs | AI (source-diff): Minified mermaid C4 diagram bundle; standard Vite output. | ai | |
| source-diff | net-exec-file:dist/chunk-NNHCCRGN-aKMHXBzL.cjs | AI (source-diff): LSP/vscode-languageserver-types bundle; no actual network calls or code execution, false positive. | ai | |
| source-diff | obfuscated-file:dist/cose-bilkent-S5V4N54A-CE-7Sw0Y.cjs | AI (source-diff): Minified cytoscape cose-bilkent layout bundle; standard Vite output. | ai | |
| source-diff | obfuscated-file:dist/cytoscape.esm-BzblyxzZ.cjs | AI (source-diff): Minified cytoscape.js bundle; standard Vite output. | ai | |
| source-diff | obfuscated-file:dist/dagre-BM42HDAG-BhbA1R8l.cjs | AI (source-diff): Minified dagre graph layout bundle; standard Vite output. | ai | |
| source-diff | obfuscated-file:dist/dagre-CC68z3y6.cjs | AI (source-diff): Minified dagre bundle; standard Vite output. | ai | |
| source-diff | obfuscated-file:dist/defaultLocale-Bj_Ndo9V.cjs | AI (source-diff): Minified locale bundle; standard Vite output. | ai | |
| phantom-deps | phantom-dep:d3-hierarchy | AI (phantom-deps): Declared dependency for hierarchical data visualization; stable pattern for this library. | ai | |
| phantom-deps | phantom-dep:echarts | AI (phantom-deps): Declared runtime dependency; referenced in config files for optional charting feature. | ai | |
| phantom-deps | phantom-dep:mermaid | AI (phantom-deps): Declared runtime dependency; referenced in config files for optional diagram feature. | ai | |
| phantom-deps | phantom-dep:dompurify | AI (phantom-deps): Declared runtime dependency; referenced in config files for HTML sanitization. | ai | |
| phantom-deps | phantom-dep:react-svg | AI (phantom-deps): Declared runtime dependency; referenced in config files for SVG rendering. | ai | |
| phantom-deps | phantom-dep:pdfjs-dist | AI (phantom-deps): Declared runtime dependency; referenced in config files for PDF feature. | ai | |
Versions (showing 6 of 6)
| Version | Deps | Published |
|---|---|---|
| 2.4.0 | 6 / 41 | |
| 2.3.0 | 6 / 41 | |
| 2.2.0 | 6 / 41 | |
| 2.1.0 | 6 / 41 | |
| 2.0.0 | 6 / 41 | |
| 1.25.0 | 6 / 41 | |
v2.4.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.0
17 findings:
- 14 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.25.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.