@superblocksteam/vite-plugin-file-sync
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/ai-service/prompt-builder-service/static-fragments/platform-parts/superblocks-theming-chakra-new.js | AI (source-diff): Long lines are embedded markdown documentation strings (AI prompts), not obfuscated code. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/ai-service/agent/apis-system-prompt.d.ts | AI (source-diff): Long lines are embedded AI system prompt strings in a .d.ts declaration file, not obfuscated executable code. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps (tar, tokenlens, @babel/types, etc.) are all reputable packages matching the new AI service feature. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers are within the same Superblocks org; consistent with team growth. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 260 new files correspond to the new ai-service module; consistent with feature expansion, not injection. | ai | |
| source-diff | obfuscated-file:dist/ai-service/skills/system/superblocks-api/references/rest-apis.generated.d.ts | AI (source-diff): Long-line .d.ts files export markdown documentation strings; not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/ai-service/skills/system/superblocks-api/references/graphql.generated.d.ts | AI (source-diff): Long-line .d.ts files export markdown documentation strings; not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/ai-service/skills/system/superblocks-frontend/references/embedding.generated.d.ts | AI (source-diff): Long-line .d.ts files export markdown documentation strings; not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/ai-service/skills/system/superblocks-api/references/code-blocks.generated.d.ts | AI (source-diff): Long-line .d.ts files export markdown documentation strings; not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/ai-service/skills/system/third-party-migration/claude-design.generated.d.ts | AI (source-diff): Long lines are markdown documentation embedded as a string literal in a generated .d.ts file, not obfuscated code. | ai | |
| phantom-deps | phantom-dep:lucide-static | AI (phantom-deps): Config-referenced; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@babel/core | AI (phantom-deps): Framework-scoped, loaded by convention in build tooling. | ai | |
| phantom-deps | phantom-dep:lru-cache | AI (phantom-deps): Config-referenced dep in a build tool; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/turndown | AI (phantom-deps): Type-only dep; not directly imported at runtime by design. | ai | |
| phantom-deps | phantom-dep:eventsource-parser | AI (phantom-deps): Config-referenced; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@superblocksteam/linter | AI (phantom-deps): Same-org sibling dep; stable false positive for this monorepo package. | ai | |
| phantom-deps | phantom-dep:@typescript-eslint/parser | AI (phantom-deps): Same monorepo pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/api-logs | AI (phantom-deps): Same monorepo pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@anthropic-ai/tokenizer | AI (phantom-deps): Same monorepo pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:path-to-regexp | AI (phantom-deps): Same monorepo pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@lezer/common | AI (phantom-deps): Same monorepo pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:tokenlens | AI (phantom-deps): Same monorepo pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:winston | AI (phantom-deps): Same monorepo pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:ignore | AI (phantom-deps): Same monorepo pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:acorn | AI (phantom-deps): Monorepo build tool; phantom-dep heuristic fires on config-referenced deps, stable false positive. | ai | |
Versions (showing 51 of 94)
| Version | Deps | Published |
|---|---|---|
| 2.0.124 | 49 / 43 | |
| 2.0.123 | 46 / 40 | |
| 2.0.122 | 46 / 40 | |
| 2.0.121 | 46 / 40 | |
| 2.0.120 | 46 / 40 | |
| 2.0.119 | 46 / 39 | |
| 2.0.118 | 46 / 39 | |
| 2.0.117 | 46 / 39 | |
| 2.0.114 | 45 / 39 | |
| 2.0.113 | 45 / 39 | |
| 2.0.112 | 45 / 39 | |
| 2.0.111 | 45 / 39 | |
| 2.0.110 | 45 / 39 | |
| 2.0.109 | 45 / 39 | |
| 2.0.108 | 45 / 39 | |
| 2.0.107 | 45 / 39 | |
| 2.0.106 | 45 / 39 | |
| 2.0.105 | 45 / 39 | |
| 2.0.104 | 45 / 39 | |
| 2.0.103 | 45 / 38 | |
| 2.0.102 | 44 / 38 | |
| 2.0.101 | 44 / 38 | |
| 2.0.89 | 40 / 35 | |
| 2.0.88 | 40 / 35 | |
| 2.0.87 | 40 / 35 | |
| 2.0.86 | 40 / 29 | |
| 2.0.85 | 40 / 29 | |
| 2.0.80 | 49 / 35 | |
| 2.0.79 | 49 / 35 | |
| 2.0.78 | 49 / 35 | |
| 2.0.77 | 46 / 33 | |
| 2.0.76 | 46 / 32 | |
| 2.0.75 | 46 / 32 | |
| 2.0.74 | 46 / 32 | |
| 2.0.73 | 46 / 32 | |
| 2.0.72 | 46 / 32 | |
| 2.0.71 | 46 / 32 | |
| 2.0.70 | 46 / 32 | |
| 2.0.69 | 46 / 32 | |
| 2.0.68 | 46 / 32 | |
| 2.0.67 | 46 / 31 | |
| 2.0.66 | 46 / 31 | |
| 2.0.65 | 46 / 31 | |
| 2.0.64 | 46 / 31 | |
| 2.0.63 | 46 / 31 | |
| 2.0.62 | 46 / 31 | |
| 2.0.61 | 46 / 31 | |
| 2.0.60 | 46 / 31 | |
| 2.0.59 | 46 / 31 | |
| 2.0.58 | 46 / 31 | |
| 2.0.57 | 46 / 31 | |
v2.0.124
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.123
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.122
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.121
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.120
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.119
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.118
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.117
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.114
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.113
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.112
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.111
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.110
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.109
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.108
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.107
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.106
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.105
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.104
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.103
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.102
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.101
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.89
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.88
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.87
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.86
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.85
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.80
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.79
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.78
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.77
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.76
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.75
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.74
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.73
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.72
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.71
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.70
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.69
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.68
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.67
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.66
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.65
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.64
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.63
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.62
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.61
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.60
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.59
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.58
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.57
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.