@tarojs/components
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/taro-components/p-7101805b.entry.js | AI (source-diff): Stencil.js build output; minified component bundles are expected for this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Thin index.js is intentional; real entry points are browser/module fields pointing to Stencil dist. | ai | |
| source-diff | obfuscated-file:dist/taro-components/p-6b70dd10.js | AI (source-diff): Standard Stencil.js runtime core bundle; recognizable vdom/hydration code. | ai | |
| source-diff | obfuscated-file:dist/taro-components/p-54909632.entry.js | AI (source-diff): Standard Stencil.js minified build output for picker component. | ai | |
| source-diff | obfuscated-file:dist/taro-components/p-50b4501e.entry.js | AI (source-diff): Standard Stencil.js minified build output for video component. | ai | |
| source-diff | obfuscated-file:dist/taro-components/p-15e4a4dd.entry.js | AI (source-diff): Standard Stencil.js minified build output for slider component. | ai | |
| source-diff | obfuscated-file:dist/taro-components/p-8c1388af.entry.js | AI (source-diff): Standard Stencil.js minified build output for tabbar component. | ai | |
| source-diff | obfuscated-file:dist/taro-components/p-74bce5e4.entry.js | AI (source-diff): Standard Stencil.js minified build output for picker-view component. | ai | |
| source-diff | obfuscated-file:dist/taro-components/p-0d00de46.entry.js | AI (source-diff): Standard Stencil.js minified build output; naming convention and content confirm legitimate UI components. | ai | |
| source-diff | obfuscated-file:dist/taro-components/p-77790443.entry.js | AI (source-diff): Standard Stencil.js minified build output for scroll-view component. | ai | |
| source-diff | obfuscated-file:dist/taro-components/p-15c2bd13.js | AI (source-diff): Stencil.js build output; minified chunks with hashed names are normal for this package. | ai | |
| source-diff | obfuscated-file:dist/taro-components/p-fa9a3a11.js | AI (source-diff): Stencil.js build output; minified chunks with hashed names are normal for this package. | ai | |
| source-diff | obfuscated-file:dist/taro-components/p-3b0507ef.entry.js | AI (source-diff): Stencil.js minified input component chunk; no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/taro-components/p-07864e09.entry.js | AI (source-diff): Stencil.js minified web component chunk; content is standard UI component code, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/taro-components/p-0adabf61.entry.js | AI (source-diff): Stencil.js minified swiper component chunk; no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/taro-components/p-0ea53611.entry.js | AI (source-diff): Stencil.js minified picker/date component chunk; no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/taro-components/p-262d3cc6.entry.js | AI (source-diff): Stencil.js minified checkbox component chunk; no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/esm/checkbox-da6b07ea.js | AI (source-diff): Standard Stencil.js minified build output for UI components; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/cjs/checkbox-ffc9c1a2.js | AI (source-diff): Standard Stencil.js minified build output for UI components; not obfuscated malware. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a declared runtime dependency used implicitly by TypeScript compilation; stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/cjs/button-8f729d81.js | AI (source-diff): Standard Stencil.js minified build output for UI components; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/esm/button-cd801674.js | AI (source-diff): Standard Stencil.js minified build output for UI components; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/taro-components/p-0f95be56.entry.js | AI (source-diff): Stencil entry chunk (switch component); minified by design. | ai | |
| source-diff | obfuscated-file:dist/esm-es5/loader.js | AI (source-diff): Stencil lazy-loader bundle; minified by design. | ai | |
| source-diff | obfuscated-file:lib/vue2/components.js | AI (source-diff): Standard Stencil.js/Vue2 build output for Taro components; minification is expected. | ai | |
| source-diff | obfuscated-file:dist/esm-es5/index-ab3c86da.js | AI (source-diff): Stencil compiled ESM-ES5 bundle; minified by design. | ai | |
| source-diff | obfuscated-file:dist/taro-components/p-2b70c348.system.js | AI (source-diff): Stencil SystemJS bundle; minified by design. | ai | |
| source-diff | obfuscated-file:dist/taro-components/p-1acf7537.entry.js | AI (source-diff): Stencil entry chunk (movable-area component); minified by design. | ai | |
| source-diff | obfuscated-file:dist/taro-components/p-19b04eb7.entry.js | AI (source-diff): Stencil entry chunk (pull-to-refresh component); minified by design. | ai | |
| source-diff | obfuscated-file:dist/taro-components/p-0fe4660a.entry.js | AI (source-diff): Stencil entry chunk (textarea component); minified by design. | ai | |
Versions (showing 16 of 16)
| Version | Deps | Published |
|---|---|---|
| 4.2.0 | 10 / 24 | |
| 4.1.11 | 10 / 24 | |
| 4.1.10 | 10 / 24 | |
| 4.1.9 | 10 / 24 | |
| 4.1.8 | 10 / 24 | |
| 4.1.7 | 10 / 24 | |
| 4.1.6 | 10 / 24 | |
| 4.1.5 | 10 / 24 | |
| 4.1.4 | 10 / 24 | |
| 4.1.3 | 11 / 24 | |
| 4.1.2 | 11 / 24 | |
| 4.1.1 | 11 / 24 | |
| 4.1.0 | 11 / 24 | |
| 4.0.13 | 11 / 24 | |
| 3.6.40 | 9 / 24 | |
| 3.6.39 | 9 / 24 | |
v4.2.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.11
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (2 files)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.10
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.9
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.8
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.7
5 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (4 files)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.6
5 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (4 files)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.5
6 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (5 files)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.4
9 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (8 files)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.3
9 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (8 files)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.2
2 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.1
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.13
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.6.40
9 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (8 files)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.39
9 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (8 files)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.