@tarojs/plugin-platform-harmony-hybrid

Harmony 端平台插件

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

yuchexuanzebindefaultleedrchankyjoqq592743779advancedcatbaosiqingzakaryliuzejiavasily.cjjhardenzheng2

Keywords

taro

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	no-provenance	AI (provenance): Large established monorepo; provenance not yet adopted across the Taro ecosystem.	ai	2026/05/17
source-diff	obfuscated-file:dist/packages/taro-platform-harmony-hybrid/dist/definition.json.js	AI (source-diff): Long-line file is a generated API definition object, not obfuscated malicious code; stable pattern for this package.	ai	2026/05/17
source-diff	obfuscated-file:dist/taroApis.d.ts	AI (source-diff): TypeScript declaration file with long lines; generated artifact, not obfuscation.	ai	2026/05/17
phantom-deps	phantom-dep:query-string	AI (phantom-deps): Platform plugin injects deps at runtime; not directly imported by design.	ai	2026/05/15
phantom-deps	phantom-dep:whatwg-fetch	AI (phantom-deps): Platform plugin injects deps at runtime; not directly imported by design.	ai	2026/05/15
phantom-deps	phantom-dep:axios	AI (phantom-deps): Platform plugin injects deps at runtime; not directly imported by design.	ai	2026/05/15
phantom-deps	phantom-dep:@tarojs/plugin-platform-h5	AI (phantom-deps): Same-org Taro package; referenced via config/build tooling, not direct import.	ai	2026/05/15
phantom-deps	phantom-dep:@tarojs/helper	AI (phantom-deps): Same-org Taro package; referenced via config/build tooling, not direct import.	ai	2026/05/15
phantom-deps	phantom-dep:change-case	AI (phantom-deps): Platform plugin injects deps at runtime; not directly imported by design.	ai	2026/05/15
phantom-deps	phantom-dep:jsonp-retry	AI (phantom-deps): Platform plugin injects deps at runtime; not directly imported by design.	ai	2026/05/15

Versions (showing 14 of 14)

Version	Deps	Published
4.2.0	19 / 10	2026-04-13
4.1.11	19 / 10	2026-01-27
4.1.10	19 / 10	2026-01-16
4.1.9	19 / 10	2025-11-28
4.1.8	19 / 10	2025-11-06
4.1.5	19 / 10	2025-08-02
4.1.4	19 / 11	2025-07-11
4.1.3	19 / 10	2025-06-30
4.1.2	18 / 11	2025-06-05
4.1.1	18 / 11	2025-05-18
4.1.0	18 / 11	2025-05-16
4.0.13	18 / 11	2025-05-09
3.6.40	18 / 14	2026-04-13
3.6.39	18 / 14	2026-03-05

v4.2.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.1.11

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.1.10

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.1.9

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.1.8

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.1.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.1.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.1.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.1.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.1.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.0.13

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.6.40

3 findings

HIGH New obfuscated file: dist/packages/taro-platform-harmony-hybrid/dist/definition.json.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/taroApis.d.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.6.39

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.