@teambit/node
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:artifacts/env-template/public/243.dac9adbf4f7ad2acb210.js | AI (source-diff): Standard webpack bundle for Bit env-template UI preview; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/peers.8609c56a3038c8ebc4b7.js | AI (source-diff): Webpack bundle shipping MDX/React peer deps; minified but clearly legitimate. | ai | |
| source-diff | net-exec-file:artifacts/env-template/public/peers.8609c56a3038c8ebc4b7.js | AI (source-diff): Webpack chunk; net-exec pattern is normal for bundled UI artifacts. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/overview.9174546e5244c954aeb0.js | AI (source-diff): Webpack bundle for overview preview; standard minified React code. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/compositions.ffef72a48c5a5cc311ac.js | AI (source-diff): Webpack bundle for compositions preview; regenerator-runtime and standard React code. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/874.3ef824f68e8be46dbe18.js | AI (source-diff): Webpack bundle for Bit preview modules; minified but not obfuscated malware. | ai | |
| source-diff | net-exec-file:artifacts/env-template/public/252.f6cbad17a9f4c2c3a1c9.js | AI (source-diff): Webpack chunk; net-exec pattern is normal for bundled UI artifacts. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/252.f6cbad17a9f4c2c3a1c9.js | AI (source-diff): Standard webpack bundle shipping floating-ui React library; not malicious. | ai | |
| source-diff | net-exec-file:artifacts/env-template/public/243.dac9adbf4f7ad2acb210.js | AI (source-diff): Webpack chunk with __webpack_require__; network+exec pattern is normal for bundled UI code. | ai | |
| dependencies | unvetted-dep:@bitdev/node.generators.node-starters | AI (dependencies): Internal bitdev scoped package; consistent with established Bit ecosystem publisher. | ai | |
| dependencies | unvetted-dep:@teambit/toolbox.path.path | AI (dependencies): First-party Teambit ecosystem dep; consistent with this package's component toolchain pattern. | ai | |
| dependencies | unvetted-dep:@bitdev/node.generators.node-templates | AI (dependencies): Bitdev/Teambit ecosystem dep; expected dependency for node environment/generator tooling. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/compositions.f38d8c0becc101e2acaa.js | AI (source-diff): Standard webpack-minified UI preview chunk for Bit component preview system. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/peers.d8c63cae14c8e0c9477f.js | AI (source-diff): Standard webpack-minified peer bundle exposing React/MDX globals for Bit preview; benign pattern. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/overview.41ee340a90bc2ac5075a.js | AI (source-diff): Standard webpack-minified UI preview chunk; contains regenerator-runtime and Bit preview module code. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/compositions.e95ef396af1977740144.js | AI (source-diff): Standard webpack bundle in Bit env-template preview artifacts; consistent with teambit build pipeline across all versions. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/peers.87f56294904adf4fe9ad.js | AI (source-diff): Standard webpack bundle exposing React/MDX peers for Bit preview; consistent with teambit build pipeline. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/overview.66b9227529c261d0a62a.js | AI (source-diff): Standard webpack bundle in Bit env-template preview artifacts; consistent with teambit build pipeline across all versions. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/peers.8ee1fc46c15733b32f9c.js | AI (source-diff): Webpack-bundled env-template preview chunk; minification expected. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/overview.88c645eebaf3a51be3f4.js | AI (source-diff): Webpack-bundled env-template preview chunk; minification expected. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/compositions.fe4b301b30825fe7ebd3.js | AI (source-diff): Webpack-bundled env-template preview chunk; minification expected. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/peers.403bb39a4ad28f6ad7f6.js | AI (source-diff): Standard webpack-minified UI preview chunk from Bit platform; not obfuscation. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/compositions.8a4e03fc8ba8ef6890d6.js | AI (source-diff): Standard webpack-minified UI preview chunk from Bit platform; not obfuscation. | ai | |
| source-diff | net-exec-file:artifacts/env-template/public/32.4a5bfd3b1b4cefd65f08.js | AI (source-diff): Webpack chunk with __webpack_require__ dynamic loading; standard bundler pattern, not dropper. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/32.4a5bfd3b1b4cefd65f08.js | AI (source-diff): Standard webpack-minified UI preview chunk from Bit platform; not obfuscation. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/overview.278cf9c7e3930c08fb1c.js | AI (source-diff): Standard webpack-minified UI preview chunk from Bit platform; not obfuscation. | ai | |
| source-diff | net-exec-file:artifacts/env-template/public/760.847613853bcbcc911626.js | AI (source-diff): Network refs and dynamic require are webpack runtime patterns in Bit preview bundles, not dropper behavior. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/peers.bb185d544a29f45b74bb.js | AI (source-diff): Standard webpack-minified peers bundle for Bit preview; new Function is webpack runtime pattern. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/overview.55589fe7b2efb028382c.js | AI (source-diff): Standard webpack-minified UI preview chunk for Bit component overview. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/compositions.78414b1d03731ec8ab70.js | AI (source-diff): Standard webpack-minified UI preview chunk for Bit component compositions. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/760.847613853bcbcc911626.js | AI (source-diff): Standard webpack-minified UI preview chunk; pattern is stable across all @teambit/node versions. | ai | |
| source-diff | net-exec-file:artifacts/env-template/public/271.8983b12775e9c1379e11.js | AI (source-diff): Webpack chunk with __webpack_require__ dynamic loading; not dropper malware. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/252.a4ec8971a39563ffeeaa.js | AI (source-diff): Standard webpack bundle artifact; minification is expected for UI preview chunks in this package. | ai | |
| source-diff | net-exec-file:artifacts/env-template/public/252.a4ec8971a39563ffeeaa.js | AI (source-diff): Webpack chunk with __webpack_require__ dynamic loading; not dropper malware. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/271.8983b12775e9c1379e11.js | AI (source-diff): Standard webpack bundle artifact; minification is expected for UI preview chunks in this package. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/compositions.ceaa34095d2f6321efcf.js | AI (source-diff): Standard webpack bundle artifact; minification is expected for UI preview chunks in this package. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/overview.df61829d14e1257c0499.js | AI (source-diff): Standard webpack bundle artifact; minification is expected for UI preview chunks in this package. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/peers.421ef9c615d8af6eb7f4.js | AI (source-diff): Standard webpack bundle artifact; minification is expected for UI preview chunks in this package. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/372.747516dd003c8cd1f1c0.js | AI (source-diff): Webpack-bundled UI preview artifact; minification is expected for this package's env-template build output. | ai | |
| source-diff | net-exec-file:artifacts/env-template/public/372.747516dd003c8cd1f1c0.js | AI (source-diff): Standard webpack chunk with __webpack_require__; network+exec pattern is from bundled UI preview, not malware. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/624.bc39f54c0b0fdd16b3a5.js | AI (source-diff): Webpack-bundled floating-ui/React UI artifact; minification expected in env-template build output. | ai | |
| source-diff | net-exec-file:artifacts/env-template/public/624.bc39f54c0b0fdd16b3a5.js | AI (source-diff): Standard webpack chunk; net+exec pattern is from bundled UI preview, not malware. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/compositions.03557bc770ae79381b47.js | AI (source-diff): Webpack-bundled Bit preview module artifact; minification expected. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/overview.9afe0976ce35f6a6a6a4.js | AI (source-diff): Webpack-bundled Bit preview artifact; minification expected. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/peers.3f9923d78ac19fbc8c0c.js | AI (source-diff): Webpack-bundled peers bundle for Bit env-template; minification expected. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/overview.ff8699ad93908740082a.js | AI (source-diff): Standard webpack build artifact for Bit preview; content is recognizable React/regenerator code, not malicious. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/peers.29b71fc864b102427c73.js | AI (source-diff): Standard webpack build artifact exposing peer deps (React, ReactDom) for Bit preview; not malicious. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/compositions.9efab5c153d48c47b643.js | AI (source-diff): Standard webpack build artifact for Bit preview; content is recognizable React/preview module code, not malicious. | ai | |
| source-diff | net-exec-file:artifacts/env-template/public/382.565b03c5d3748e06fc46.js | AI (source-diff): Network+exec pattern is webpack module loading in a browser preview bundle, not dropper malware. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/peers.612ea8565c133d85ac66.js | AI (source-diff): Standard webpack bundle for Bit env-template preview; minification is expected build output. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/overview.c6321ae4b79c6bb228ee.js | AI (source-diff): Standard webpack bundle for Bit env-template preview; minification is expected build output. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/compositions.902a1287b720668a5349.js | AI (source-diff): Standard webpack bundle for Bit env-template preview; minification is expected build output. | ai | |
| source-diff | obfuscated-file:artifacts/env-template/public/382.565b03c5d3748e06fc46.js | AI (source-diff): Standard webpack bundle for Bit env-template preview; minification is expected build output, not obfuscation. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-mdx | AI (phantom-deps): ESLint plugin referenced in config; not directly imported by design. | ai | |
| phantom-deps | phantom-dep:@typescript-eslint/eslint-plugin | AI (phantom-deps): ESLint plugin referenced in config; not directly imported by design. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-react-hooks | AI (phantom-deps): ESLint plugin referenced in config; not directly imported by design. | ai | |
| phantom-deps | phantom-dep:@typescript-eslint/parser | AI (phantom-deps): ESLint config reference; not directly imported by design. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-jsx-a11y | AI (phantom-deps): ESLint plugin referenced in config; not directly imported by design. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-import | AI (phantom-deps): ESLint plugin referenced in config; not directly imported by design. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-react | AI (phantom-deps): ESLint plugin referenced in config; not directly imported by design. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Fires inside a webpack bundle artifact; standard build tool pattern for this package. | ai | |
| phantom-deps | phantom-dep:core-js | AI (phantom-deps): Known implicit runtime dependency pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:eslint-mdx | AI (phantom-deps): Referenced in ESLint config files; not a direct import by design. | ai | |
| typosquat | typosquat.levenshtein:zod | AI (typosquat): Scoped @teambit/node package; Levenshtein match to 'zod' is a clear false positive. | ai | |
| phantom-deps | phantom-dep:@babel/runtime | AI (phantom-deps): Framework-scoped package loaded by convention; stable false positive. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-jest | AI (phantom-deps): ESLint plugin referenced in config; not directly imported by design. | ai |
Versions (showing 19 of 19)
| Version | Deps | Published |
|---|---|---|
| 1.0.995 | 39 / 7 | |
| 1.0.982 | 39 / 7 | |
| 1.0.975 | 39 / 7 | |
| 1.0.972 | 39 / 7 | |
| 1.0.971 | 39 / 7 | |
| 1.0.970 | 39 / 7 | |
| 1.0.969 | 39 / 7 | |
| 1.0.968 | 39 / 7 | |
| 1.0.967 | 39 / 7 | |
| 1.0.938 | 39 / 7 | |
| 1.0.925 | 39 / 7 | |
| 1.0.630 | 39 / 7 | |
| 1.0.628 | 39 / 7 | |
| 1.0.626 | 39 / 7 | |
| 1.0.625 | 39 / 7 | |
| 1.0.624 | 39 / 7 | |
| 1.0.623 | 39 / 7 | |
| 1.0.621 | 39 / 7 | |
| 1.0.617 | 39 / 7 |
v1.0.995
10 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.982
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.975
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.972
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.970
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.969
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.967
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.938
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.925
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.630
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.628
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.626
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.625
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.624
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.623
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.621
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.617
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.