@tokenflight/swap
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/bridge-BaH05V0t.js | AI (source-diff): Standard Vite bundle output for widget bridge; readable minified code, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/zh-TW-CG-ua9cn.js | AI (source-diff): Chinese (Traditional) i18n locale strings; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/zh-CN-Qnc6ozkb.js | AI (source-diff): Chinese (Simplified) i18n locale strings; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/widget-DKrK3hCc.js | AI (source-diff): Widget bundle; standard minified output. | ai | |
| source-diff | obfuscated-file:dist/usePageRouter-C9px48pG.js | AI (source-diff): Page router hook bundle; standard minified output. | ai | |
| source-diff | obfuscated-file:dist/SwapComponent-r6gFMQDK.js | AI (source-diff): SolidJS swap component bundle; standard minified output. | ai | |
| source-diff | obfuscated-file:dist/shared.module-BORGC5lt.js | AI (source-diff): Shared module bundle; standard Vite output. | ai | |
| source-diff | obfuscated-file:dist/register-widget-BNCrsb0V.js | AI (source-diff): Widget registration/shadow DOM setup; standard minified output. | ai | |
| source-diff | obfuscated-file:dist/ReceiveComponent-CG4ZOm4X.js | AI (source-diff): SolidJS component bundle; standard minified output. | ai | |
| source-diff | obfuscated-file:dist/rank-offers-C1sqecwN.js | AI (source-diff): Token ranking/offer logic bundle; readable minified code. | ai | |
| source-diff | obfuscated-file:dist/ko-KR-ixklPQrK.js | AI (source-diff): Korean i18n locale strings; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/ja-JP-dq1hxi1o.js | AI (source-diff): Japanese i18n locale strings; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/en-US-CA6Sa-oZ.js | AI (source-diff): i18n locale strings file; clearly readable UI text, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/dist-7BXv_hiJ.js | AI (source-diff): Babel helpers and HTTP client (ky) bundle; standard minified output. | ai | |
| source-diff | obfuscated-file:dist/ko-KR-B6-oEn8b.js | AI (source-diff): Vite-minified i18n locale bundle; plaintext Korean UI strings, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/ja-JP-B79frXui.js | AI (source-diff): Vite-minified i18n locale bundle; plaintext Japanese UI strings, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/zh-TW-BAk5N41c.js | AI (source-diff): Vite-minified i18n locale bundle; plaintext Traditional Chinese UI strings, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/zh-CN-kLHZNYDI.js | AI (source-diff): Vite-minified i18n locale bundle; plaintext Simplified Chinese UI strings, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/register-widget-CUiL6g1_.js | AI (source-diff): SolidJS reactive runtime bundled by Vite; standard framework code, no malicious patterns. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): Legitimate scoped package with proper repo/metadata; 0.0.0 reflects initial release convention, not malicious intent. | ai | |
| source-diff | obfuscated-file:dist/ja-JP-83cqVPy-.js | AI (source-diff): Vite-compiled i18n locale bundle; minified string literals only, no malicious code. | ai | |
| source-diff | obfuscated-file:dist/zh-TW-D6aZF7b5.js | AI (source-diff): Vite-compiled i18n locale bundle; minified string literals only, no malicious code. | ai | |
| source-diff | obfuscated-file:dist/zh-CN-BaBVFzvs.js | AI (source-diff): Vite-compiled i18n locale bundle; minified string literals only, no malicious code. | ai | |
| source-diff | obfuscated-file:dist/register-widget-CaJUDuje.js | AI (source-diff): Minified SolidJS widget bundle consistent with package purpose; no exfiltration or shell patterns. | ai | |
| source-diff | obfuscated-file:dist/ko-KR-CjqzLa9V.js | AI (source-diff): Vite-compiled i18n locale bundle; minified string literals only, no malicious code. | ai | |
| source-diff | obfuscated-file:dist/en-US-d5YmzdLN.js | AI (source-diff): Vite-compiled i18n locale bundle; minified string literals only, no malicious code. | ai | |
| source-diff | obfuscated-file:dist/iframe-receiver-i4RfQGg2.js | AI (source-diff): Iframe bridge receiver; readable postMessage handler logic in sample. | ai | |
| source-diff | obfuscated-file:dist/bridge-BufC2_tK.js | AI (source-diff): Standard Vite bundle output; readable iframe bridge logic visible in sample. | ai | |
| source-diff | obfuscated-file:dist/browser-BONUFvML.js | AI (source-diff): QR code library bundled output; readable QR encoding logic in sample. | ai | |
| source-diff | obfuscated-file:dist/defaults-loader-CUYh_qLj.js | AI (source-diff): Valibot schema validation bundle; readable validation logic in sample. | ai | |
| source-diff | obfuscated-file:dist/dist-CsBuWseE.js | AI (source-diff): Standard Vite bundle with ky HTTP client; readable error class logic in sample. | ai | |
| source-diff | obfuscated-file:dist/en-US-BsEBXsff.js | AI (source-diff): English i18n strings bundle; fully readable UI string constants. | ai | |
| source-diff | obfuscated-file:dist/iframe.js | AI (source-diff): Iframe widget entry point; readable web component attribute parsing in sample. | ai | |
| source-diff | obfuscated-file:dist/ja-JP-DckpHLDh.js | AI (source-diff): Japanese i18n strings bundle; fully readable UI string constants. | ai | |
| source-diff | obfuscated-file:dist/ko-KR-jzHfArkK.js | AI (source-diff): Korean i18n strings bundle; consistent with i18n pattern. | ai | |
| source-diff | obfuscated-file:dist/zh-CN-Cm_ni5eM.js | AI (source-diff): Simplified Chinese i18n strings bundle; consistent with i18n pattern. | ai | |
| source-diff | obfuscated-file:dist/zh-TW-BnoGGI9_.js | AI (source-diff): Traditional Chinese i18n strings bundle; consistent with i18n pattern. | ai | |
| phantom-deps | phantom-dep:qrcode | AI (phantom-deps): qrcode is bundled into dist output; not directly imported at source level but legitimately used. | ai | |
| source-diff | obfuscated-file:dist/dist-AEh2EHtG.js | AI (source-diff): Standard Vite/Rollup bundle output for a UI widget package; minified but not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/zh-TW-BtbfBVJf.js | AI (source-diff): Plaintext i18n locale file (Traditional Chinese strings); minified but readable and benign. | ai | |
| source-diff | obfuscated-file:dist/zh-CN-BOrEaVNo.js | AI (source-diff): Plaintext i18n locale file (Simplified Chinese strings); minified but readable and benign. | ai | |
| source-diff | obfuscated-file:dist/widget-FccUKqSD.js | AI (source-diff): Vite chunk for the widget component; minified import/export pattern consistent with build tooling. | ai | |
| source-diff | obfuscated-file:dist/ko-KR-BuQ9BHw_.js | AI (source-diff): Plaintext i18n locale file (Korean strings); minified but readable and benign. | ai | |
| source-diff | obfuscated-file:dist/ja-JP-Ie6oD1OM.js | AI (source-diff): Plaintext i18n locale file (Japanese strings); minified but readable and benign. | ai | |
| source-diff | obfuscated-file:dist/ja-JP-C_ZBjfPb.js | AI (source-diff): Minified i18n locale bundle; plaintext UI strings, no malicious payload. | ai | |
| source-diff | obfuscated-file:dist/en-US-qDDiLksN.js | AI (source-diff): Minified i18n locale bundle; plaintext UI strings, no malicious payload. | ai | |
| source-diff | obfuscated-file:dist/zh-TW-CtmyKF1W.js | AI (source-diff): Minified i18n locale bundle; plaintext UI strings, no malicious payload. | ai | |
| source-diff | obfuscated-file:dist/zh-CN-DpZbMBLR.js | AI (source-diff): Minified i18n locale bundle; plaintext UI strings, no malicious payload. | ai | |
| source-diff | obfuscated-file:dist/register-widget-BjfDwWgS.js | AI (source-diff): Vite-bundled SolidJS widget; standard reactive runtime code, no obfuscation. | ai | |
| provenance | no-provenance | AI (provenance): No provenance is a low signal; package content is clean. | ai | |
| source-diff | obfuscated-file:dist/ko-KR-BHIB7ZQf.js | AI (source-diff): Minified i18n locale bundle; plaintext UI strings, no malicious payload. | ai | |
| source-diff | obfuscated-file:dist/ko-KR-BIXVqnQ_.js | AI (source-diff): Minified i18n locale bundle; expected output from Vite build for this widget package. | ai | |
| source-diff | obfuscated-file:dist/en-US-DJW-hZLc.js | AI (source-diff): Minified i18n locale bundle; expected output from Vite build for this widget package. | ai | |
| source-diff | obfuscated-file:dist/zh-TW-Ddf7Ck1N.js | AI (source-diff): Minified i18n locale bundle; expected output from Vite build for this widget package. | ai | |
| source-diff | obfuscated-file:dist/zh-CN-RuuHh9p5.js | AI (source-diff): Minified i18n locale bundle; expected output from Vite build for this widget package. | ai | |
| source-diff | obfuscated-file:dist/register-widget-CXGm8Ih3.js | AI (source-diff): Minified SolidJS widget bundle; standard Vite output for this package. | ai | |
| source-diff | obfuscated-file:dist/ja-JP-BU7auPz-.js | AI (source-diff): Minified i18n locale bundle; expected output from Vite build for this widget package. | ai | |
| source-diff | obfuscated-file:dist/en-US-BdYNpx0K.js | AI (source-diff): Minified i18n locale bundle; content is plain UI strings, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/register-widget-vJhNZS3M.js | AI (source-diff): Standard Vite-bundled widget JS; content is recognizable library code (ky HTTP client, etc.), not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/ko-KR-n0fjdfjr.js | AI (source-diff): Minified i18n locale bundle; content is plain UI strings, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/ja-JP-D0jMcX_A.js | AI (source-diff): Minified i18n locale bundle; content is plain UI strings, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/zh-TW-hpKr3X5A.js | AI (source-diff): Minified i18n locale bundle; content is plain UI strings, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/zh-CN-HIEpOVGH.js | AI (source-diff): Minified i18n locale bundle; content is plain UI strings, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/register-swap-a_E08H4c.js | AI (source-diff): Standard Vite/SolidJS bundle; samples show UI component templates and DOM helpers. | ai | |
| source-diff | obfuscated-file:dist/dist-D4PEwqKq.js | AI (source-diff): Standard Vite bundle output; samples show Babel helpers and HTTP client code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/widget-9I201q7O.js | AI (source-diff): Standard Vite/SolidJS bundle; samples show currency maps and icon definitions. | ai | |
Versions (showing 15 of 15)
| Version | Deps | Published |
|---|---|---|
| 0.3.1 | 2 / 17 | |
| 0.3.0 | 2 / 17 | |
| 0.2.3 | 1 / 16 | |
| 0.2.2 | 1 / 16 | |
| 0.2.1 | 1 / 16 | |
| 0.2.0 | 1 / 16 | |
| 0.1.4 | 1 / 16 | |
| 0.1.3 | 1 / 17 | |
| 0.1.2 | 1 / 16 | |
| 0.1.1 | 1 / 16 | |
| 0.0.4 | 0 / 14 | |
| 0.0.3 | 0 / 14 | |
| 0.0.2 | 0 / 14 | |
| 0.0.1 | 0 / 14 | |
| 0.0.0 | 0 / 14 | |
v0.3.1
15 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (reported 14 times)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.1
7 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (reported 6 times)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
7 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (reported 6 times)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.4
7 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (reported 6 times)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.3
7 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (reported 6 times)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.