@tryghost/activitypub
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/index-C1JfgPpS.mjs | AI (source-diff): Standard Vite-minified React/Radix UI bundle; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/step-1-FuYnph4v.mjs | AI (source-diff): Vite-bundled UI chunk with base64 image data; legitimate build artifact. | ai | |
| source-diff | obfuscated-file:dist/step-2-xemqhpVm.mjs | AI (source-diff): Vite-bundled UI chunk; standard minified imports and base64 image data. | ai | |
| source-diff | obfuscated-file:dist/step-3-CPcGl_DA.mjs | AI (source-diff): Vite-bundled UI chunk; standard minified imports and base64 image data. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Ghost ActivityPub app ships Vite build artifacts; large file count is expected for this package. | ai | |
| source-diff | obfuscated-file:dist/index-Dd1VaS_M.mjs | AI (source-diff): Standard Vite-minified React bundle; React internals clearly visible in sample. | ai | |
| source-diff | obfuscated-file:dist/index-DJ7Yur5_.mjs | AI (source-diff): Standard Vite-bundled React/UI code; minification is expected for this frontend dist package. | ai | |
| source-diff | obfuscated-file:dist/step-3-CHTQ4llZ.mjs | AI (source-diff): Standard Vite-bundled React/UI code; minification is expected for this frontend dist package. | ai | |
| source-diff | obfuscated-file:dist/step-2-D7fe5tRX.mjs | AI (source-diff): Standard Vite-bundled React/UI code; minification is expected for this frontend dist package. | ai | |
| source-diff | obfuscated-file:dist/step-1-DsuHzs7J.mjs | AI (source-diff): Standard Vite-bundled React/UI code; minification is expected for this frontend dist package. | ai | |
| source-diff | obfuscated-file:dist/index-BAAnjpWf.mjs | AI (source-diff): Standard Vite-bundled React/UI code; minification is expected for this frontend dist package. | ai | |
| source-diff | obfuscated-file:dist/index-BdeJK9oy.mjs | AI (source-diff): Standard Vite-bundled React/UI output; samples show React internals and component code, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/step-3-bXaYKkhJ.mjs | AI (source-diff): Vite bundle chunk; sample shows standard icon/component imports, normal build artifact. | ai | |
| source-diff | obfuscated-file:dist/step-2-Ba0p2OLW.mjs | AI (source-diff): Vite bundle chunk with base64 PNG assets; normal build artifact for this Ghost frontend package. | ai | |
| source-diff | obfuscated-file:dist/step-1-62fJ6bXC.mjs | AI (source-diff): Vite bundle chunk with base64 PNG assets; normal build artifact for this Ghost frontend package. | ai | |
| source-diff | obfuscated-file:dist/index-CLcV_zSc.mjs | AI (source-diff): Standard Vite-bundled UI component code (Radix UI Tooltip etc.); minified not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/step-3-BBI6k4Pz.mjs | AI (source-diff): Vite-bundled UI step component; minification is expected for this frontend package. | ai | |
| source-diff | obfuscated-file:dist/step-2-Cr20T_8Z.mjs | AI (source-diff): Vite-bundled UI step component; minification is expected for this frontend package. | ai | |
| source-diff | obfuscated-file:dist/step-1-SDEAyCzr.mjs | AI (source-diff): Vite-bundled UI step component; minification is expected for this frontend package. | ai | |
| source-diff | obfuscated-file:dist/index-CbeWHLjc.mjs | AI (source-diff): Vite-bundled UI component output; minification is expected for this frontend package. | ai | |
| source-diff | obfuscated-file:dist/index-BUxTXK58.mjs | AI (source-diff): Vite-bundled React/UI output; minification is expected for this frontend package. | ai | |
| source-diff | obfuscated-file:dist/step-3-CRM7Q4-H.mjs | AI (source-diff): Vite-bundled UI component; standard minified build output. | ai | |
| source-diff | obfuscated-file:dist/index-785Myd8I.mjs | AI (source-diff): Vite-bundled React/UI output; minified but clearly legitimate frontend code. | ai | |
| source-diff | obfuscated-file:dist/index-DnyTd1-k.mjs | AI (source-diff): Vite-bundled UI component code; standard minified build output. | ai | |
| source-diff | obfuscated-file:dist/step-1-CC5nP8_b.mjs | AI (source-diff): Vite-bundled UI component with embedded PNG assets; standard build output. | ai | |
| source-diff | obfuscated-file:dist/step-2-kQIJuJBD.mjs | AI (source-diff): Vite-bundled UI component; standard minified build output. | ai | |
| dependencies | unvetted-dep:@tryghost/admin-x-framework | AI (dependencies): Internal Ghost org workspace package; same publisher and repo as this package. | ai | |
| dependencies | unvetted-dep:@tryghost/shade | AI (dependencies): Internal Ghost org workspace package; same publisher and repo as this package. | ai | |
| dependencies | unvetted-dep:html2canvas-objectfit-fix | AI (dependencies): Known canvas library fork; low risk for a UI rendering dependency. | ai | |
| phantom-deps | phantom-dep:@tanstack/react-query | AI (phantom-deps): Bundled Vite app; deps consumed at build time, not directly imported in analyzed source. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-form | AI (phantom-deps): Bundled Vite app; deps consumed at build time, not directly imported in analyzed source. | ai | |
| phantom-deps | phantom-dep:@hookform/resolvers | AI (phantom-deps): Bundled Vite app; deps consumed at build time, not directly imported in analyzed source. | ai | |
| phantom-deps | phantom-dep:react-hook-form | AI (phantom-deps): Bundled Vite app; deps consumed at build time, not directly imported in analyzed source. | ai | |
| phantom-deps | phantom-dep:@tryghost/shade | AI (phantom-deps): Internal Ghost monorepo workspace package; phantom-dep is a false positive for workspace deps. | ai | |
| phantom-deps | phantom-dep:use-debounce | AI (phantom-deps): Bundled Vite app; deps consumed at build time, not directly imported in analyzed source. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): Bundled Vite app; deps consumed at build time, not directly imported in analyzed source. | ai | |
| phantom-deps | phantom-dep:dompurify | AI (phantom-deps): Bundled Vite app; deps consumed at build time, not directly imported in analyzed source. | ai | |
| phantom-deps | phantom-dep:sonner | AI (phantom-deps): Bundled Vite app; deps consumed at build time, not directly imported in analyzed source. | ai | |
| phantom-deps | phantom-dep:react | AI (phantom-deps): Bundled Vite app; deps consumed at build time, not directly imported in analyzed source. | ai | |
| phantom-deps | phantom-dep:zod | AI (phantom-deps): Bundled Vite app; deps consumed at build time, not directly imported in analyzed source. | ai | |
| phantom-deps | phantom-dep:clsx | AI (phantom-deps): Bundled Vite app; deps consumed at build time, not directly imported in analyzed source. | ai | |
| phantom-deps | phantom-dep:@tryghost/admin-x-framework | AI (phantom-deps): Internal Ghost monorepo workspace package; phantom-dep is a false positive for workspace deps. | ai | |
| phantom-deps | phantom-dep:html2canvas-objectfit-fix | AI (phantom-deps): Bundled Vite app; deps consumed at build time, not directly imported in analyzed source. | ai | |
Versions (showing 10 of 10)
| Version | Deps | Published |
|---|---|---|
| 3.1.29 | 15 / 14 | |
| 3.1.26 | 15 / 14 | |
| 3.1.25 | 15 / 14 | |
| 3.1.23 | 15 / 14 | |
| 3.1.21 | 15 / 13 | |
| 3.1.19 | 15 / 13 | |
| 3.1.16 | 15 / 9 | |
| 3.1.14 | 15 / 11 | |
| 3.1.13 | 15 / 11 | |
| 3.1.11 | 9 / 10 | |
v3.1.29
7 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.26
7 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.25
7 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.23
7 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.21
7 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.19
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.16
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.13
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.11
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.