@vechain/vechain-kit
All-in-one React library for building VeChain applications with wallet integration, social logins, developer hooks, and pre-built UI components.
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/assets-CZs6EVH8.cjs | AI (source-diff): Standard minified build output from tsdown bundler; content is UI components and SVG assets. | ai | |
| source-diff | obfuscated-file:dist/index-DqmXn4Mz.d.mts | AI (source-diff): TypeScript declaration file with long lines due to bundled type exports; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/utils-DPIscp9_.mjs | AI (source-diff): Standard minified ESM build output; content shows readable contract addresses and utility functions. | ai | |
| source-diff | obfuscated-file:dist/assets-C0RHiZ9a.mjs | AI (source-diff): Standard minified ESM build output; content is SVG assets and UI components. | ai | |
| source-diff | obfuscated-file:dist/index-lFyi52Xi.d.cts | AI (source-diff): TypeScript declaration file with long lines due to bundled type exports; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/utils-C4gc1L9t.cjs | AI (source-diff): Standard minified build output; content shows readable contract addresses and utility functions. | ai | |
| source-diff | obfuscated-file:dist/index-CirBvNlg.d.mts | AI (source-diff): TypeScript declaration file with long lines due to bundled type exports; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/index-CR1vQAAH.d.cts | AI (source-diff): TypeScript declaration file with long lines due to bundled type exports; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/index-CakR5Xyt.d.cts | AI (source-diff): TypeScript declaration file with long import lines; not obfuscated, just bundled type defs. | ai | |
| source-diff | obfuscated-file:dist/index-BJC0UjWs.d.mts | AI (source-diff): TypeScript declaration file with long import lines; not obfuscated, just bundled type defs. | ai | |
| source-diff | obfuscated-file:dist/utils-DJKLAzLP.cjs | AI (source-diff): Standard bundler minification output; content is readable JS with plaintext contract addresses, not obfuscated malware. | ai | |
| phantom-deps | phantom-dep:i18next-browser-languagedetector | AI (phantom-deps): Declared as runtime dep, used via i18next plugin config; stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/index-BvKpDLIo.d.mts | AI (source-diff): TypeScript declaration file with long lines; not executable code, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/index-C4fIl4KD.d.cts | AI (source-diff): TypeScript declaration file with long lines; not executable code, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/utils-KYzX9d5n.mjs | AI (source-diff): Standard bundler minification output; ESM equivalent of the CJS bundle, same pattern. | ai | |
| source-diff | obfuscated-file:dist/utils-D0w5dcVX.cjs | AI (source-diff): Standard minified CJS bundle from tsdown build; content is readable blockchain config, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/index-B93L_AT2.d.mts | AI (source-diff): TypeScript declaration file with long single-line type exports; not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/index-QQ-9cIOs.d.cts | AI (source-diff): TypeScript declaration file with long single-line type exports; not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/utils-B1rpHKZq.mjs | AI (source-diff): Standard minified ESM bundle from tsdown build; same pattern as CJS counterpart. | ai | |
| phantom-deps | phantom-dep:net | AI (phantom-deps): Node 'net' polyfill declared as dep for browser bundling; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@vechain/vechain-contract-types | AI (phantom-deps): First-party @vechain dep declared in dependencies; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:process | AI (phantom-deps): Node 'process' polyfill declared for browser bundling; stable false positive. | ai | |
| phantom-deps | phantom-dep:wagmi | AI (phantom-deps): wagmi is a declared runtime dep used transitively; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:ethers | AI (phantom-deps): ethers declared as runtime dep; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:framer-motion | AI (phantom-deps): framer-motion is an optional peer dep and declared dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:i18next | AI (phantom-deps): i18next declared as runtime dep; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:react-i18next | AI (phantom-deps): react-i18next declared as runtime dep; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@wagmi/core | AI (phantom-deps): @wagmi/core declared as runtime dep; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:bignumber.js | AI (phantom-deps): bignumber.js declared as runtime dep; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:dotenv | AI (phantom-deps): dotenv declared as runtime dep; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:vaul | AI (phantom-deps): vaul declared as runtime dep; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@emotion/styled | AI (phantom-deps): @emotion/styled declared as runtime and peer dep; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@solana/web3.js | AI (phantom-deps): @solana/web3.js declared as runtime dep (privy cross-chain support); phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@vechain/picasso | AI (phantom-deps): First-party @vechain dep declared in dependencies; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:react-qrcode-logo | AI (phantom-deps): react-qrcode-logo declared as runtime dep; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:react-device-detect | AI (phantom-deps): react-device-detect declared as runtime dep; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@adraffy/ens-normalize | AI (phantom-deps): @adraffy/ens-normalize declared as runtime dep; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@privy-io/cross-app-connect | AI (phantom-deps): @privy-io/cross-app-connect declared as runtime dep; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@tanstack/react-query-devtools | AI (phantom-deps): @tanstack/react-query-devtools declared as runtime dep; phantom-dep heuristic false positive. | ai | |
Versions (showing 6 of 6)
| Version | Deps | Published |
|---|---|---|
| 2.10.0 | 31 / 9 | |
| 2.9.0 | 31 / 9 | |
| 2.8.2 | 31 / 9 | |
| 2.8.1 | 31 / 9 | |
| 2.8.0 | 31 / 9 | |
| 2.7.0 | 31 / 9 | |
v2.10.0
7 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.9.0
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.8.2
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.8.1
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.8.0
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.