@vitessce/all — Greenflagged

This package exports a `<Vitessce/>` component with all available plugins and file types registered.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

keller-mark

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	net-exec-file:dist/ReactNeuroglancer-R9DY-SSe.js	AI (source-diff): ReactNeuroglancer bundle for neuroglancer visualization; network/dynamic code is inherent to the neuroglancer library.	ai	2026/05/26
source-diff	obfuscated-file:dist/higlass-BsC0wgvT.js	AI (source-diff): Standard Vite bundle output for HiGlass; long lines are minified but readable JS, not malicious obfuscation.	ai	2026/05/26
source-diff	net-exec-file:dist/higlass-BsC0wgvT.js	AI (source-diff): Network calls and dynamic code in HiGlass bundle are part of the visualization library's normal operation.	ai	2026/05/26
source-diff	obfuscated-file:dist/index-DpX5nUsD.js	AI (source-diff): Standard Vite bundle; readable Three.js/WebGL visualization code.	ai	2026/05/26
source-diff	obfuscated-file:dist/index-DyvHlPKD.js	AI (source-diff): Main Vite bundle for vitessce; long import lines are minified but clearly legitimate vitessce API exports.	ai	2026/05/26
source-diff	net-exec-file:dist/index-DyvHlPKD.js	AI (source-diff): Network/dynamic code in main bundle is expected for a data visualization library fetching remote datasets.	ai	2026/05/26
source-diff	obfuscated-file:dist/lerc-BKoJuTs1.js	AI (source-diff): LERC decoder (Esri Apache-licensed) bundled as expected; long lines are minified codec code.	ai	2026/05/26
typosquat	typosquat.levenshtein:ajv	AI (typosquat): @vitessce/all is a well-known bioinformatics visualization package; Levenshtein match to 'ajv' is a false positive.	ai	2026/05/02
phantom-deps	phantom-dep:@vitessce/error	AI (phantom-deps): Monorepo aggregator re-exports sibling packages; phantom-dep false positive for this package.	ai	2026/05/02
phantom-deps	phantom-dep:@vitessce/styles	AI (phantom-deps): Monorepo aggregator re-exports sibling packages; phantom-dep false positive for this package.	ai	2026/05/02
phantom-deps	phantom-dep:@vitessce/abstract	AI (phantom-deps): Monorepo aggregator re-exports sibling packages; phantom-dep false positive for this package.	ai	2026/05/02
phantom-deps	phantom-dep:@vitessce/spatial-three	AI (phantom-deps): Monorepo aggregator re-exports sibling packages; phantom-dep false positive for this package.	ai	2026/05/02
phantom-deps	phantom-dep:@vitessce/spatial-accelerated	AI (phantom-deps): Monorepo aggregator re-exports sibling packages; phantom-dep false positive for this package.	ai	2026/05/02
bogus-package	bogus-package	AI (bogus-package): Aggregator/umbrella package in a monorepo; minimal README and no keywords are expected for internal sub-packages.	ai	2026/05/02

Versions (showing 3 of 3)

Version	Deps	Published
3.9.9	33 / 3	2026-05-20
3.9.8	33 / 3	2026-04-29
3.9.7	33 / 3	2026-04-10

v3.9.9

8 findings

HIGH New obfuscated file: dist/higlass-BsC0wgvT.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/higlass-BsC0wgvT.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: dist/index-DpX5nUsD.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/index-DyvHlPKD.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/index-DyvHlPKD.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: dist/lerc-BKoJuTs1.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/ReactNeuroglancer-R9DY-SSe.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.8

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.