@vitessce/comparative
This folder contains a sub-package which:
- re-exports all of the entries from `vitessce` (i.e., the exports of the subpackage located in `packages/main/prod`)
- plus, exports controlled and un-controlled variants of a component that wraps `<Vitessce/>` f
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/higlass-DA6D2z7x.js | AI (source-diff): Network calls and dynamic code in HiGlass bundle are part of normal visualization library functionality, not malware. | ai | |
| source-diff | obfuscated-file:dist/higlass-DA6D2z7x.js | AI (source-diff): Standard Vite bundle of HiGlass visualization library; minified output is expected for this package. | ai | |
| source-diff | net-exec-file:dist/ReactNeuroglancer-DVTouLdy.js | AI (source-diff): ReactNeuroglancer bundle; network/dynamic patterns are part of the Neuroglancer 3D viewer functionality. | ai | |
| source-diff | obfuscated-file:dist/lerc-C__sKrTH.js | AI (source-diff): LERC (Esri raster codec) bundled as minified output; expected for geospatial visualization library. | ai | |
| source-diff | net-exec-file:dist/index-D10X079V.js | AI (source-diff): Network/dynamic patterns in main bundle are part of vitessce's data-fetching visualization functionality. | ai | |
| source-diff | obfuscated-file:dist/index-D10X079V.js | AI (source-diff): Main Vite bundle for vitessce; minified output is expected and consistent with prior releases. | ai | |
| source-diff | obfuscated-file:dist/index-CtfYbkUc.js | AI (source-diff): Standard Vite bundle output for vitessce component; minification is expected. | ai | |
| source-diff | obfuscated-file:dist/lerc-RGuForS6.js | AI (source-diff): Bundled LERC codec (Esri); minification expected. | ai | |
| source-diff | obfuscated-file:dist/lz4-D5NbssRf.js | AI (source-diff): Bundled LZ4 codec; minification expected. | ai | |
| source-diff | net-exec-file:dist/ReactNeuroglancer-BtggQLeE.js | AI (source-diff): ReactNeuroglancer is a known 3D neuroscience viewer; network+rendering is expected. | ai | |
| source-diff | obfuscated-file:dist/zstd-DoGJTjDa.js | AI (source-diff): Bundled zstd codec; minification expected. | ai | |
| provenance | publisher-changed | AI (provenance): Monorepo migrated to GitHub Actions CI publishing; SLSA attestation confirms legitimate CI origin. | ai | |
| source-diff | obfuscated-file:dist/index-ByPsZX9d.js | AI (source-diff): Vite-bundled spatial viewer code; minification expected. | ai | |
| source-diff | obfuscated-file:dist/blosc-DKW2fp0s.js | AI (source-diff): Vite-bundled WASM codec; minification is expected for this package. | ai | |
| source-diff | obfuscated-file:dist/higlass-DaUGvOUd.js | AI (source-diff): Bundled higlass visualization library; minification expected. | ai | |
| source-diff | net-exec-file:dist/higlass-DaUGvOUd.js | AI (source-diff): higlass bundle legitimately uses fetch + dynamic rendering; not malware. | ai | |
| source-diff | obfuscated-file:dist/index-BlHlPnNM.js | AI (source-diff): Main Vite bundle; minification is standard build output. | ai | |
| source-diff | net-exec-file:dist/index-BlHlPnNM.js | AI (source-diff): Main bundle uses fetch for data loading; standard for a viz toolkit. | ai | |
| source-diff | obfuscated-file:dist-tsc/ComparativeConfig.js | AI (source-diff): TypeScript-compiled output with long lines; not obfuscated malware. | ai | |
| phantom-deps | phantom-dep:@vitessce/zarr | AI (phantom-deps): Same-org monorepo sibling; may be re-exported rather than directly imported. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Monorepo sub-package; sparse README and no keywords are expected for internal scoped packages. | ai | |
| phantom-deps | phantom-dep:react-window | AI (phantom-deps): Likely used transitively or via re-export in this monorepo package. | ai | |
| phantom-deps | phantom-dep:internmap | AI (phantom-deps): Likely used transitively or via re-export in this monorepo package. | ai | |
| phantom-deps | phantom-dep:@vitessce/constants-internal | AI (phantom-deps): Same-org monorepo sibling; re-export pattern is expected. | ai | |
| phantom-deps | phantom-dep:@vitessce/abstract | AI (phantom-deps): Same-org monorepo sibling; re-export pattern is expected. | ai | |
| phantom-deps | phantom-dep:@vitessce/error | AI (phantom-deps): Same-org monorepo sibling; re-export pattern is expected. | ai | |
v3.9.9
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.9.8
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.9.7
13 findings
This version was published by a different npm account than previous versions on 2026-04-10. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.