@vitessce/launcher — Greenflagged

This subpackage provides a React component for launching Vitessce. It allows users to load local files via drag-and-drop or file selection, as well as load remote data and configurations from URL.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

keller-mark

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	net-exec-file:dist/ReactNeuroglancer-Cb2ywexW.js	AI (source-diff): ReactNeuroglancer bundle for neuroimaging visualization; network + dynamic code is expected.	ai	2026/05/26
source-diff	obfuscated-file:dist/higlass-BXmDHp1M.js	AI (source-diff): Vite-bundled HiGlass visualization library; minified output is expected for this package.	ai	2026/05/26
source-diff	net-exec-file:dist/higlass-BXmDHp1M.js	AI (source-diff): Network calls and dynamic code in HiGlass bundle are part of the visualization library's normal operation.	ai	2026/05/26
source-diff	obfuscated-file:dist/index-BGzgHqzw.js	AI (source-diff): Vite-bundled output for vitessce visualization components; minification is expected.	ai	2026/05/26
source-diff	obfuscated-file:dist/index-C7kW8YKc.js	AI (source-diff): Main Vite bundle for vitessce; long lines are standard minified output, not obfuscation.	ai	2026/05/26
source-diff	net-exec-file:dist/index-C7kW8YKc.js	AI (source-diff): Network + dynamic code in main vitessce bundle is expected for a data visualization framework.	ai	2026/05/26
source-diff	obfuscated-file:dist/lerc-DlsnNE1I.js	AI (source-diff): LERC (Esri raster decoder) bundled output; minification is expected.	ai	2026/05/26
dependencies	unvetted-dep:@vitessce/example-configs	AI (dependencies): Same-org sibling package in the vitessce monorepo; expected internal dependency.	ai	2026/05/13
dependencies	unvetted-dep:@vitessce/example-plugins	AI (dependencies): Same-org sibling package in the vitessce monorepo; expected internal dependency.	ai	2026/05/13
phantom-deps	phantom-dep:@vitessce/example-configs	AI (phantom-deps): Same-org monorepo sibling; stable false positive.	ai	2026/05/02
phantom-deps	phantom-dep:react-dropzone	AI (phantom-deps): Listed as runtime dep; phantom-dep heuristic false positive for this package.	ai	2026/05/02
phantom-deps	phantom-dep:@vitessce/constants-internal	AI (phantom-deps): Same-org monorepo sibling; stable false positive.	ai	2026/05/02
phantom-deps	phantom-dep:@vitessce/example-plugins	AI (phantom-deps): Same-org monorepo sibling; stable false positive.	ai	2026/05/02
phantom-deps	phantom-dep:@vitessce/globals	AI (phantom-deps): Same-org monorepo sibling; stable false positive.	ai	2026/05/02

Versions (showing 3 of 3)

Version	Deps	Published
3.9.9	12 / 3	2026-05-20
3.9.8	12 / 3	2026-04-29
3.9.7	12 / 3	2026-04-10

v3.9.9

8 findings

HIGH New obfuscated file: dist/higlass-BXmDHp1M.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/higlass-BXmDHp1M.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: dist/index-BGzgHqzw.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/index-C7kW8YKc.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/index-C7kW8YKc.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: dist/lerc-DlsnNE1I.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/ReactNeuroglancer-Cb2ywexW.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.8

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.