@vitessce/neuroglancer
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/index-C_tRTP7C.js | AI (source-diff): Minified Vite bundle output; readable React/vitessce code visible in sample. Stable pattern for this package. | ai | |
| source-diff | net-exec-file:dist/ReactNeuroglancer-CNZmy8oz.js | AI (source-diff): Standard CJS-compat shim pattern in Vite bundle for Neuroglancer; no dropper indicators in sample. | ai | |
| source-diff | net-exec-file:dist/index-C_tRTP7C.js | AI (source-diff): Network calls and dynamic code are part of the Neuroglancer viewer bundle; no malicious payload in sample. | ai | |
| source-diff | net-exec-file:dist/ReactNeuroglancer-DXStdU0p.js | AI (source-diff): Standard bundled React+neuroglancer component; Function('return this') is a commonjs polyfill pattern, not malware. | ai | |
| source-diff | net-exec-file:dist/index-O9LG3z3b.js | AI (source-diff): Network calls and dynamic code are part of the neuroglancer visualization library; no dropper behavior evident. | ai | |
| source-diff | obfuscated-file:dist/index-O9LG3z3b.js | AI (source-diff): Minified Vite bundle output; readable imports confirm no obfuscation. Stable pattern for this package. | ai | |
| source-diff | net-exec-file:dist/index-DsWF_aiv.js | AI (source-diff): Network calls and dynamic code are expected in a 3D neuroglancer visualization bundle; no malicious pattern. | ai | |
| source-diff | net-exec-file:dist/ReactNeuroglancer-Yc6wLA5U.js | AI (source-diff): Same rationale — standard bundled neuroglancer React component; Function('return this') is a common CJS polyfill pattern. | ai | |
| source-diff | obfuscated-file:dist/index-DsWF_aiv.js | AI (source-diff): Vite-bundled output for neuroglancer React wrapper; long lines are minified bundle, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/index-CuSU8uy8.js | AI (source-diff): Vite-bundled output for a React visualization library; long lines are minified bundle, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/ReactNeuroglancer-CexklRkL.js | AI (source-diff): Same rationale: Vite bundle of Neuroglancer viewer; Function('return this') is a standard CJS polyfill pattern. | ai | |
| source-diff | net-exec-file:dist/index-CuSU8uy8.js | AI (source-diff): Network calls and dynamic code in bundled React/Neuroglancer library are expected; no dropper pattern. | ai | |
| source-diff | net-exec-file:dist/index-DK1BA3pP.js | AI (source-diff): Network calls and dynamic code are part of the Neuroglancer visualization library's normal operation, not dropper behavior. | ai | |
| source-diff | net-exec-file:dist/ReactNeuroglancer-C3H4HHzG.js | AI (source-diff): Same bundle context; Function('return this') is a standard CJS polyfill pattern, not malicious code execution. | ai | |
| source-diff | obfuscated-file:dist/index-DK1BA3pP.js | AI (source-diff): Vite-bundled output with long lines; code is readable React/Neuroglancer library, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/index-Bjp1TxpY.js | AI (source-diff): Vite-bundled output; long lines are minified JS, not obfuscated malware. Stable pattern for this package. | ai | |
| source-diff | net-exec-file:dist/index-Bjp1TxpY.js | AI (source-diff): Network calls and dynamic code (Function('return this')) are standard polyfill patterns in bundled visualization library, not dropper behavior. | ai | |
| source-diff | net-exec-file:dist/ReactNeuroglancer-B3fUzgXA.js | AI (source-diff): Same pattern: bundled neuroglancer React wrapper with polyfills; not malicious. | ai | |
| source-diff | obfuscated-file:dist/index-BDIjPdOJ.js | AI (source-diff): Minified Vite bundle output; sample shows standard React/vitessce imports, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/ReactNeuroglancer-BNZT4_8O.js | AI (source-diff): Neuroglancer React wrapper bundle; dynamic patterns are standard polyfill/module loading, not dropper behavior. | ai | |
| source-diff | net-exec-file:dist/index-BDIjPdOJ.js | AI (source-diff): Network calls and dynamic code in a visualization library bundle are expected; no malicious patterns in sample. | ai | |
| source-diff | obfuscated-file:dist/index-BNWANKfn.js | AI (source-diff): Vite-bundled output; long lines are minified JS, not obfuscation. Stable pattern for this package. | ai | |
| source-diff | net-exec-file:dist/index-BNWANKfn.js | AI (source-diff): Network calls and dynamic code (Function('return this')) are standard polyfill patterns in bundled neuroglancer code, not malware. | ai | |
| source-diff | net-exec-file:dist/ReactNeuroglancer-CfXWCAza.js | AI (source-diff): Same bundled neuroglancer pattern; Function('return this') is a global polyfill, not a dropper. | ai | |
| provenance | publisher-changed | AI (provenance): Transition to GitHub Actions CI publisher with SLSA attestation is a legitimate supply chain improvement, not a compromise. | ai | |
| source-diff | obfuscated-file:dist/index-BEPd2Tds.js | AI (source-diff): Standard vite-bundled output for a React visualization library; not obfuscated, just minified. | ai | |
| source-diff | net-exec-file:dist/ReactNeuroglancer-pv4bM8Yp.js | AI (source-diff): ReactNeuroglancer bundle; Function('return this') is a standard CJS polyfill pattern, not a dropper. | ai | |
| source-diff | net-exec-file:dist/index-BEPd2Tds.js | AI (source-diff): Network calls and dynamic code are expected in a neuroglancer/React bundle; no malicious patterns in sample. | ai | |
| dependencies | unvetted-dep:@janelia-flyem/react-neuroglancer | AI (dependencies): Janelia FlyEM react-neuroglancer is the expected upstream dependency for this neuroglancer wrapper package; stable across versions. | ai | |
| provenance | no-provenance | AI (provenance): No provenance is common; publisher track record and repo URL are consistent across 54 versions. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Established scoped package in active ecosystem; missing description is metadata-only. | ai | |
| phantom-deps | phantom-dep:lodash-es | AI (phantom-deps): Monorepo package; lodash-es may be used indirectly via build config or re-exports. | ai | |
| dependencies | unvetted-dep:@janelia-flyem/neuroglancer | AI (dependencies): Known Janelia Research Campus neuroglancer fork; expected dependency for this neuroglancer wrapper package. | ai | |
| phantom-deps | phantom-dep:@vitessce/utils | AI (phantom-deps): Same-org monorepo sibling; phantom-dep heuristic unreliable across monorepo boundaries. | ai | |
| phantom-deps | phantom-dep:@vitessce/tooltip | AI (phantom-deps): Declared as a runtime dependency in package.json; same-org sibling package, stable false positive. | ai |
Versions (showing 38 of 38)
| Version | Deps | Published |
|---|---|---|
| 3.9.11 | 12 / 5 | |
| 3.9.10 | 12 / 5 | |
| 3.9.9 | 12 / 5 | |
| 3.9.8 | 12 / 5 | |
| 3.9.7 | 12 / 5 | |
| 3.9.2 | 11 / 5 | |
| 3.9.1 | 11 / 5 | |
| 3.9.0 | 11 / 5 | |
| 3.8.13 | 11 / 5 | |
| 3.8.10 | 11 / 5 | |
| 3.8.9 | 11 / 5 | |
| 3.8.8 | 11 / 5 | |
| 3.8.7 | 11 / 5 | |
| 3.8.6 | 11 / 5 | |
| 3.8.5 | 11 / 5 | |
| 3.8.4 | 11 / 5 | |
| 3.8.3 | 11 / 5 | |
| 3.8.2 | 11 / 5 | |
| 3.8.1 | 11 / 5 | |
| 3.8.0 | 11 / 5 | |
| 3.7.1 | 11 / 5 | |
| 3.6.18 | 10 / 6 | |
| 3.6.16 | 10 / 6 | |
| 3.6.15 | 10 / 6 | |
| 3.6.14 | 10 / 6 | |
| 3.6.13 | 10 / 6 | |
| 3.6.12 | 10 / 6 | |
| 3.6.11 | 10 / 6 | |
| 3.6.10 | 10 / 6 | |
| 3.6.9 | 10 / 6 | |
| 3.6.7 | 10 / 6 | |
| 3.6.6 | 10 / 6 | |
| 3.6.5 | 10 / 6 | |
| 3.6.4 | 10 / 6 | |
| 3.6.3 | 10 / 6 | |
| 3.6.2 | 10 / 6 | |
| 3.6.1 | 9 / 6 | |
| 3.5.12 | 5 / 5 | |
v3.9.11
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.9.10
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.9.9
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.9.8
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.9.7
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.9.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.9.1
5 findings
This version was published by a different npm account than previous versions on 2026-01-27. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.9.0
5 findings
This version was published by a different npm account than previous versions on 2026-01-16. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.8.13
5 findings
This version was published by a different npm account than previous versions on 2025-12-14. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.8.10
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.8.9
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.8.8
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.8.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.8.6
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.8.5
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.8.4
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.8.3
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.8.2
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.8.1
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.8.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.7.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.6.18
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.6.16
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.6.15
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.6.14
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.6.13
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.6.12
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.6.11
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.6.10
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.6.9
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.6.7
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.6.6
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.6.5
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.6.4
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.6.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.6.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.6.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.5.12
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.