@vue-skuilder/standalone-ui
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/assets/common-ui.es-_Nay4Hg9.js | AI (source-diff): Network calls and dynamic imports are normal Vite lazy-loading patterns in this UI bundle. | ai | |
| source-diff | obfuscated-file:dist/assets/common-ui.es-_Nay4Hg9.js | AI (source-diff): Standard Vite minified bundle output for this package; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/index-lmLOFur1.js | AI (source-diff): Standard Vite entry bundle with modulepreload polyfill; not obfuscation. | ai | |
| source-diff | net-exec-file:dist/assets/dist-DHzymw-6.js | AI (source-diff): Network + dynamic code patterns are Vite bundle artifacts, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/assets/dist-DHzymw-6.js | AI (source-diff): Standard Vite minified bundle; sample shows spark-md5 and known library code. | ai | |
| source-diff | net-exec-file:dist/assets/common-ui.es-BLg_8nr-.js | AI (source-diff): Network calls are vue-router fetch/preload polyfills; dynamic code is module loading, not malware. | ai | |
| source-diff | obfuscated-file:dist/assets/common-ui.es-BLg_8nr-.js | AI (source-diff): Standard Vite minified bundle output for a Vue UI library; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BUyUeqxf.js | AI (source-diff): Vite webapp entry bundle; minification is expected for this package type. | ai | |
| source-diff | net-exec-file:dist/assets/dist-Dw3a5Op4.js | AI (source-diff): Same bundle; network/exec pattern is module loading infrastructure, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/assets/dist-Dw3a5Op4.js | AI (source-diff): Standard Vite minified bundle; identifiable as spark-md5 and project-specific exports. | ai | |
| source-diff | net-exec-file:dist/assets/common-ui.es-Bh7QiFa1.js | AI (source-diff): Network calls and dynamic imports are normal Vue SPA routing patterns (vue-router lazy loading). | ai | |
| source-diff | obfuscated-file:dist/assets/common-ui.es-Bh7QiFa1.js | AI (source-diff): Standard Vite minified bundle output; readable identifiers confirm legitimate build artifact. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BOK-JsV6.js | AI (source-diff): Standard Vite minified entry bundle with __vite__mapDeps; legitimate build artifact. | ai | |
| source-diff | net-exec-file:dist/assets/dist--Dpfoemh.js | AI (source-diff): Network/dynamic patterns are standard bundled library code, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/assets/dist--Dpfoemh.js | AI (source-diff): Standard Vite minified bundle; spark-md5 and other readable identifiers confirm legitimate build artifact. | ai | |
| source-diff | obfuscated-file:dist/assets/index-5H45bc-8.js | AI (source-diff): Vite entry bundle with modulepreload polyfill; standard SPA build artifact. | ai | |
| source-diff | net-exec-file:dist/assets/dist-B6gIbmvQ.js | AI (source-diff): Same Vite bundle pattern; dynamic code execution is AMD/CJS interop shim, not malicious loader. | ai | |
| source-diff | obfuscated-file:dist/assets/dist-B6gIbmvQ.js | AI (source-diff): Standard Vite-minified bundle; contains spark-md5 and project-specific exports, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/assets/common-ui.es-B6UqZKxa.js | AI (source-diff): Standard Vite-minified bundle output for a Vue SPA; source maps present, content is recognizable Vue/router code. | ai | |
| source-diff | net-exec-file:dist/assets/common-ui.es-B6UqZKxa.js | AI (source-diff): Network calls and dynamic imports are Vite lazy-loading patterns, not dropper behavior. | ai | |
| phantom-deps | phantom-dep:@vue-skuilder/courseware | AI (phantom-deps): Same-org monorepo dep bundled into dist output. | ai | |
| phantom-deps | phantom-dep:@vue-skuilder/common-ui | AI (phantom-deps): Same-org monorepo dep bundled into dist output. | ai | |
| phantom-deps | phantom-dep:@vue-skuilder/common | AI (phantom-deps): Same-org monorepo dep bundled into dist output. | ai | |
| phantom-deps | phantom-dep:@vue-skuilder/db | AI (phantom-deps): Same-org monorepo dep bundled into dist output. | ai | |
| phantom-deps | phantom-dep:vue-router | AI (phantom-deps): Bundled into dist; router code visible in samples. | ai | |
| phantom-deps | phantom-dep:@mdi/font | AI (phantom-deps): Icon font asset dep; referenced in Vite config not source imports. | ai | |
| phantom-deps | phantom-dep:vuetify | AI (phantom-deps): UI framework bundled into dist; declared as dep for consumers. | ai | |
| phantom-deps | phantom-dep:events | AI (phantom-deps): Node events polyfill used via Vite config, not direct import. | ai | |
| phantom-deps | phantom-dep:pinia | AI (phantom-deps): Vue ecosystem peer dep bundled into dist; not directly imported in source but legitimately declared. | ai | |
| source-diff | obfuscated-file:dist/assets/index-Di-iurxs.js | AI (source-diff): Standard Vite minified bundle output for this UI package. | ai | |
| source-diff | net-exec-file:dist/assets/common-ui.es-Dli7wjjJ.js | AI (source-diff): Vite webapp bundle; network calls are application-level API calls. | ai | |
| source-diff | obfuscated-file:dist/assets/common-ui.es-Dli7wjjJ.js | AI (source-diff): Standard Vite minified bundle output for this UI package. | ai | |
| source-diff | obfuscated-file:dist/assets/dist-BoYWClge.js | AI (source-diff): Standard Vite minified bundle output for this UI package. | ai | |
| source-diff | net-exec-file:dist/assets/dist-BoYWClge.js | AI (source-diff): Vite webapp bundle; network calls are application-level API calls. | ai | |
| source-diff | net-exec-file:dist/assets/dist-CglDOuwn.js | AI (source-diff): Vite webapp bundle; network calls are application-level API calls, not malware. | ai | |
| source-diff | obfuscated-file:dist/assets/common-ui.es-CIp6hqfh.js | AI (source-diff): Standard Vite minified bundle output for a Vue UI library. | ai | |
| source-diff | obfuscated-file:dist/assets/dist-CglDOuwn.js | AI (source-diff): Standard Vite minified bundle output for a Vue UI library. | ai | |
| source-diff | obfuscated-file:dist/assets/index-rJK7G7mT.js | AI (source-diff): Standard Vite minified bundle output for a Vue UI library. | ai | |
| source-diff | net-exec-file:dist/assets/common-ui.es-CIp6hqfh.js | AI (source-diff): Vite webapp bundle; network calls are application-level API calls, not malware. | ai | |
| source-diff | net-exec-file:dist/assets/dist-BcZ1gsNX.js | AI (source-diff): Vite bundle; same pattern. | ai | |
| source-diff | net-exec-file:dist/assets/common-ui.es-DfgaTZ4z.js | AI (source-diff): Same as dist-lib counterpart; Vite dynamic imports + Vue compiler. | ai | |
| source-diff | net-exec-file:dist-lib/dist-BP0_sJdJ.js | AI (source-diff): eval('require') is a standard Node env-detection pattern; network calls are PouchDB/fetch; not malicious. | ai | |
| source-diff | net-exec-file:dist-lib/common-ui.es-B8Tew0sr.js | AI (source-diff): Network calls are Vue dynamic imports (__vite__mapDeps); exec is Vue compiler; no dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/assets/index-e8XolFvR.js | AI (source-diff): Vite bundle; same pattern as other dist assets. | ai | |
| source-diff | obfuscated-file:dist/assets/dist-BcZ1gsNX.js | AI (source-diff): Vite bundle; same pattern as other dist assets. | ai | |
| source-diff | obfuscated-file:dist/assets/common-ui.es-DfgaTZ4z.js | AI (source-diff): Vite-minified common-ui bundle with vue-router; standard build output. | ai | |
| source-diff | obfuscated-file:dist-lib/dist-BP0_sJdJ.js | AI (source-diff): Vite bundle of @vue-skuilder/db and spark-md5; recognizable OSS code. | ai | |
| source-diff | net-exec-file:dist-lib/questions.mjs | AI (source-diff): Network calls are app API patterns in minified ESM library build. | ai | |
| source-diff | obfuscated-file:dist-lib/questions.mjs | AI (source-diff): Rolldown ESM library build; minification is expected for this package. | ai | |
| source-diff | obfuscated-file:dist/assets/index-CgJHLYRy.js | AI (source-diff): Minified Vite bundle; consistent with this package's build output. | ai | |
| source-diff | net-exec-file:dist/assets/dist-D0Pw05KO.js | AI (source-diff): Network calls are standard app API calls in minified bundle. | ai | |
| source-diff | obfuscated-file:dist/assets/dist-D0Pw05KO.js | AI (source-diff): Minified Vite bundle with spark-md5 and app logic; no malicious indicators. | ai | |
| source-diff | net-exec-file:dist/assets/common-ui.es-DQVvqecz.js | AI (source-diff): Network calls are Vue Router/fetch patterns in minified bundle; not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/assets/common-ui.es-DQVvqecz.js | AI (source-diff): Standard Vite minified bundle output; stable pattern for this UI package. | ai | |
| source-diff | obfuscated-file:dist-lib/MarkdownRenderer-DoVbFpA6-BjR5e6Al.js | AI (source-diff): Standard Vite/Vue bundled output; minification is expected for this build-output package. | ai | |
| source-diff | net-exec-file:dist-lib/common-ui.es-BndKNv1Z.js | AI (source-diff): Vite-bundled Vue app; network calls are fetch/XHR in Vue router/component code, not dropper behavior. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get in Vue reactivity proxy handlers; standard Vue 3 internals pattern. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval('require') is a standard esbuild/Vite CJS shim for Node.js fs detection; not user-controlled. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 22 new files are Vite build artifacts from newly added build:lib and build:webapp scripts. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Package now ships full Vite dist; size jump is structural, not injection. | ai | |
| source-diff | obfuscated-file:dist/assets/index-C6NB1IPv.js | AI (source-diff): Minified Vite webapp entry; expected build artifact. | ai | |
| source-diff | obfuscated-file:dist/assets/dist-DCANvFNh.js | AI (source-diff): Minified Vite bundle; expected build artifact. | ai | |
| source-diff | net-exec-file:dist/assets/dist-BC_KquM-.js | AI (source-diff): Same Vite bundle pattern; no malicious network behavior identified. | ai | |
| source-diff | obfuscated-file:dist/assets/dist-BC_KquM-.js | AI (source-diff): Minified Vite bundle; expected build artifact. | ai | |
| source-diff | net-exec-file:dist/assets/common-ui.es-DxZNthuJ.js | AI (source-diff): Dynamic imports via __vite__mapDeps are standard Vite lazy-loading, not malware. | ai | |
| source-diff | obfuscated-file:dist/assets/common-ui.es-DxZNthuJ.js | AI (source-diff): Minified Vite webapp asset with vue-router and component code; expected. | ai | |
| source-diff | obfuscated-file:dist/assets/MarkdownRenderer-DoVbFpA6-DYVMsbBP.js | AI (source-diff): Minified Vite webapp asset; same Vue compiler code as lib build. | ai | |
| source-diff | net-exec-file:dist-lib/questions.cjs.js | AI (source-diff): CJS bundle entry point; inline font data and standard Vue component code, not dropper. | ai | |
| source-diff | net-exec-file:dist-lib/dist-D3TZHmH5.js | AI (source-diff): eval('require') pattern is a known Vite/esbuild CJS shim for Node detection; not malicious. | ai | |
| source-diff | obfuscated-file:dist-lib/dist-D3TZHmH5.js | AI (source-diff): Minified Vite bundle of open-source deps (spark-md5, etc.); expected for this package. | ai | |
Versions (showing 11 of 11)
| Version | Deps | Published |
|---|---|---|
| 0.2.4 | 10 / 9 | |
| 0.2.3 | 10 / 9 | |
| 0.2.2 | 10 / 9 | |
| 0.2.1 | 10 / 9 | |
| 0.2.0 | 10 / 9 | |
| 0.1.40 | 10 / 9 | |
| 0.1.39 | 10 / 9 | |
| 0.1.38 | 10 / 9 | |
| 0.1.36 | 10 / 9 | |
| 0.1.35 | 10 / 9 | |
| 0.1.1 | 7 / 7 | |
v0.2.4
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.3
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.2
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.1
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.40
11 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.39
11 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.38
11 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.36
13 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.35
13 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.