@weapp-vite/dashboard — Greenflagged

Optional analyze dashboard for weapp-vite

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

icebreaker

Keywords

weapp-viteanalyzedashboard

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition to GitHub Actions CI publishing is confirmed by SLSA provenance attestation; stable pattern for this package.	ai	2026/06/05
source-diff	obfuscated-file:dist/assets/activity.js	AI (source-diff): Vite-bundled ES module output; long lines are minified Vue component code, not obfuscation.	ai	2026/06/05
source-diff	obfuscated-file:dist/assets/tokens.js	AI (source-diff): Vite-bundled ES module output; long lines are minified Vue component code, not obfuscation.	ai	2026/06/05
source-diff	obfuscated-file:dist/assets/AppStatCard.js	AI (source-diff): Vite-bundled ES module output; long lines are minified Vue component code, not obfuscation.	ai	2026/06/05
source-diff	obfuscated-file:dist/assets/analyze.js	AI (source-diff): Vite-bundled ES module output; long lines are minified Vue component code, not obfuscation.	ai	2026/06/05
source-diff	obfuscated-file:dist/assets/ts.worker-B0J26iPs.js	AI (source-diff): Monaco Editor TypeScript worker bundle — expected large minified artifact for this dashboard package.	ai	2026/06/04
source-diff	net-exec-file:dist/assets/ts.worker-B0J26iPs.js	AI (source-diff): Monaco TS worker legitimately uses network (LSP) and eval-like patterns; stable false positive for this package.	ai	2026/06/04
source-diff	obfuscated-file:dist/assets/shell.js	AI (source-diff): Minified dashboard shell bundle (Vue components); expected build output for this dashboard package.	ai	2026/06/03
source-diff	net-exec-file:dist/assets/ts.worker-Dth06zuC.js	AI (source-diff): Monaco TS worker legitimately uses network (fetch for type definitions) and dynamic execution; standard behavior for this library.	ai	2026/06/02
source-diff	obfuscated-file:dist/assets/ts.worker-Dth06zuC.js	AI (source-diff): Standard minified Monaco Editor TypeScript worker bundle; not obfuscated malware.	ai	2026/06/02
source-diff	obfuscated-file:dist/assets/editor.worker-Bd9IXS8d.js	AI (source-diff): Minified Monaco Editor editor worker bundle; expected artifact of monaco-editor dependency.	ai	2026/06/02
source-diff	obfuscated-file:dist/assets/css.worker-Wv5dxAWO.js	AI (source-diff): Minified Monaco Editor CSS worker bundle; expected artifact of monaco-editor dependency.	ai	2026/06/02
source-diff	obfuscated-file:dist/assets/html.worker-CQP8QQsS.js	AI (source-diff): Minified Monaco Editor HTML worker bundle; expected artifact of monaco-editor dependency.	ai	2026/06/02
source-diff	obfuscated-file:dist/assets/json.worker-DzV-CpCQ.js	AI (source-diff): Minified Monaco Editor JSON worker bundle; expected artifact of monaco-editor dependency.	ai	2026/06/02
source-diff	obfuscated-file:dist/assets/ts.worker-METxwbDZ.js	AI (source-diff): Minified Monaco Editor TypeScript worker bundle; expected artifact of monaco-editor dependency.	ai	2026/06/02
source-diff	net-exec-file:dist/assets/ts.worker-METxwbDZ.js	AI (source-diff): Monaco TS worker uses dynamic code execution for TypeScript language service; standard Monaco behavior, not malware.	ai	2026/06/02
source-diff	source-size-tripled	AI (source-diff): Size increase fully explained by bundling monaco-editor (~13MB) into the dashboard dist.	ai	2026/06/02
source-diff	obfuscated-file:dist/assets/vendor.js	AI (source-diff): Vite-bundled minified output of UI libraries; not malicious obfuscation. Stable pattern for this dashboard package.	ai	2026/06/02
source-diff	obfuscated-file:dist/assets/css.worker-CvXBzhp8.js	AI (source-diff): Standard minified Monaco Editor CSS worker; not obfuscated malware.	ai	2026/06/01
source-diff	obfuscated-file:dist/assets/monaco.js	AI (source-diff): Standard minified Monaco Editor bundle; not obfuscated malware.	ai	2026/06/01
source-diff	obfuscated-file:dist/assets/json.worker-BkJRGcCJ.js	AI (source-diff): Standard minified Monaco Editor JSON worker; not obfuscated malware.	ai	2026/06/01
source-diff	obfuscated-file:dist/assets/html.worker-BO6WuOEO.js	AI (source-diff): Standard minified Monaco Editor HTML worker; not obfuscated malware.	ai	2026/06/01
source-diff	net-exec-file:dist/assets/ts.worker-B6r0Skfj.js	AI (source-diff): Monaco TS worker legitimately uses network (fetch for type definitions) and dynamic code execution; standard editor behavior.	ai	2026/06/01
phantom-deps	phantom-dep:monaco-editor	AI (phantom-deps): monaco-editor is bundled into dist assets; not directly imported in source but legitimately declared as a dependency.	ai	2026/06/01
source-diff	obfuscated-file:dist/assets/editor.worker-Cn2oRESe.js	AI (source-diff): Standard minified Monaco Editor worker; not obfuscated malware.	ai	2026/06/01
source-diff	obfuscated-file:dist/assets/ts.worker-B6r0Skfj.js	AI (source-diff): Standard minified Monaco Editor TypeScript worker; not obfuscated malware.	ai	2026/06/01
source-diff	obfuscated-file:dist/assets/useDashboardWorkspace.js	AI (source-diff): Standard Vite minified bundle output for a Vue dashboard; readable logic, no obfuscation indicators.	ai	2026/05/31
phantom-deps	phantom-dep:tailwind-merge	AI (phantom-deps): Runtime dependency; referenced in config and build context, not direct imports.	ai	2026/04/29
phantom-deps	phantom-dep:vue-router	AI (phantom-deps): Runtime dependency; referenced in config and build context, not direct imports.	ai	2026/04/29
phantom-deps	phantom-dep:echarts	AI (phantom-deps): Runtime dependency; referenced in config and build context, not direct imports.	ai	2026/04/29
phantom-deps	phantom-dep:tailwind-variants	AI (phantom-deps): Runtime dependency; referenced in config and build context, not direct imports.	ai	2026/04/29
phantom-deps	phantom-dep:vue	AI (phantom-deps): Runtime dependency; referenced in config and build context, not direct imports.	ai	2026/04/29

Versions (showing 51 of 80)

View all versions

Version	Deps	Published
6.16.40	6 / 8	2026-06-04
6.16.37	6 / 8	2026-06-03
6.16.35	6 / 8	2026-06-03
6.16.34	6 / 8	2026-06-02
6.16.33	6 / 8	2026-06-02
6.16.32	6 / 8	2026-06-01
6.16.31	6 / 8	2026-05-31
6.16.30	6 / 8	2026-05-30
6.16.29	6 / 8	2026-05-30
6.16.28	6 / 8	2026-05-29
6.16.27	6 / 8	2026-05-28
6.16.26	6 / 8	2026-05-27
6.16.25	6 / 8	2026-05-27
6.16.24	6 / 8	2026-05-25
6.16.23	6 / 8	2026-05-24
6.16.22	6 / 8	2026-05-24
6.16.21	6 / 8	2026-05-23
6.16.20	6 / 8	2026-05-22
6.16.19	6 / 8	2026-05-21
6.16.18	6 / 8	2026-05-19
6.16.17	6 / 8	2026-05-19
6.16.16	6 / 8	2026-05-18
6.16.15	6 / 8	2026-05-17
6.16.14	6 / 8	2026-05-14
6.16.13	6 / 8	2026-05-14
6.16.12	6 / 8	2026-05-12
6.16.11	6 / 8	2026-05-12
6.16.10	6 / 8	2026-05-11
6.16.9	6 / 8	2026-05-11
6.16.8	6 / 8	2026-05-09
6.16.7	6 / 8	2026-05-07
6.16.6	6 / 8	2026-05-07
6.16.5	6 / 8	2026-05-07
6.16.4	6 / 8	2026-05-06
6.16.3	6 / 8	2026-05-04
6.16.2	6 / 8	2026-05-03
6.16.1	5 / 7	2026-04-29
6.16.0	5 / 7	2026-04-29
6.15.18	5 / 7	2026-04-28
6.15.17	5 / 7	2026-04-26
6.15.16	5 / 7	2026-04-26
6.15.15	5 / 7	2026-04-26
6.15.14	5 / 7	2026-04-23
6.15.13	5 / 7	2026-04-21
6.15.12	5 / 7	2026-04-21
6.15.11	5 / 7	2026-04-21
6.15.10	5 / 7	2026-04-20
6.15.8	5 / 7	2026-04-18
6.15.7	5 / 7	2026-04-18
6.15.6	5 / 7	2026-04-15
6.15.5	5 / 7	2026-04-15

v6.16.40

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.16.37

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.16.35

3 findings

HIGH New obfuscated file: dist/assets/ts.worker-B0J26iPs.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/assets/ts.worker-B0J26iPs.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.16.34

3 findings

HIGH New obfuscated file: dist/assets/ts.worker-B0J26iPs.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/assets/ts.worker-B0J26iPs.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.16.33

3 findings

HIGH New obfuscated file: dist/assets/ts.worker-B0J26iPs.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/assets/ts.worker-B0J26iPs.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.16.32

3 findings

HIGH New obfuscated file: dist/assets/ts.worker-B0J26iPs.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/assets/ts.worker-B0J26iPs.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.16.31

8 findings

HIGH New obfuscated file: dist/assets/css.worker-CvXBzhp8.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/assets/editor.worker-Cn2oRESe.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/assets/html.worker-BO6WuOEO.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/assets/json.worker-BkJRGcCJ.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/assets/monaco.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/assets/ts.worker-B0J26iPs.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: dist/assets/ts.worker-B0J26iPs.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.16.30