@wix/image
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/statics/janet/main.52ccb40c.iframe.bundle.js | AI (source-diff): Standard webpack/janet-build bundle output; Wix CI publisher with strong track record. | ai | |
| source-diff | net-exec-file:dist/statics/janet/main.52ccb40c.iframe.bundle.js | AI (source-diff): Network+exec pattern in a webpack bundle is expected for a Wix iframe component; not dropper behavior. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a declared runtime dependency used implicitly by TypeScript compilation output. | ai | |
| source-diff | net-exec-file:dist/statics/janet/main.8862e441.iframe.bundle.js | AI (source-diff): Network+exec pattern is expected in a webpack iframe bundle for a UI component; no malicious payload. | ai | |
| source-diff | obfuscated-file:dist/statics/janet/main.8862e441.iframe.bundle.js | AI (source-diff): Standard webpack bundle produced by janet-build; long lines are minified output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/statics/janet/main.cf1e1edc.iframe.bundle.js | AI (source-diff): Standard webpack/janet-build output with source map; minified but not obfuscated, consistent with Wix build toolchain. | ai | |
| source-diff | net-exec-file:dist/statics/janet/main.cf1e1edc.iframe.bundle.js | AI (source-diff): Network+exec pattern is expected in a UI component bundle (iframe storybook/preview); no dropper indicators in the readable sample. | ai | |
Versions (showing 4 of 4)
| Version | Deps | Published |
|---|---|---|
| 1.451.0 | 4 / 19 | |
| 1.450.0 | 4 / 19 | |
| 1.449.0 | 4 / 19 | |
| 1.448.0 | 4 / 19 | |
v1.451.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.450.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.449.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.448.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.