@workflow/web
Workflow Observability UI
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:build/server/assets/server-build-BBm5-YMr.js | AI (source-diff): SSR server bundle with network + dynamic code; expected for React Router server build. | ai | |
| source-diff | obfuscated-file:build/server/assets/server-build-BBm5-YMr.js | AI (source-diff): Vite SSR server bundle; standard minified build output for this web UI package. | ai | |
| source-diff | obfuscated-file:build/client/assets/mermaid-3ZIDBTTL-CjHrXABH.js | AI (source-diff): Vite-bundled mermaid chart library; minified build output, not obfuscation. | ai | |
| source-diff | net-exec-file:build/server/assets/server-build-JwomDvSn.js | AI (source-diff): Server-side React Router bundle; network + dynamic code is expected. | ai | |
| source-diff | net-exec-file:build/client/assets/mermaid-3ZIDBTTL-CjHrXABH.js | AI (source-diff): Client-side React bundle with fetch + dynamic import; normal for SPA. | ai | |
| source-diff | obfuscated-file:build/server/assets/server-build-JwomDvSn.js | AI (source-diff): Vite/React Router server build bundle; minified output is expected. | ai | |
| source-diff | net-exec-file:build/client/assets/mermaid-3ZIDBTTL-Cr7OQX4b.js | AI (source-diff): Client-side React bundle with dynamic imports; not malicious network+exec. | ai | |
| source-diff | obfuscated-file:build/client/assets/mermaid-3ZIDBTTL-Cr7OQX4b.js | AI (source-diff): Vite-bundled mermaid chart library; standard minified build output. | ai | |
| source-diff | obfuscated-file:build/server/assets/server-build-DBNmVwSJ.js | AI (source-diff): Vite SSR server bundle; standard minified build output. | ai | |
| source-diff | net-exec-file:build/server/assets/server-build-DBNmVwSJ.js | AI (source-diff): SSR server bundle with HTTP handling; expected for a web app server build. | ai | |
| source-diff | obfuscated-file:build/client/assets/mermaid-3ZIDBTTL-BE1h5qUK.js | AI (source-diff): Standard Vite-minified client bundle; mermaid is a declared devDep, content is recognizable React/Mermaid code. | ai | |
| source-diff | net-exec-file:build/server/assets/server-build-DiegzHGY.js | AI (source-diff): Network+exec pattern in SSR bundle is expected for a React Router server; no malicious indicators in samples. | ai | |
| source-diff | obfuscated-file:build/server/assets/server-build-DiegzHGY.js | AI (source-diff): Standard Vite/React Router SSR server bundle; content matches declared deps (minimatch, react-router, etc.). | ai | |
| source-diff | net-exec-file:build/client/assets/mermaid-3ZIDBTTL-BE1h5qUK.js | AI (source-diff): Network+exec pattern in a browser UI bundle is expected; no actual dropper behavior in samples. | ai | |
| source-diff | obfuscated-file:build/client/assets/mermaid-3ZIDBTTL-B_qZU5zW.js | AI (source-diff): Standard Vite-minified client bundle; mermaid + Radix UI code visible in sample, not malicious obfuscation. | ai | |
| source-diff | net-exec-file:build/client/assets/mermaid-3ZIDBTTL-B_qZU5zW.js | AI (source-diff): Network + eval pattern in a browser-side mermaid/React bundle is expected; no dropper behavior in sample. | ai | |
| source-diff | net-exec-file:build/server/assets/server-build-UvQ8ujzE.js | AI (source-diff): Server-side SSR bundle with network calls is expected for a React Router express server package. | ai | |
| source-diff | obfuscated-file:build/server/assets/server-build-UvQ8ujzE.js | AI (source-diff): Standard Vite SSR server bundle; React Router, minimatch, and React imports visible in sample. | ai | |
Versions (showing 8 of 8)
| Version | Deps | Published |
|---|---|---|
| 4.1.9 | 1 / 47 | |
| 4.1.8 | 1 / 47 | |
| 4.1.7 | 1 / 47 | |
| 4.1.6 | 1 / 47 | |
| 4.1.5 | 1 / 47 | |
| 4.1.4 | 1 / 47 | |
| 4.1.1 | 1 / 47 | |
| 4.1.0 | 1 / 47 | |
v4.1.9
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.1.8
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.1.7
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.1.6
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.1.4
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.1.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.1.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.