@zenuml/core

Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/lsp/main.js | AI (source-diff): Vite-bundled LSP server; long lines are from bundling, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/lsp/zenuml-server.worker.js | AI (source-diff): LSP worker bundle; network + exec patterns are standard LSP plumbing. | ai | |
| source-diff | net-exec-file:dist/lsp/main.js | AI (source-diff): LSP server legitimately uses net/child_process Node built-ins. | ai | |
| source-diff | obfuscated-file:dist/lsp/zenuml-server.worker.js | AI (source-diff): Vite-bundled LSP worker; long lines are from bundling, not obfuscation. | ai | |
| phantom-deps | phantom-dep:dompurify | AI (phantom-deps): Bundled into dist; referenced in config/build but not direct source imports. | ai | |
| phantom-deps | phantom-dep:jotai | AI (phantom-deps): Bundled into dist; referenced in config/build but not direct source imports. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): Bundled into dist; referenced in config/build but not direct source imports. | ai | |
| phantom-deps | phantom-dep:color-string | AI (phantom-deps): Bundled into dist; referenced in config/build but not direct source imports. | ai | |
| phantom-deps | phantom-dep:highlight.js | AI (phantom-deps): Bundled into dist; referenced in config/build but not direct source imports. | ai | |
| phantom-deps | phantom-dep:html-to-image | AI (phantom-deps): Bundled into dist; referenced in config/build but not direct source imports. | ai | |
| phantom-deps | phantom-dep:tailwind-merge | AI (phantom-deps): Bundled into dist; referenced in config/build but not direct source imports. | ai | |
| phantom-deps | phantom-dep:@headlessui/react | AI (phantom-deps): Bundled into dist; referenced in config/build but not direct source imports. | ai | |
| phantom-deps | phantom-dep:@floating-ui/react | AI (phantom-deps): Bundled into dist; referenced in config/build but not direct source imports. | ai | |
| phantom-deps | phantom-dep:@headlessui/tailwindcss | AI (phantom-deps): Bundled into dist; referenced in config/build but not direct source imports. | ai | |
| phantom-deps | phantom-dep:class-variance-authority | AI (phantom-deps): Bundled into dist; referenced in config/build but not direct source imports. | ai | |
| source-diff | obfuscated-file:dist/cli/zenuml.mjs | AI (source-diff): Vite-bundled CLI with ANTLR serialized ATN; long lines are parser data, not obfuscation. | ai | |
| phantom-deps | phantom-dep:clsx | AI (phantom-deps): Bundled into dist; referenced in config/build but not direct source imports. | ai | |
| phantom-deps | phantom-dep:immer | AI (phantom-deps): Bundled into dist; referenced in config/build but not direct source imports. | ai | |
| phantom-deps | phantom-dep:react | AI (phantom-deps): Bundled library; deps consumed via dist build rather than direct imports detectable by static analysis. | ai | |
| phantom-deps | phantom-dep:antlr4 | AI (phantom-deps): Bundled library pattern; antlr4 is used in generated parser code bundled into dist. | ai | |
| phantom-deps | phantom-dep:lodash | AI (phantom-deps): Bundled library pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:pako | AI (phantom-deps): Bundled library pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:tailwindcss | AI (phantom-deps): Used via postcss config and bundled build; stable false positive for this package. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): env-spread is in a dev-only snapshot script, not in published library code. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decode is used to process screenshot image data in a dev analysis script, not to hide payloads. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Raw IP is 127.0.0.1 (localhost) in playwright.config.ts for local test server — not a network exfiltration risk. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process usage is in .kiro/hooks dev tooling (IDE sound notification), not in published library code. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): @zenuml/core is a scoped package for a sequence diagram library, not a typosquat of cors. | ai | |
Versions (showing 21 of 21)
| Version | Deps | Published |
|---|---|---|
| 3.50.0 | 15 / 46 | |
| 3.49.6 | 15 / 43 | |
| 3.49.5 | 15 / 43 | |
| 3.49.4 | 20 / 41 | |
| 3.49.3 | 20 / 41 | |
| 3.49.2 | 20 / 41 | |
| 3.49.1 | 20 / 41 | |
| 3.49.0 | 20 / 41 | |
| 3.48.3 | 20 / 41 | |
| 3.48.2 | 20 / 41 | |
| 3.48.1 | 21 / 40 | |
| 3.48.0 | 20 / 42 | |
| 3.47.9 | 20 / 41 | |
| 3.47.8 | 20 / 41 | |
| 3.47.7 | 20 / 41 | |
| 3.47.6 | 20 / 41 | |
| 3.47.5 | 20 / 43 | |
| 3.47.4 | 20 / 43 | |
| 3.47.3 | 20 / 43 | |
| 3.47.2 | 20 / 43 | |
| 3.47.1 | 20 / 43 | |
v3.50.0
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.49.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.49.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.49.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.49.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.49.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.49.1
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.49.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.48.3
2 findings
Package name '@zenuml/core' is 1 edit(s) away from popular package 'cors'.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.48.2
2 findings
Package name '@zenuml/core' is 1 edit(s) away from popular package 'cors'.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.48.1
2 findings
Package name '@zenuml/core' is 1 edit(s) away from popular package 'cors'.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.48.0
2 findings
Package name '@zenuml/core' is 1 edit(s) away from popular package 'cors'.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.47.9
3 findings
Package name '@zenuml/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/mermaid-js/zenuml-core/blob/e3f93e0eb65d23fa3520e8691a5bca883853aa4b/scripts/snapshot-dual.js#L53
```js
  51 |
  52 | function runPlaywright(mode) {
> 53 |   const env = { ...process.env, VERTICAL_MODE: mode };
  54 |   const args = ["playwright", "test", "--update-snapshots", ...testsArg];
  55 |   const result = spawnSync("npx", args, {
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.47.8
3 findings
Package name '@zenuml/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/mermaid-js/zenuml-core/blob/c81406671c0833baebb9fac08a0cbcdc99b3907d/scripts/snapshot-dual.js#L53
```js
  51 |
  52 | function runPlaywright(mode) {
> 53 |   const env = { ...process.env, VERTICAL_MODE: mode };
  54 |   const args = ["playwright", "test", "--update-snapshots", ...testsArg];
  55 |   const result = spawnSync("npx", args, {
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.47.7
3 findings
Package name '@zenuml/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/mermaid-js/zenuml-core/blob/bbeb24ac469207cda20b09d72ddc65d203b6fe51/scripts/snapshot-dual.js#L53
```js
  51 |
  52 | function runPlaywright(mode) {
> 53 |   const env = { ...process.env, VERTICAL_MODE: mode };
  54 |   const args = ["playwright", "test", "--update-snapshots", ...testsArg];
  55 |   const result = spawnSync("npx", args, {
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.47.6
3 findings
Package name '@zenuml/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/mermaid-js/zenuml-core/blob/55fd4f771ef9ac62ae185192d916eb9b6073ba1d/scripts/snapshot-dual.js#L53
```js
  51 |
  52 | function runPlaywright(mode) {
> 53 |   const env = { ...process.env, VERTICAL_MODE: mode };
  54 |   const args = ["playwright", "test", "--update-snapshots", ...testsArg];
  55 |   const result = spawnSync("npx", args, {
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.47.5
3 findings
Package name '@zenuml/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/mermaid-js/zenuml-core/blob/cea68b3f41e971c4d93b21b01e0cfd9481c3aefe/scripts/snapshot-dual.js#L53
```js
  51 |
  52 | function runPlaywright(mode) {
> 53 |   const env = { ...process.env, VERTICAL_MODE: mode };
  54 |   const args = ["playwright", "test", "--update-snapshots", ...testsArg];
  55 |   const result = spawnSync("npx", args, {
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.47.4
3 findings
Package name '@zenuml/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/mermaid-js/zenuml-core/blob/1c05de6181fc02e6f0fe3e45f42228caeb1fccc8/scripts/snapshot-dual.js#L53
```js
  51 |
  52 | function runPlaywright(mode) {
> 53 |   const env = { ...process.env, VERTICAL_MODE: mode };
  54 |   const args = ["playwright", "test", "--update-snapshots", ...testsArg];
  55 |   const result = spawnSync("npx", args, {
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.47.3
3 findings
Package name '@zenuml/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/mermaid-js/zenuml-core/blob/c6f893ba6975309d864413aa9f5b363aa905f46d/scripts/snapshot-dual.js#L53
```js
  51 |
  52 | function runPlaywright(mode) {
> 53 |   const env = { ...process.env, VERTICAL_MODE: mode };
  54 |   const args = ["playwright", "test", "--update-snapshots", ...testsArg];
  55 |   const result = spawnSync("npx", args, {
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.47.1
3 findings
Package name '@zenuml/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/mermaid-js/zenuml-core/blob/9010c4b6cd8fa7d06ad5a598cac487f531aba9c5/scripts/snapshot-dual.js#L53
```js
  51 |
  52 | function runPlaywright(mode) {
> 53 |   const env = { ...process.env, VERTICAL_MODE: mode };
  54 |   const args = ["playwright", "test", "--update-snapshots", ...testsArg];
  55 |   const result = spawnSync("npx", args, {
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.