@zuplo/runtime
This module contains the type definitions for the Zuplo Runtime.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:out/esm/browser-login-idp-SD2N5PY4.js | AI (source-diff): Standard minified ESM bundle with Zuplo copyright header; minification is expected for this runtime package. | ai | |
| source-diff | obfuscated-file:out/esm/browser-login-idp-HWMCSYMR.js | AI (source-diff): Standard minified ESM bundle with Zuplo copyright header; minification is expected for this runtime SDK. | ai | |
| source-diff | obfuscated-file:out/esm/browser-login-idp-QZEGTRKY.js | AI (source-diff): Minified ESM bundle output; Zuplo copyright header and standard imports confirm legitimate build artifact. | ai | |
| source-diff | obfuscated-file:out/esm/browser-login-idp-WT4H7RKW.js | AI (source-diff): Standard ESM bundle with Zuplo copyright header; minification is expected for this package's build output. | ai | |
| source-diff | obfuscated-file:out/esm/browser-login-idp-SQ4CJMPN.js | AI (source-diff): Minified ESM bundle with Zuplo copyright header; standard build output for this package. | ai | |
| source-diff | obfuscated-file:out/esm/browser-login-idp-U763HG2Z.js | AI (source-diff): Standard ESM bundle output from Zuplo's build pipeline; minification is expected for this package. | ai | |
| source-diff | obfuscated-file:out/esm/browser-login-idp-NPHGGA54.js | AI (source-diff): Minified ESM bundle output from Zuplo's own build pipeline; consistent with all prior versions of this package. | ai | |
| phantom-deps | phantom-dep:@cfworker/json-schema | AI (phantom-deps): Bundled dependency pattern; phantom-dep heuristic fires on bundled packages consistently for this package. | ai | |
| source-diff | obfuscated-file:out/esm/browser-login-idp-HQB254PW.js | AI (source-diff): Standard minified ESM bundle with Zuplo copyright header; minification is expected for this package. | ai | |
| source-diff | obfuscated-file:out/esm/mcp-gateway/index.js | AI (source-diff): Minified ESM bundle with Zuplo copyright header; consistent with this package's established build pattern. | ai | |
| source-diff | net-exec-file:out/esm/mcp-gateway/index.js | AI (source-diff): Network calls are expected in a gateway runtime; no evidence of dropper/loader behavior in the bundle. | ai | |
| phantom-deps | phantom-dep:@modelcontextprotocol/sdk | AI (phantom-deps): MCP SDK is bundled into the mcp-gateway chunk; phantom-dep heuristic fires because direct import is in the bundle, not top-level. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Package has 3050 versions and 8.1k weekly downloads; it is actively maintained by Zuplo, Inc. via GitHub Actions CI/CD. Dormancy signal is not indicative of takeover for this package. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get() in minified ESM bundle output is a standard bundler pattern (esbuild/rollup), not obfuscation. Stable false positive for this package. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 in this context is standard data handling (CSV, Azure SAS URLs). No malicious payload evidence. Stable false positive for this package. | ai | |
| semgrep | semgrep:toplevel-fetch | AI (semgrep): This is a runtime/gateway library; fetch calls in bundled output are expected for HTTP handling. Not exfiltration. Stable false positive. | ai | |
| phantom-deps | phantom-dep:graphql | AI (phantom-deps): graphql is a declared runtime dependency; phantom detection is a false positive for this framework package. | ai | |
| phantom-deps | phantom-dep:cookie | AI (phantom-deps): cookie is a declared runtime dependency; phantom detection is a false positive for this framework package. | ai | |
| phantom-deps | phantom-dep:uuid | AI (phantom-deps): uuid is a declared runtime dependency; phantom detection is a false positive for this framework package. | ai | |
| phantom-deps | phantom-dep:zod | AI (phantom-deps): zod is a declared runtime dependency of this API gateway framework; phantom detection is a false positive for conditional/indirect usage patterns. | ai | |
| phantom-deps | phantom-dep:bs58 | AI (phantom-deps): bs58 is a declared runtime dependency; phantom detection is a false positive for this framework package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Established Zuplo platform runtime with 3050 versions and 8.1k weekly downloads; short README and no keywords are cosmetic, not indicative of spam. | ai | |
| phantom-deps | phantom-dep:path-to-regexp | AI (phantom-deps): path-to-regexp is a declared runtime dependency; phantom detection is a false positive for this framework package. | ai |
Versions (showing 51 of 548)
| Version | Deps | Published |
|---|---|---|
| 6.70.66 | 10 / 2 | |
| 6.70.63 | 10 / 2 | |
| 6.70.62 | 10 / 2 | |
| 6.70.61 | 10 / 2 | |
| 6.70.60 | 10 / 2 | |
| 6.70.59 | 10 / 2 | |
| 6.70.57 | 10 / 2 | |
| 6.70.56 | 10 / 2 | |
| 6.70.55 | 10 / 2 | |
| 6.70.54 | 10 / 2 | |
| 6.70.53 | 10 / 2 | |
| 6.70.51 | 10 / 2 | |
| 6.70.50 | 10 / 2 | |
| 6.70.49 | 10 / 2 | |
| 6.70.48 | 10 / 2 | |
| 6.70.47 | 10 / 2 | |
| 6.70.46 | 10 / 2 | |
| 6.70.45 | 10 / 2 | |
| 6.70.44 | 10 / 2 | |
| 6.70.43 | 10 / 2 | |
| 6.70.42 | 10 / 2 | |
| 6.70.41 | 10 / 2 | |
| 6.70.40 | 10 / 2 | |
| 6.70.39 | 10 / 2 | |
| 6.70.37 | 10 / 2 | |
| 6.70.36 | 10 / 2 | |
| 6.70.35 | 10 / 2 | |
| 6.70.34 | 10 / 2 | |
| 6.70.33 | 10 / 2 | |
| 6.70.32 | 10 / 2 | |
| 6.70.31 | 10 / 2 | |
| 6.70.30 | 10 / 2 | |
| 6.70.29 | 10 / 2 | |
| 6.70.28 | 10 / 2 | |
| 6.70.27 | 10 / 2 | |
| 6.70.26 | 10 / 2 | |
| 6.70.25 | 10 / 2 | |
| 6.70.24 | 10 / 2 | |
| 6.70.23 | 10 / 2 | |
| 6.70.22 | 10 / 2 | |
| 6.70.21 | 10 / 2 | |
| 6.70.16 | 9 / 2 | |
| 6.70.15 | 9 / 2 | |
| 6.70.14 | 9 / 2 | |
| 6.70.13 | 9 / 2 | |
| 6.70.12 | 9 / 2 | |
| 6.70.10 | 9 / 2 | |
| 6.70.9 | 9 / 2 | |
| 6.70.8 | 9 / 2 | |
| 6.70.7 | 9 / 2 | |
| 6.70.6 | 9 / 2 |
v6.70.66
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.63
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.62
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.61
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.60
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.59
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.57
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.56
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.55
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.54
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.53
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.51
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.50
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.49
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.48
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.47
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.46
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.45
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.44
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.43
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.42
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.41
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.40
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.39
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.37
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.36
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.35
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.34
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.33
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.32
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.31
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.30
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.29
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.28
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.27
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.26
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.25
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.24
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.23
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.22
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.21
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.16
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.15
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.14
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.13
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.12
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.10
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.9
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.70.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.