ckeditor5-collaboration
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:obfuscation-hex-functions | AI (semgrep): CKEditor5 commercial collaboration packages intentionally ship obfuscated code to protect proprietary IP; package.json explicitly declares 'obfuscated': true. Stable pattern for this package. | ai | |
| semgrep | semgrep:obfuscation-while-true | AI (semgrep): Same intentional obfuscation as above; while(!![]) is a known artifact of javascript-obfuscator used by CKSource for commercial plugin protection. | ai | |
| provenance | no-provenance | AI (provenance): Established CKEditor publisher with long track record; lack of Sigstore provenance is common and not a disqualifier here. | ai | |

Versions (showing 12 of 12)
| Version | Deps | Published |
|---|---|---|
| 47.7.2 | 1 / 0 | |
| 47.7.1 | 1 / 0 | |
| 47.7.0 | 1 / 0 | |
| 47.6.2 | 1 / 0 | |
| 47.6.1 | 1 / 0 | |
| 47.6.0 | 1 / 0 | |
| 47.5.0 | 1 / 0 | |
| 47.4.0 | 1 / 0 | |
| 47.3.0 | 1 / 0 | |
| 47.2.0 | 1 / 0 | |
| 47.1.0 | 1 / 0 | |
| 47.0.0 | 1 / 0 | |

v47.7.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v47.7.1
7 findings
while(!![]) loop is a signature of javascript-obfuscator output 21 | * 22 | */ > 23 | (function(_0x1d492f,_0x3097bb){var _0xa0092d=_0x4bc4,_0x59f4d6=_0x1d492f();while(!![]){try{var _0x51f264=parseInt(_0xa00
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator 21 | * 22 | */ > 23 | (function(_0x1d492f,_0x3097bb){var _0xa0092d=_0x4bc4,_0x59f4d6=_0x1d492f();while(!![]){try{var _0x51f264=parseInt(_0xa00
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator 21 | * 22 | */ > 23 | (function(_0x1d492f,_0x3097bb){var _0xa0092d=_0x4bc4,_0x59f4d6=_0x1d492f();while(!![]){try{var _0x51f264=parseInt(_0xa00
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator 21 | * 22 | */ > 23 | function _0x2819(){var _0x14f7d1=['99645CngjiI','13275jAUFSI','246961CqlrnF','8477910PdGwdo','4384rlfKMT','850296nxQKbk'
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator 21 | * 22 | */ > 23 | function _0x2819(){var _0x14f7d1=['99645CngjiI','13275jAUFSI','246961CqlrnF','8477910PdGwdo','4384rlfKMT','850296nxQKbk'
while(!![]) loop is a signature of javascript-obfuscator output 21 | * 22 | */ > 23 | function _0x2819(){var _0x14f7d1=['99645CngjiI','13275jAUFSI','246961CqlrnF','8477910PdGwdo','4384rlfKMT','850296nxQKbk'
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v47.7.0
7 findings
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator 21 | * 22 | */ > 23 | function _0x1280(){var _0x126d22=['8960eAiFvR','2934fNsFTD','118394HdhFvg','6hsskXn','997505EIOfFE','7175718PIkuqv','208
while(!![]) loop is a signature of javascript-obfuscator output 21 | * 22 | */ > 23 | function _0x1280(){var _0x126d22=['8960eAiFvR','2934fNsFTD','118394HdhFvg','6hsskXn','997505EIOfFE','7175718PIkuqv','208
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator 21 | * 22 | */ > 23 | function _0x1280(){var _0x126d22=['8960eAiFvR','2934fNsFTD','118394HdhFvg','6hsskXn','997505EIOfFE','7175718PIkuqv','208
while(!![]) loop is a signature of javascript-obfuscator output 21 | * 22 | */ > 23 | (function(_0x44b907,_0x4803ac){var _0x45d7d8=_0x170e,_0x186064=_0x44b907();while(!![]){try{var _0x4fd6d1=-parseInt(_0x45
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator 21 | * 22 | */ > 23 | (function(_0x44b907,_0x4803ac){var _0x45d7d8=_0x170e,_0x186064=_0x44b907();while(!![]){try{var _0x4fd6d1=-parseInt(_0x45
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator 21 | * 22 | */ > 23 | (function(_0x44b907,_0x4803ac){var _0x45d7d8=_0x170e,_0x186064=_0x44b907();while(!![]){try{var _0x4fd6d1=-parseInt(_0x45
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v47.6.2
7 findings
while(!![]) loop is a signature of javascript-obfuscator output 21 | * 22 | */ > 23 | (function(_0x5c5ef5,_0x5611e4){var _0x3a8464=_0x241e,_0x51051b=_0x5c5ef5();while(!![]){try{var _0x498ecc=-parseInt(_0x3a
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator 21 | * 22 | */ > 23 | (function(_0x5c5ef5,_0x5611e4){var _0x3a8464=_0x241e,_0x51051b=_0x5c5ef5();while(!![]){try{var _0x498ecc=-parseInt(_0x3a
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator 21 | * 22 | */ > 23 | (function(_0x5c5ef5,_0x5611e4){var _0x3a8464=_0x241e,_0x51051b=_0x5c5ef5();while(!![]){try{var _0x498ecc=-parseInt(_0x3a
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator 21 | * 22 | */ > 23 | function _0x47ab(){var _0x5c9ebd=['7kRgsHr','11047100hwoePi','40MIltDS','86517QMLJOY','4213266LFAunS','248TCJDXa','50493
while(!![]) loop is a signature of javascript-obfuscator output 21 | * 22 | */ > 23 | function _0x47ab(){var _0x5c9ebd=['7kRgsHr','11047100hwoePi','40MIltDS','86517QMLJOY','4213266LFAunS','248TCJDXa','50493
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator 21 | * 22 | */ > 23 | function _0x47ab(){var _0x5c9ebd=['7kRgsHr','11047100hwoePi','40MIltDS','86517QMLJOY','4213266LFAunS','248TCJDXa','50493
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v47.6.0
7 findings
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator 21 | * 22 | */ > 23 | function _0x1ddd(){var _0x27d8a6=['614205AblaBt','368Jwshcu','54BisvGY','358296WXoNmu','10DTuuFo','257PDploF','489956KOq
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator 21 | * 22 | */ > 23 | function _0x1ddd(){var _0x27d8a6=['614205AblaBt','368Jwshcu','54BisvGY','358296WXoNmu','10DTuuFo','257PDploF','489956KOq
while(!![]) loop is a signature of javascript-obfuscator output 21 | * 22 | */ > 23 | function _0x1ddd(){var _0x27d8a6=['614205AblaBt','368Jwshcu','54BisvGY','358296WXoNmu','10DTuuFo','257PDploF','489956KOq
while(!![]) loop is a signature of javascript-obfuscator output 21 | * 22 | */ > 23 | (function(_0x6c94f6,_0x266ac1){var _0x480c6a=_0x4d27,_0x4b9a5a=_0x6c94f6();while(!![]){try{var _0x28c231=-parseInt(_0x48
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator 21 | * 22 | */ > 23 | (function(_0x6c94f6,_0x266ac1){var _0x480c6a=_0x4d27,_0x4b9a5a=_0x6c94f6();while(!![]){try{var _0x28c231=-parseInt(_0x48
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator 21 | * 22 | */ > 23 | (function(_0x6c94f6,_0x266ac1){var _0x480c6a=_0x4d27,_0x4b9a5a=_0x6c94f6();while(!![]){try{var _0x28c231=-parseInt(_0x48
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v47.4.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v47.1.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v47.0.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.