homebridge-config-ui-x

Summary: 3 versions; License; No install scripts; Verified provenance

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- gitHead linked

Maintainers

oznu, northernman, supereg, khaost, ebaauw, dustin.greif, nfarina, bwp91

Keywords

homebridge-plugin, ui, gui, web, homebridge, homebridge-config-ui-x, ui-x, config-ui-x, homebridge-x, homebridge server, homebridge ui, homebridge-ui, homebridge gui, homebridge-gui, web interface, config ui, management, config editor, linux, macOS, osx, windows, raspberry pi, accessory control, smart home, hb-service

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | net-exec-file:public/chunk-6RX3XE55.js | AI (source-diff): Angular/ajv frontend bundle; network+exec pattern is standard UI framework code, not malware. | ai |
source-diff | net-exec-file:public/chunk-GAHGBZ7U.js | AI (source-diff): engine.io/Socket.IO client bundle; network+exec pattern is standard WebSocket client code, not malware. | ai |
semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get() in Angular framework bundle; standard Angular DI pattern, not obfuscation. | ai |
phantom-deps | phantom-dep:@fastify/static | AI (phantom-deps): Fastify plugin registered via config, not direct import pattern. | ai |
semgrep | semgrep:new-function-constructor | AI (semgrep): Fires inside bundled Monaco editor (vs/loader.js); standard pattern in that well-known editor component. | ai |
phantom-deps | phantom-dep:@nestjs/platform-socket.io | AI (phantom-deps): NestJS platform adapter registered via config, not direct import. | ai |
phantom-deps | phantom-dep:class-transformer | AI (phantom-deps): NestJS serialization dependency used via decorators, not direct import. | ai |
semgrep | semgrep:dynamic-require | AI (semgrep): Used in build script to introspect plugin entry points; not runtime user-controlled input. | ai |
phantom-deps | phantom-dep:passport | AI (phantom-deps): NestJS framework dependency used via decorators/config, not direct import. | ai |

Versions (showing 3 of 3)

Version | Deps (prod / dev) | Published
5.24.0 | 40 / 25 |
5.23.0 | 41 / 26 |
5.22.0 | 41 / 26 |

v5.24.0 (3 findings)

- HIGH [source-diff] New file with network + code execution: public/chunk-6RX3XE55.js
  Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

- HIGH [source-diff] New file with network + code execution: public/chunk-GAHGBZ7U.js
  Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

- INFO [provenance] Has SLSA provenance attestation
  Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.23.0 (1 finding)

- INFO [provenance] Has SLSA provenance attestation
  Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.22.0 (1 finding)

- INFO [provenance] Has SLSA provenance attestation
  Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.