just-bash
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/bin/chunks/flag-coverage-F4EAJUHL.js | AI (source-diff): esbuild minified chunk output; stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/bin/shell/chunks/flag-coverage-F4EAJUHL.js | AI (source-diff): esbuild minified chunk output; stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/bundle/chunks/flag-coverage-U322DJFL.js | AI (source-diff): esbuild minified chunk output; stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/bundle/chunks/file-NQP3CKRV.js | AI (source-diff): esbuild --minify output; file command implementation. | ai | |
| source-diff | obfuscated-file:dist/bin/shell/chunks/file-6PCTL3MH.js | AI (source-diff): esbuild --minify output; file command implementation. | ai | |
| source-diff | obfuscated-file:dist/bin/chunks/file-6PCTL3MH.js | AI (source-diff): esbuild --minify output; file command implementation. | ai | |
| source-diff | obfuscated-file:dist/bundle/chunks/curl-XLP4VABU.js | AI (source-diff): esbuild --minify output; curl command implementation. | ai | |
| source-diff | obfuscated-file:dist/bin/shell/chunks/curl-TH7YRBSA.js | AI (source-diff): esbuild --minify output; curl command implementation. | ai | |
| source-diff | obfuscated-file:dist/bin/chunks/curl-TH7YRBSA.js | AI (source-diff): esbuild --minify output; curl command implementation. | ai | |
| source-diff | obfuscated-file:dist/bin/shell/chunks/awk2-GFEJOWML.js | AI (source-diff): esbuild --minify output; same build pipeline. | ai | |
| source-diff | obfuscated-file:dist/bin/chunks/awk2-GFEJOWML.js | AI (source-diff): esbuild --minify output; same build pipeline. | ai | |
| source-diff | obfuscated-file:dist/bundle/chunks/awk2-6FBZTP57.js | AI (source-diff): esbuild --minify output; build scripts in package.json confirm minification pipeline. | ai | |
| source-diff | obfuscated-file:dist/bundle/chunks/grep-NIC6JNLH.js | AI (source-diff): esbuild --minify output; grep command implementation. | ai | |
| source-diff | obfuscated-file:dist/bin/shell/chunks/find-PHDZK64M.js | AI (source-diff): esbuild --minify output; find command implementation. | ai | |
| source-diff | obfuscated-file:dist/bin/chunks/find-PHDZK64M.js | AI (source-diff): esbuild --minify output; find command implementation. | ai | |
| source-diff | obfuscated-file:dist/bin/chunks/grep-VX7MJMVN.js | AI (source-diff): esbuild --minify output; grep command implementation. | ai | |
| source-diff | obfuscated-file:dist/bundle/chunks/find-YGMSVGUV.js | AI (source-diff): esbuild --minify output; find command implementation. | ai | |
| provenance | no-provenance | AI (provenance): Informational; no provenance is common and not a security risk on its own. | ai | |
| source-diff | obfuscated-file:dist/bin/chunks/python3-V2HDKCNM.js | AI (source-diff): esbuild minified bundle output; readable python3 command logic | ai | |
| source-diff | obfuscated-file:dist/bin/chunks/flag-coverage-IK7WVGOO.js | AI (source-diff): esbuild minified bundle output; consistent with build scripts | ai | |
| source-diff | obfuscated-file:dist/bundle/chunks/python3-DNGS4G3E.js | AI (source-diff): esbuild minified bundle output; readable python3 command logic | ai | |
| source-diff | obfuscated-file:dist/bundle/chunks/flag-coverage-QFOIESUP.js | AI (source-diff): esbuild minified bundle output; consistent with build scripts | ai | |
| source-diff | obfuscated-file:dist/bin/shell/chunks/flag-coverage-IK7WVGOO.js | AI (source-diff): esbuild minified bundle output; consistent with build scripts | ai | |
| source-diff | obfuscated-file:dist/bin/shell/chunks/python3-TG6BXZCZ.js | AI (source-diff): esbuild minified bundle output; readable python3 command logic | ai | |
| source-diff | obfuscated-file:dist/bin/chunks/python3-YJ7YGEW7.js | AI (source-diff): Minified esbuild output for Python3 worker thread IPC bridge; content is readable and consistent with legitimate shell emulator functionality. | ai | |
| source-diff | obfuscated-file:dist/bin/shell/chunks/python3-YJ7YGEW7.js | AI (source-diff): Minified esbuild output for Python3 worker thread IPC bridge; content is readable and consistent with legitimate shell emulator functionality. | ai | |
| source-diff | obfuscated-file:dist/bundle/chunks/python3-6Y4Z63NZ.js | AI (source-diff): Minified esbuild output for Python3 worker thread IPC bridge; SharedArrayBuffer/Atomics usage is consistent with the package's CPython-Emscripten integration. | ai | |
| source-diff | obfuscated-file:dist/bin/shell/chunks/awk2-A73ZNFXJ.js | AI (source-diff): Standard esbuild minified output per documented build scripts; chunk naming matches [name]-[hash] pattern. Not obfuscation. | ai | |
| source-diff | large-new-source-files | AI (source-diff): just-bash is a bash emulator that bundles many command implementations; large file counts are expected as new commands (awk, curl, etc.) are added. | ai | |
| source-diff | obfuscated-file:dist/bundle/chunks/curl-C43O5WQS.js | AI (source-diff): Standard esbuild minified output per documented build scripts; chunk naming matches [name]-[hash] pattern. Not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/bin/shell/chunks/curl-BN5M3BUX.js | AI (source-diff): Standard esbuild minified output per documented build scripts; chunk naming matches [name]-[hash] pattern. Not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/bin/chunks/curl-BN5M3BUX.js | AI (source-diff): Standard esbuild minified output per documented build scripts; chunk naming matches [name]-[hash] pattern. Not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/bundle/chunks/awk2-QWBT4IFJ.js | AI (source-diff): Standard esbuild minified output per documented build scripts; chunk naming matches [name]-[hash] pattern. Not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/bin/chunks/awk2-A73ZNFXJ.js | AI (source-diff): Standard esbuild minified output per documented build scripts; chunk naming matches [name]-[hash] pattern. Not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/bin/shell/chunks/flag-coverage-CFWN3JJN.js | AI (source-diff): Minified esbuild output for coverage-instrumented shell build variant; consistent with documented build scripts. | ai | |
| source-diff | obfuscated-file:dist/bin/chunks/flag-coverage-CFWN3JJN.js | AI (source-diff): Minified esbuild output for coverage-instrumented build variant; consistent with documented build scripts using --minify and --splitting. | ai | |
| source-diff | obfuscated-file:dist/bundle/chunks/flag-coverage-VML3BMJT.js | AI (source-diff): Minified esbuild bundle output for coverage variant; consistent with documented build scripts. | ai | |
| source-diff | obfuscated-file:dist/bundle/chunks/python3-2OHR6PZU.js | AI (source-diff): Minified esbuild output for Python3 command implementation using worker threads; legitimate functionality for a bash emulator package. | ai | |
| source-diff | obfuscated-file:dist/bin/shell/chunks/python3-E5X6WBBU.js | AI (source-diff): Minified esbuild output for Python3 shell command; legitimate functionality consistent with documented build process. | ai | |
| source-diff | obfuscated-file:dist/bundle/chunks/flag-coverage-YHMPSZHK.js | AI (source-diff): esbuild minified chunk output with content-addressed hash naming; standard build artifact for this package's explicit esbuild --minify --splitting pipeline. | ai | |
| source-diff | obfuscated-file:dist/bin/chunks/flag-coverage-23SVOOPG.js | AI (source-diff): esbuild minified chunk output with content-addressed hash naming; standard build artifact for this package's explicit esbuild --minify --splitting pipeline. | ai | |
| source-diff | obfuscated-file:dist/bin/shell/chunks/flag-coverage-23SVOOPG.js | AI (source-diff): esbuild minified chunk output with content-addressed hash naming; standard build artifact for this package's explicit esbuild --minify --splitting pipeline. | ai | |
| provenance | publisher-changed | AI (provenance): Transition from cramforce (Malte Ubl, Vercel) to GitHub Actions CI/CD publishing for vercel-labs/just-bash is a legitimate automation change, backed by SLSA provenance attestation. | ai | |
| provenance | missing-githead | AI (provenance): GitHub Actions CI publishing environment may not embed gitHead; SLSA provenance attestation provides equivalent supply chain integrity. | ai | |
| source-diff | obfuscated-file:dist/bin/chunks/awk2-OKD2P6CM.js | AI (source-diff): Standard esbuild --minify output for AWK interpreter; build scripts confirm minification. Not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/bundle/chunks/awk2-YNEKUV4T.js | AI (source-diff): Same esbuild minified AWK interpreter bundle; package.json build scripts confirm --minify flag. | ai | |
| source-diff | obfuscated-file:dist/bin/shell/chunks/awk2-OKD2P6CM.js | AI (source-diff): Duplicate of bin/chunks variant; same esbuild minified output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/bundle/chunks/flag-coverage-KCADAH3N.js | AI (source-diff): esbuild minified chunk output from build:lib script using --splitting --chunk-names=chunks/[name]-[hash]. Standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/bin/shell/chunks/flag-coverage-CVSXSL4T.js | AI (source-diff): esbuild minified chunk output from build:shell script using --splitting --chunk-names=chunks/[name]-[hash]. Standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/bin/chunks/flag-coverage-CVSXSL4T.js | AI (source-diff): esbuild minified chunk output with hash-suffixed name, consistent with build:cli script using --splitting --chunk-names=chunks/[name]-[hash]. Standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/bundle/chunks/awk2-46RTIZKB.js | AI (source-diff): just-bash ships esbuild-minified output by design; all flagged files are standard --minify build artifacts, not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/bundle/browser.js | AI (source-diff): A bash emulator for browsers legitimately contains fetch calls (network) and shell command execution patterns; not dropper/loader behavior. | ai | |
| source-diff | obfuscated-file:dist/bin/shell/chunks/awk2-D2US2LMM.js | AI (source-diff): esbuild --minify output for shell bundle; same content as CLI chunk, standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/bin/chunks/awk2-D2US2LMM.js | AI (source-diff): esbuild --minify output for CLI bundle; code samples show AWK interpreter logic, not malware. | ai | |
| source-diff | obfuscated-file:dist/bundle/browser.js | AI (source-diff): Browser bundle built with esbuild --minify --platform=browser; 548KB is expected for a full bash emulator bundled for browsers. | ai | |
| source-diff | obfuscated-file:dist/bin/chunks/flag-coverage-WM63KT7D.js | AI (source-diff): esbuild minified chunk output; import-only content with no malicious patterns. Standard build artifact for this package. | ai | |
| source-diff | obfuscated-file:dist/bundle/chunks/flag-coverage-H2IQM6DS.js | AI (source-diff): esbuild minified chunk output; import-only content with no malicious patterns. Standard build artifact for this package. | ai | |
| source-diff | obfuscated-file:dist/bin/shell/chunks/flag-coverage-WM63KT7D.js | AI (source-diff): esbuild minified chunk output; import-only content with no malicious patterns. Standard build artifact for this package. | ai | |
| source-diff | net-exec-file:dist/bundle/index.cjs | AI (source-diff): Network+exec pattern is WASM loader fetching .wasm binary and executing it — standard Emscripten/WASM runtime behavior, not dropper malware. | ai | |
| source-diff | obfuscated-file:vendor/cpython-emscripten/python.cjs | AI (source-diff): Standard Emscripten-generated loader for CPython WASM runtime. Long lines are expected in Emscripten output. | ai | |
| source-diff | obfuscated-file:dist/bundle/index.cjs | AI (source-diff): Standard esbuild minified CJS bundle output; build script explicitly uses --format=cjs --minify. Not obfuscation. | ai | |
| phantom-deps | phantom-dep:ini | AI (phantom-deps): Declared as runtime dep but externalized in esbuild build scripts; phantom-dep fires due to bundling architecture, not a real missing import. | ai | |
| phantom-deps | phantom-dep:yaml | AI (phantom-deps): Declared runtime dep externalized in esbuild build; phantom-dep is a false positive from bundling architecture. | ai | |
| phantom-deps | phantom-dep:diff | AI (phantom-deps): Explicitly marked --external:diff in esbuild build scripts; phantom-dep is a false positive from the bundling architecture. | ai | |
| phantom-deps | phantom-dep:fast-xml-parser | AI (phantom-deps): Declared runtime dep externalized in esbuild build; phantom-dep is a false positive from bundling architecture. | ai | |
| phantom-deps | phantom-dep:sprintf-js | AI (phantom-deps): Explicitly marked --external:sprintf-js in esbuild build scripts; phantom-dep is a false positive from bundling architecture. | ai | |
| phantom-deps | phantom-dep:compressjs | AI (phantom-deps): Explicitly marked --external:compressjs in esbuild build scripts; phantom-dep is a false positive from bundling architecture. | ai | |
| phantom-deps | phantom-dep:smol-toml | AI (phantom-deps): Declared runtime dep externalized in esbuild build; phantom-dep is a false positive from bundling architecture. | ai | |
| phantom-deps | phantom-dep:papaparse | AI (phantom-deps): Declared runtime dep externalized in esbuild build; phantom-dep is a false positive from bundling architecture. | ai | |
| phantom-deps | phantom-dep:minimatch | AI (phantom-deps): Explicitly marked --external:minimatch in esbuild build scripts; phantom-dep is a false positive from bundling architecture. | ai | |
| phantom-deps | phantom-dep:file-type | AI (phantom-deps): Declared runtime dep externalized in esbuild build; phantom-dep is a false positive from bundling architecture. | ai | |
| phantom-deps | phantom-dep:turndown | AI (phantom-deps): Explicitly marked --external:turndown in esbuild build scripts; phantom-dep is a false positive from bundling architecture. | ai | |
| phantom-deps | phantom-dep:sql.js | AI (phantom-deps): Explicitly marked --external:sql.js in esbuild build scripts; phantom-dep is a false positive from bundling architecture. | ai | |
| phantom-deps | phantom-dep:re2js | AI (phantom-deps): Declared runtime dep externalized in esbuild build; phantom-dep is a false positive from bundling architecture. | ai | |
Versions (showing 51 of 82)
| Version | Deps | Published |
|---|---|---|
| 3.0.1 | 15 / 12 | |
| 3.0.0 | 15 / 12 | |
| 2.14.5 | 15 / 12 | |
| 2.14.4 | 15 / 12 | |
| 2.14.3 | 15 / 12 | |
| 2.14.1 | 15 / 13 | |
| 2.14.0 | 15 / 13 | |
| 2.13.1 | 15 / 13 | |
| 2.13.0 | 15 / 13 | |
| 2.12.8 | 14 / 13 | |
| 2.12.7 | 14 / 13 | |
| 2.12.6 | 14 / 13 | |
| 2.12.5 | 14 / 13 | |
| 2.12.4 | 14 / 13 | |
| 2.12.3 | 14 / 13 | |
| 2.12.2 | 14 / 13 | |
| 2.12.1 | 14 / 13 | |
| 2.12.0 | 14 / 13 | |
| 2.11.15 | 14 / 13 | |
| 2.11.14 | 14 / 13 | |
| 2.11.13 | 14 / 13 | |
| 2.11.12 | 14 / 13 | |
| 2.11.11 | 14 / 13 | |
| 2.11.10 | 14 / 13 | |
| 2.11.9 | 15 / 13 | |
| 2.11.8 | 15 / 13 | |
| 2.11.7 | 15 / 13 | |
| 2.11.5 | 15 / 13 | |
| 2.11.4 | 15 / 13 | |
| 2.11.3 | 15 / 13 | |
| 2.11.2 | 15 / 13 | |
| 2.11.1 | 15 / 13 | |
| 2.11.0 | 15 / 13 | |
| 2.10.6 | 15 / 13 | |
| 2.10.5 | 15 / 13 | |
| 2.10.4 | 15 / 13 | |
| 2.10.3 | 15 / 13 | |
| 2.10.2 | 15 / 13 | |
| 2.10.1 | 15 / 13 | |
| 2.10.0 | 15 / 13 | |
| 2.9.8 | 15 / 13 | |
| 2.9.7 | 15 / 13 | |
| 2.9.6 | 15 / 13 | |
| 2.9.5 | 15 / 13 | |
| 2.9.4 | 15 / 13 | |
| 2.9.3 | 15 / 13 | |
| 2.9.2 | 15 / 13 | |
| 2.9.1 | 15 / 12 | |
| 2.9.0 | 15 / 12 | |
| 2.8.1 | 15 / 12 | |
| 2.7.0 | 15 / 12 | |
v3.0.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.14.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.14.4
7 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.14.3
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
This version was published by a different npm account than previous versions on 2026-04-26. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.14.1
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.14.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: cramforce.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.13.1
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: cramforce.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.13.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: cramforce.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.12.8
7 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: cramforce.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.12.7
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: cramforce.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.12.6
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.12.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.12.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.12.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.12.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.12.1
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.12.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.11.15
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.11.14
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.11.13
7 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.11.12
7 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.11.11
7 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.11.10
7 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.11.9
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.11.8
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.11.7
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.11.5
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.11.4
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.11.3
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.11.2
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.11.1
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.11.0
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.10.6
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.10.5
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.10.4
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.10.3
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.10.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.10.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.10.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.9.8
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.9.7
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.9.6
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.9.5
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.9.4
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.9.3
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.9.2
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.9.1
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.9.0
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.8.1
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.0
15 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.