likec4

Toolchain for your architecture diagrams

Versions: 5
License: MIT
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation; npm registry signatures; No source commit

Maintainers

davydkov

Keywords

likec4, architecture, diagrams, graph

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
| --- | --- | --- | --- | --- |
| source-diff | obfuscated-file:__app__/chunks/libs/@tanstack/ai-client.mjs | AI (source-diff): Standard rolldown/vite bundle output for likec4; minified library code, no malicious patterns. | ai | |
| source-diff | obfuscated-file:__app__/chunks/libs/@tanstack/ai.mjs | AI (source-diff): Standard rolldown/vite bundle output; legitimate TanStack AI library code. | ai | |
| source-diff | obfuscated-file:__app__/chunks/AIChat2.mjs | AI (source-diff): Standard rolldown/vite bundle output; React component code for AI chat UI. | ai | |
| source-diff | obfuscated-file:dist/chunks/libs/@ts-graphviz/ast.mjs | AI (source-diff): Standard rolldown/vite bundle output; graphviz AST library code. | ai | |
| source-diff | obfuscated-file:dist/chunks/libs/@ts-graphviz/core.mjs | AI (source-diff): Standard rolldown/vite bundle output; graphviz core library code. | ai | |
| source-diff | obfuscated-file:__app__/chunks/css.mjs | AI (source-diff): Standard rolldown/vite bundle output; CSS utility functions. | ai | |
| source-diff | obfuscated-file:dist/chunks/enableServer.mjs | AI (source-diff): Standard rolldown/vite bundle output; Hono MCP server code. | ai | |
| source-diff | obfuscated-file:__app__/chunks/ExportPage.mjs | AI (source-diff): Standard rolldown/vite bundle output; export page React component. | ai | |
| source-diff | obfuscated-file:__app__/chunks/factory.mjs | AI (source-diff): Standard rolldown/vite bundle output for likec4. | ai | |
| source-diff | obfuscated-file:__app__/chunks/libs/superjson.mjs | AI (source-diff): Standard rolldown/vite bundle output; superjson library. | ai | |
| source-diff | large-new-source-files | AI (source-diff): likec4 ships bundled app chunks; new files reflect feature additions (AI chat), not injected code. | ai | |
| phantom-deps | phantom-dep:use-sync-external-store | AI (phantom-deps): Common React ecosystem peer dep; phantom detection is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:@hpcc-js/wasm-graphviz | AI (phantom-deps): Config-referenced dep in a complex build tool; stable false positive for this package. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Used as a capability probe (new Function("")) to detect sandboxed environments, not executing user input. | ai | |
| phantom-deps | phantom-dep:vite-plugin-singlefile | AI (phantom-deps): Config-referenced dep in a complex build tool; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:react-compiler-runtime | AI (phantom-deps): Config-referenced dep in a complex build tool; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:esbuild | AI (phantom-deps): esbuild is a known implicit runtime/binary dependency for build tools; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:fdir | AI (phantom-deps): Config-referenced dep in a complex build tool; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:immer | AI (phantom-deps): Config-referenced dep in a complex build tool; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:yargs | AI (phantom-deps): Config-referenced dep in a complex build tool; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:std-env | AI (phantom-deps): Config-referenced dep in a complex build tool; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:chokidar | AI (phantom-deps): Config-referenced dep in a complex build tool; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:nano-spawn | AI (phantom-deps): Config-referenced dep in a complex build tool; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:playwright | AI (phantom-deps): Config-referenced dep in a complex build tool; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@likec4/icons | AI (phantom-deps): Internal monorepo package; config-referenced, stable false positive. | ai | |
| phantom-deps | phantom-dep:bundle-require | AI (phantom-deps): Config-referenced dep in a complex build tool; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@vitejs/plugin-react | AI (phantom-deps): Config-referenced dep in a complex build tool; stable false positive for this package. | ai | |

Versions (showing 5 of 5)

Version Deps Published
1.57.0 18 / 74
1.56.0 17 / 89
1.55.1 15 / 88
1.55.0 15 / 88
1.54.0 15 / 87

v1.57.0

11 findings
HIGH New obfuscated file: __app__/chunks/libs/@tanstack/ai-client.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: __app__/chunks/libs/@tanstack/ai.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: __app__/chunks/AIChat2.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/chunks/libs/@ts-graphviz/ast.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/chunks/libs/@ts-graphviz/core.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: __app__/chunks/css.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/chunks/enableServer.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: __app__/chunks/ExportPage.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: __app__/chunks/factory.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: __app__/chunks/libs/superjson.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.56.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.55.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.55.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.54.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.