@feedmepos/mf-report
v5 portal report UI
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/app-CBHDMsDR.js | AI (source-diff): Standard Vite/Rollup minified bundle for a Vue 3 micro-frontend; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/processTableData.worker-Be0ZD94L.js | AI (source-diff): Minified Web Worker bundle from Vite build; normal for this package. | ai | |
| source-diff | net-exec-file:dist/NavigationTab.vue_vue_type_script_setup_true_lang-DDbNobqI.js | AI (source-diff): Network calls are vue-router navigation; dynamic execution is Vue's renderSlot/resolveDynamicComponent — standard framework patterns. | ai | |
| source-diff | obfuscated-file:dist/NavigationTab.vue_vue_type_script_setup_true_lang-DDbNobqI.js | AI (source-diff): Minified Vue SFC chunk from Vite build; normal for this package. | ai | |
| source-diff | obfuscated-file:dist/Integrations-BUojqghs.js | AI (source-diff): Minified Vue chunk from Vite build; normal for this package. | ai | |
| source-diff | obfuscated-file:dist/GlobalFilterSelect.vue_vue_type_script_setup_true_lang-BDXjO_Sp.js | AI (source-diff): Minified Vue SFC chunk from Vite build; normal for this package. | ai | |
| source-diff | obfuscated-file:dist/assets/formatChartData.worker-DaLXwMTs.js | AI (source-diff): Minified Web Worker bundle from Vite build; normal for this package. | ai | |
| source-diff | obfuscated-file:dist/assets/formatChartData.worker-CM1Z4AJT.js | AI (source-diff): Minified web worker bundle; Dart/rollup commonjs shim pattern, no exfiltration. | ai | |
| source-diff | obfuscated-file:dist/assets/processTableData.worker-DlxE2vZ8.js | AI (source-diff): Minified web worker bundle; same Dart/rollup shim as formatChartData worker. | ai | |
| source-diff | net-exec-file:dist/NavigationTab.vue_vue_type_script_setup_true_lang-DE2dxChA.js | AI (source-diff): SPA routing + lazy-loading pattern; no dropper/loader behavior in sample. | ai | |
| source-diff | obfuscated-file:dist/NavigationTab.vue_vue_type_script_setup_true_lang-DE2dxChA.js | AI (source-diff): Minified Vue SFC chunk; net-exec false positive from standard fetch+dynamic import in SPA. | ai | |
| source-diff | obfuscated-file:dist/Integrations-C6qtgYcR.js | AI (source-diff): Minified Vue SFC chunk; no suspicious network or exec patterns. | ai | |
| source-diff | obfuscated-file:dist/GlobalFilterSelect.vue_vue_type_script_setup_true_lang-CvDkDKbD.js | AI (source-diff): Minified Vue SFC chunk; imports only from known @feedmepos/* and pinia. | ai | |
| source-diff | obfuscated-file:dist/app-DVjmSBbE.js | AI (source-diff): Standard Vite/Rollup minified bundle for a Vue 3 micro-frontend; no malicious payload. | ai | |
| source-diff | obfuscated-file:dist/app-DMXIz8ol.js | AI (source-diff): Standard Vite bundle output for this Vue micro-frontend; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/processTableData.worker-CQMw9rvu.js | AI (source-diff): Minified web worker bundle for table data processing; consistent with package purpose. | ai | |
| source-diff | net-exec-file:dist/NavigationTab.vue_vue_type_script_setup_true_lang-Ck7HaJRh.js | AI (source-diff): Network calls and dynamic imports are normal Vue router/component patterns in this micro-frontend. | ai | |
| source-diff | obfuscated-file:dist/NavigationTab.vue_vue_type_script_setup_true_lang-Ck7HaJRh.js | AI (source-diff): Standard Vite-compiled Vue SFC chunk; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/Integrations-CpMUHiCw.js | AI (source-diff): Standard Vite bundle chunk; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/GlobalFilterSelect.vue_vue_type_script_setup_true_lang-ZAOWE1vp.js | AI (source-diff): Standard Vite-compiled Vue SFC chunk; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/formatChartData.worker-BlVUDagT.js | AI (source-diff): Minified web worker bundle; consistent with chart data processing in this package. | ai | |
| npm-metadata | url-dep:extra-packages | AI (npm-metadata): Local file dep is in devDependencies only; does not affect published package consumers. | ai | |
| dependencies | unvetted-dep:@feedmepos/feature-flag | AI (dependencies): Same org scope (@feedmepos); internal dependency stable across versions. | ai | |
| dependencies | unvetted-dep:@feedmepos/custom-attributes | AI (dependencies): Same org scope (@feedmepos); internal dependency stable across versions. | ai | |
| npm-metadata | url-dep:report-v4-dart | AI (npm-metadata): File-local devDependency used only during build; not shipped in published dist. | ai | |
| npm-metadata | url-dep:query-engine-dart | AI (npm-metadata): File-local devDependency used only during build; not shipped in published dist. | ai | |
| source-diff | obfuscated-file:dist/app-VSV4uxyh.js | AI (source-diff): Standard Vite minified bundle for this Vue micro-frontend; pattern is stable across versions. | ai | |
| source-diff | obfuscated-file:dist/assets/formatChartData.worker-CVp--g2e.js | AI (source-diff): Minified web worker bundle; Dart/JS interop boilerplate, no exfiltration. | ai | |
| source-diff | net-exec-file:dist/NavigationTab.vue_vue_type_script_setup_true_lang-CoaKAOy7.js | AI (source-diff): Network calls and dynamic component resolution are standard Vue router/async-component patterns in this micro-frontend. | ai | |
| source-diff | obfuscated-file:dist/NavigationTab.vue_vue_type_script_setup_true_lang-CoaKAOy7.js | AI (source-diff): Minified Vue component chunk; imports only from same-package and @feedmepos/* deps. | ai | |
| source-diff | obfuscated-file:dist/Integrations-T5mzrxXG.js | AI (source-diff): Minified Vue route chunk from Vite build; no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/assets/processTableData.worker-CklDKC06.js | AI (source-diff): Minified web worker for table data processing; same Dart/JS boilerplate as formatChartData worker. | ai | |
| source-diff | obfuscated-file:dist/BaseDialog.vue_vue_type_script_setup_true_lang-Be3F_dkn.js | AI (source-diff): Minified Vue component chunk from Vite build; no malicious patterns. | ai | |
| phantom-deps | phantom-dep:vue-i18n | AI (phantom-deps): Bundled micro-frontend; deps declared for peer resolution, not direct import. | ai | |
| phantom-deps | phantom-dep:chart.js | AI (phantom-deps): Bundled micro-frontend; deps declared for peer resolution, not direct import. | ai | |
| phantom-deps | phantom-dep:consola | AI (phantom-deps): Bundled micro-frontend; deps declared for peer resolution, not direct import. | ai | |
| phantom-deps | phantom-dep:dotenv | AI (phantom-deps): Bundled micro-frontend; deps declared for peer resolution, not direct import. | ai | |
| phantom-deps | phantom-dep:dayjs | AI (phantom-deps): Bundled micro-frontend; deps declared for peer resolution, not direct import. | ai | |
| phantom-deps | phantom-dep:axios | AI (phantom-deps): Bundled micro-frontend; deps declared for peer resolution, not direct import. | ai | |
| phantom-deps | phantom-dep:@feedmepos/feature-flag | AI (phantom-deps): Same-org dep; bundled micro-frontend pattern. | ai | |
| phantom-deps | phantom-dep:xlsx | AI (phantom-deps): Bundled micro-frontend; deps declared for peer resolution, not direct import. | ai | |
| phantom-deps | phantom-dep:@feedmepos/custom-attributes | AI (phantom-deps): Same-org dep; bundled micro-frontend pattern. | ai | |
| phantom-deps | phantom-dep:@feedmepos/hrm-permission | AI (phantom-deps): Same-org dep; bundled micro-frontend pattern. | ai | |
| phantom-deps | phantom-dep:uuid | AI (phantom-deps): Bundled micro-frontend; deps declared for peer resolution, not direct import. | ai | |
| phantom-deps | phantom-dep:@casl/ability | AI (phantom-deps): Bundled micro-frontend; deps declared for peer resolution, not direct import. | ai | |
| phantom-deps | phantom-dep:vuedraggable | AI (phantom-deps): Bundled micro-frontend; deps declared for peer resolution, not direct import. | ai | |
| phantom-deps | phantom-dep:consola-loki | AI (phantom-deps): Bundled micro-frontend; deps declared for peer resolution, not direct import. | ai | |
| phantom-deps | phantom-dep:change-case | AI (phantom-deps): Bundled micro-frontend; deps declared for peer resolution, not direct import. | ai |
Versions (showing 32 of 32)
| Version | Deps | Published |
|---|---|---|
| 5.27.3 | 20 / 20 | |
| 5.25.8 | 20 / 20 | |
| 5.24.3 | 20 / 20 | |
| 5.23.1 | 20 / 20 | |
| 5.22.31 | 20 / 20 | |
| 5.22.29 | 20 / 20 | |
| 5.22.26 | 20 / 20 | |
| 5.22.25 | 20 / 20 | |
| 5.22.23 | 20 / 20 | |
| 5.22.21 | 20 / 20 | |
| 5.22.20 | 20 / 20 | |
| 5.22.15 | 20 / 20 | |
| 5.22.12 | 20 / 20 | |
| 5.22.7 | 18 / 20 | |
| 5.22.3 | 18 / 20 | |
| 5.22.1 | 18 / 20 | |
| 5.16.2 | 18 / 21 | |
| 5.15.1 | 18 / 21 | |
| 5.14.1 | 18 / 21 | |
| 5.11.2 | 18 / 21 | |
| 5.11.1 | 18 / 21 | |
| 5.10.9 | 18 / 21 | |
| 5.10.7 | 18 / 21 | |
| 5.10.2 | 18 / 21 | |
| 5.9.3 | 18 / 21 | |
| 5.9.2 | 18 / 21 | |
| 5.8.0 | 18 / 21 | |
| 5.7.6 | 18 / 21 | |
| 5.7.3 | 18 / 21 | |
| 5.7.2 | 18 / 21 | |
| 5.5.19 | 18 / 21 | |
| 5.5.13 | 18 / 21 |
v5.27.3
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.25.8
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.24.3
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.23.1
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.22.29
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.22.26
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.22.25
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.22.23
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.22.21
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.22.20
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.22.15
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.22.12
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.22.7
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.22.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.22.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.16.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.15.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.14.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.11.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.11.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.10.9
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.10.7
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.10.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.9.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.9.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.8.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.7.6
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.7.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.7.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.5.19
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.5.13
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.