@hyperframes/studio
Browser-based composition editor UI for Hyperframes. Provides a visual timeline, code editor, and live preview for building video compositions.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/assets/index-D1iVE2NO.js | AI (source-diff): Standard Vite minified output with recognizable React license headers; expected build artifact for this package. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BWFaypdT.js | AI (source-diff): Standard Vite-minified bundle with MPL-licensed mediabunny code visible. Expected artifact for this UI package. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BA979yF1.js | AI (source-diff): Standard Vite-minified bundle; React/library code visible in sample. Expected artifact for this UI package. | ai | |
| source-diff | obfuscated-file:dist/assets/index-Di-KR9Jt.js | AI (source-diff): Standard Vite minified bundle with React license headers; normal build artifact for this package. | ai | |
| source-diff | obfuscated-file:dist/assets/index-D624_ioT.js | AI (source-diff): Standard Vite minified SPA bundle with React license headers; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BOdaPmiv.js | AI (source-diff): Standard Vite minified bundle with React license headers; normal build artifact. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BA19FAPN.js | AI (source-diff): Standard Vite-minified React bundle; React license headers visible in sample. Not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DYqqzECY.js | AI (source-diff): Standard Vite/rollup minified bundle with React license headers; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/hyperframes-player-T-ME1rqL.js | AI (source-diff): Standard Vite/rollup minified bundle output; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/index-PGTbQJF5.js | AI (source-diff): Standard Vite minified bundle with React JSX runtime and license headers; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/index-D790O3az.js | AI (source-diff): Standard Vite minified bundle containing React and app code; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/assets/index-B9_ctmee.js | AI (source-diff): Standard Vite minified bundle containing React runtime; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DG5-N9Mj.js | AI (source-diff): Standard Vite bundle containing React and other deps; React license headers visible in sample. | ai | |
| source-diff | obfuscated-file:dist/assets/index-5_KsQTAa.js | AI (source-diff): Standard Vite minified bundle with React JSX runtime and license headers; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/assets/hyperframes-player-BOs_kypk.js | AI (source-diff): Standard Vite minified build output for a player component; CSS and iframe logic visible in sample, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/assets/index-CXGVO3lH.js | AI (source-diff): Standard Vite bundle containing React production min and modulepreload polyfill; normal build artifact for this package. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BpS6tww3.js | AI (source-diff): Standard Vite minified bundle with React license headers; normal build artifact for this package. | ai | |
| publish-pattern | rapid-publish | AI (publish-pattern): CI/CD monorepo with 219 versions in 82 days; rapid publish is expected automated release pattern. | ai | |
| source-diff | obfuscated-file:dist/assets/index-CKJCBFsG.js | AI (source-diff): Standard Vite/React production bundle; React JSX runtime visible in sample. | ai | |
| source-diff | obfuscated-file:dist/assets/index-FFuagZGD.js | AI (source-diff): Standard Vite/React minified bundle; React license headers visible in sample. Expected build output for this package. | ai | |
| source-diff | obfuscated-file:dist/assets/index-Bj3m6A02.js | AI (source-diff): Standard Vite bundle with React production min and license headers; normal build artifact. | ai | |
| source-diff | obfuscated-file:dist/assets/index-2SbRRd33.js | AI (source-diff): Standard Vite minified bundle with React JSX runtime; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/assets/hyperframes-player-0esDKGRk.js | AI (source-diff): Standard Vite minified bundle; readable logic and license headers confirm legitimate build output. | ai | |
| source-diff | obfuscated-file:dist/assets/index-Bvy50smZ.js | AI (source-diff): Standard Vite minified bundle including React; licensed code with clear attribution. | ai | |
| source-diff | obfuscated-file:dist/assets/index-Dcn0cnE7.js | AI (source-diff): Standard Vite bundle with React production build; license headers and recognizable library code confirm legitimate minification. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DqUpjQUw.js | AI (source-diff): Standard Vite minified bundle with React runtime; modulepreload polyfill and JSX runtime are clearly benign. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DfhSlTti.js | AI (source-diff): Standard Vite/React production bundle; minification is expected for this UI component library. | ai | |
| source-diff | obfuscated-file:dist/assets/index-aCeL3Cf-.js | AI (source-diff): Minified React production bundle with Facebook license header; normal build artifact for this package. | ai | |
| source-diff | obfuscated-file:dist/assets/index-B2QGnquo.js | AI (source-diff): Standard Vite minified bundle (React, licensed deps); readable source, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/assets/index-D8oim9P5.js | AI (source-diff): Standard Vite minified bundle with React license headers; consistent with normal build output. | ai | |
| source-diff | obfuscated-file:dist/assets/index-C-pv1DOD.js | AI (source-diff): Standard Vite/React production bundle; sample shows React JSX runtime and licensed library code. | ai | |
| source-diff | obfuscated-file:dist/assets/index-CMBmEncK.js | AI (source-diff): Standard Vite minified bundle; sample shows React production build with license headers. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BP8No8kB.js | AI (source-diff): Standard Vite-bundled React output with @license headers; minification is expected for this UI library. | ai | |
| source-diff | obfuscated-file:dist/assets/index-D1edGAWj.js | AI (source-diff): Standard Vite/React production bundle; React JSX runtime visible in sample confirms legitimate build output. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DZE2PbOv.js | AI (source-diff): Standard Vite/React minified bundle output; React license headers visible in sample confirm legitimate build artifact. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DpbZouXZ.js | AI (source-diff): Standard Vite minified bundle; React JSX runtime visible in sample. Not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/index-ClOiW0pu.js | AI (source-diff): Standard Vite minified build output with React license headers; not obfuscated malware. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/assets/index-Dcw3BoVw.js | AI (source-diff): Standard Vite minified bundle; React license header visible in sample. Expected for this UI package. | ai | |
| source-diff | obfuscated-file:dist/assets/hyperframes-player-DjsVzYFP.js | AI (source-diff): Standard Vite minified bundle with CSS-in-JS; consistent with hyperframes-player build output. | ai | |
| source-diff | obfuscated-file:dist/assets/index-JZr8f8y8.js | AI (source-diff): Standard Vite bundle with React production build; license headers visible, normal minification pattern. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BSe0Kibk.js | AI (source-diff): Standard Vite/React production bundle with @license headers; minified not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BA9LlfxA.js | AI (source-diff): Standard Vite minified bundle; React license headers visible in sample. Not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/index-B0VCLOXQ.js | AI (source-diff): Standard Vite/React production bundle; minified output is expected for this UI component library. | ai | |
| source-diff | obfuscated-file:dist/assets/index-B1XH-ptc.js | AI (source-diff): Standard Vite minified bundle with React license headers; normal build artifact. | ai | |
| source-diff | obfuscated-file:dist/assets/index-CZNoIjSE.js | AI (source-diff): Standard Vite/React minified bundle; React JSX runtime license header visible. Stable false positive. | ai | |
| source-diff | obfuscated-file:dist/assets/hyperframes-player-ItPxPpgM.js | AI (source-diff): Standard Vite minified bundle with readable CSS/HTML structure; consistent with normal build output. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BkBbJZGa.js | AI (source-diff): Standard Vite minified bundle; React license headers visible in sample confirm legitimate build output. | ai | |
| source-diff | obfuscated-file:dist/assets/index-Dc2HfqON.js | AI (source-diff): Standard Vite minified bundle with React license headers; expected build artifact for this package. | ai | |
| source-diff | obfuscated-file:dist/assets/index-C-kAqQVb.js | AI (source-diff): Standard Vite/React minified bundle output; React license headers visible in sample confirm legitimate build artifact. | ai | |
| source-diff | obfuscated-file:dist/assets/index-H0HcrQX6.js | AI (source-diff): Standard Vite minified bundle with React license headers; consistent with normal build output. | ai | |
| source-diff | obfuscated-file:dist/assets/hyperframes-player-WXAuftNy.js | AI (source-diff): Standard Vite minified bundle; readable logic visible in sample, no malicious indicators. | ai | |
| source-diff | obfuscated-file:dist/assets/index-yjhGJAes.js | AI (source-diff): Standard Vite minified bundle with React license headers; normal build artifact. | ai | |
| source-diff | obfuscated-file:dist/assets/index-CveQve6o.js | AI (source-diff): Standard Vite minified bundle with React JSX runtime and license headers. Not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/index-Bs6NmE0o.js | AI (source-diff): Standard Vite-bundled React app output; sample shows React JSX runtime and modulepreload polyfill. | ai | |
| source-diff | obfuscated-file:dist/assets/index-D6EwK2hA.js | AI (source-diff): Standard Vite/React minified bundle; React JSX runtime visible in sample confirms legitimate build artifact. | ai | |
| source-diff | obfuscated-file:dist/assets/index-RzXlAX2g.js | AI (source-diff): Standard Vite minified bundle containing React production build; recognizable React internals in sample. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DxwbBcYY.js | AI (source-diff): Standard Vite/React minified build output; readable license headers and library code confirm no obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/index-4xujzzbu.js | AI (source-diff): Standard Vite/rollup minified bundle with React runtime; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/assets/index-960mgQMI.js | AI (source-diff): Standard Vite minified bundle; React license header visible in sample. Not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/hyperframes-player-CEnWY28J.js | AI (source-diff): Standard Vite minified output with readable CSS and JS patterns. Not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/index-gfyAaaaA.js | AI (source-diff): Standard Vite minified bundle with visible React license headers; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DUqUmaoH.js | AI (source-diff): Standard Vite/React production bundle; minified but not obfuscated — React license headers visible in sample. | ai | |
| source-diff | obfuscated-file:dist/assets/hyperframes-player-DOFETgjy.js | AI (source-diff): Standard Vite build output with readable CSS and JS patterns; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DKII_C6N.js | AI (source-diff): Standard Vite bundle with React production build; Facebook license header visible in sample, no malicious indicators. | ai | |
| source-diff | obfuscated-file:dist/assets/hyperframes-player-DvTKPzaI.js | AI (source-diff): Standard Vite/rollup minified output for a web component player; samples show CSS and normal JS patterns. | ai | |
| source-diff | obfuscated-file:dist/assets/hyperframes-player-BP6jGdt0.js | AI (source-diff): Standard Vite minified bundle of the hyperframes player; readable source logic visible in sample. | ai | |
| source-diff | obfuscated-file:dist/assets/index-B4Cr7MVx.js | AI (source-diff): Standard Vite minified bundle including React runtime; MPL/MIT license headers visible in sample. | ai | |
| source-diff | obfuscated-file:dist/assets/index-Yvtxngdi.js | AI (source-diff): Standard Vite bundle with React license headers; minification is expected for this build tool package. | ai | |
| source-diff | obfuscated-file:dist/assets/hyperframes-player-DOZ3POPj.js | AI (source-diff): Standard Vite minified bundle of @hyperframes/player; content matches declared dep, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BdDNthf4.js | AI (source-diff): Vite bundle containing React runtime (Meta license header visible); normal build artifact. | ai | |
| source-diff | obfuscated-file:dist/assets/index-CqiisJmo.js | AI (source-diff): Standard Vite minified build output with visible React license header; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/hyperframes-player-CoI5h1xv.js | AI (source-diff): Standard Vite minified build output; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/index-D4-n3yWG.js | AI (source-diff): Standard Vite/React production bundle; minification is expected for this UI component package. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BV9ymBm4.js | AI (source-diff): Standard Vite/React production bundle; React license header and recognizable React internals visible in sample. | ai | |
| source-diff | obfuscated-file:dist/assets/index-CGWN-iUB.js | AI (source-diff): Standard Vite minified bundle; sample shows React/JSX runtime and modulepreload polyfill. | ai | |
| source-diff | obfuscated-file:dist/assets/hyperframes-player-D0Yi3xMP.js | AI (source-diff): Standard Vite minified bundle; sample shows legitimate iframe/playback adapter code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/index-18P_dZeo.js | AI (source-diff): Standard Vite/React production bundle; minified output is expected for this UI component package. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DpPtpTye.js | AI (source-diff): Standard Vite bundle with React production build; React license header visible, consistent with normal build output. | ai | |
| source-diff | obfuscated-file:dist/assets/hyperframes-player-Cd8vYWxP.js | AI (source-diff): Standard Vite minified build output; CSS and component code visible in sample, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/hyperframes-player-fBd_vNld.js | AI (source-diff): Standard Vite minified bundle output; React/player code clearly visible in sample. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DsFKgqkT.js | AI (source-diff): Standard Vite minified bundle with React license headers; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/index-D2Zs8pHU.js | AI (source-diff): Standard Vite bundle with React production build; sample shows normal module preload polyfill and React internals. | ai | |
| source-diff | obfuscated-file:dist/assets/index-Do0kAMcy.js | AI (source-diff): Standard Vite minified bundle output; React JSX runtime visible in sample. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DYjmgXgg.js | AI (source-diff): Standard Vite/React minified bundle output; React license header visible in sample. Not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DmiO2Ufp.js | AI (source-diff): Standard Vite minified bundle (React + app code); not obfuscation. Stable pattern for this package. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Used for JS syntax validation in a code editor component; try/catch pattern confirms intent is parsing, not execution of untrusted code. | ai | |
| source-diff | obfuscated-file:dist/assets/index-C55KfVpx.js | AI (source-diff): Standard Vite/React production bundle; React JSX runtime visible in sample. | ai | |
| source-diff | obfuscated-file:dist/assets/hyperframes-player-CWb0VPYD.js | AI (source-diff): Standard Vite minified bundle of the package's own player code; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/index-Dzq4sUj7.js | AI (source-diff): Standard Vite/React production bundle; minification is expected for this package's dist output. | ai | |
| source-diff | obfuscated-file:dist/assets/hyperframes-player-CzwFysqv.js | AI (source-diff): Standard Vite minified bundle output; readable logic visible in sample, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/assets/index-hYc4aP7M.js | AI (source-diff): Standard Vite minified bundle with React runtime; clearly legitimate build artifact. | ai | |
| provenance | missing-githead | AI (provenance): Expected when migrating to GitHub Actions CI publish with SLSA provenance. | ai | |
| provenance | publisher-changed | AI (provenance): Changed to GitHub Actions with SLSA attestation; legitimate CI migration. | ai | |
| source-diff | obfuscated-file:dist/assets/index-BLIJTYAJ.js | AI (source-diff): Standard Vite/React production bundle output; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/assets/hyperframes-player-C6QOH12J.js | AI (source-diff): Minified web component bundle with readable CSS; standard build output. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DSLrl2tB.js | AI (source-diff): MPL-2.0 licensed media library (mediabunny) minified bundle; expected for this package. | ai | |
| source-diff | obfuscated-file:dist/assets/index-CaRE7VOD.js | AI (source-diff): Standard Vite/React minified bundle output; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/index-CAscydDF.js | AI (source-diff): Standard Vite/React production bundle; sample shows React license header and modulepreload polyfill. | ai | |
| source-diff | obfuscated-file:dist/assets/hyperframes-player-vibA20NC.js | AI (source-diff): Standard Vite minified build output; CSS and player component code visible in sample, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/index-D0VntLIQ.js | AI (source-diff): Standard Vite/React production bundle with Facebook license header; minification is expected for this build tool. | ai | |
| source-diff | obfuscated-file:dist/assets/index-DAQNCMgC.js | AI (source-diff): Standard Vite minified build output; React license header visible in sample, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/hyperframes-player-CB8_cuLZ.js | AI (source-diff): Readable CSS and web component code in sample; minified by bundler, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/assets/hyperframes-player-Zx0MOyMy.js | AI (source-diff): Standard Vite minified build output; readable CSS/JS structure with license headers, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/assets/index-FSgUtn41.js | AI (source-diff): Standard Vite minified bundle including React; license header and readable structure confirm legitimate build artifact. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get used for dynamic method dispatch in a playback helper; no obfuscation intent. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Raw IP is 127.0.0.1 in a test fixture URL; not a live exfiltration endpoint. | ai | |
| phantom-deps | phantom-dep:@hyperframes/core | AI (phantom-deps): Same-org dep; phantom-dep heuristic false positive for this monorepo package. | ai | |
| phantom-deps | phantom-dep:codemirror | AI (phantom-deps): codemirror is a declared runtime dep referenced in config; phantom-dep heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:motion | AI (phantom-deps): motion is a declared runtime dep referenced in config; phantom-dep heuristic false positive for this package. | ai |
Versions (showing 43 of 156)
| Version | Deps | Published |
|---|---|---|
| 0.4.17 | 15 / 12 | |
| 0.4.16 | 15 / 12 | |
| 0.4.15 | 15 / 12 | |
| 0.4.14 | 15 / 12 | |
| 0.4.13 | 15 / 12 | |
| 0.4.11 | 15 / 12 | |
| 0.4.10 | 15 / 12 | |
| 0.4.9 | 15 / 12 | |
| 0.4.8 | 15 / 12 | |
| 0.4.7 | 15 / 12 | |
| 0.4.6 | 15 / 12 | |
| 0.4.5 | 15 / 12 | |
| 0.4.4 | 15 / 12 | |
| 0.4.3 | 15 / 12 | |
| 0.4.2 | 15 / 12 | |
| 0.4.0 | 15 / 12 | |
| 0.3.2 | 15 / 12 | |
| 0.3.1 | 15 / 12 | |
| 0.3.0 | 15 / 12 | |
| 0.2.8 | 15 / 12 | |
| 0.2.7 | 15 / 12 | |
| 0.2.6 | 15 / 12 | |
| 0.2.5 | 15 / 12 | |
| 0.2.4 | 14 / 12 | |
| 0.2.3 | 14 / 11 | |
| 0.2.1 | 14 / 11 | |
| 0.2.0 | 14 / 11 | |
| 0.1.15 | 14 / 11 | |
| 0.1.14 | 14 / 11 | |
| 0.1.13 | 14 / 11 | |
| 0.1.12 | 14 / 11 | |
| 0.1.11 | 14 / 11 | |
| 0.1.10 | 13 / 8 | |
| 0.1.9 | 13 / 8 | |
| 0.1.8 | 13 / 8 | |
| 0.1.7 | 13 / 8 | |
| 0.1.6 | 13 / 8 | |
| 0.1.5 | 13 / 8 | |
| 0.1.4 | 13 / 8 | |
| 0.1.3 | 13 / 8 | |
| 0.1.2 | 13 / 8 | |
| 0.1.1 | 13 / 8 | |
| 0.1.0 | 13 / 8 |
v0.4.17
4 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.16
4 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.15
4 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.14
4 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.13
4 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.11
4 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.10
4 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.9
4 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.8
4 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.7
4 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.6
4 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.5
4 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.4
4 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.3
4 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.2
5 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
This version was published by a different npm account than previous versions on 2026-04-16. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.0
5 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
This version was published by a different npm account than previous versions on 2026-04-16. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.2
5 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
This version was published by a different npm account than previous versions on 2026-04-16. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.3
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.1
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.15
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.14
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.13
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.12
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.11
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.10
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.9
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.8
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.