@knime/jsonforms
Internal JSON Forms integration for frontend KNIME projects
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/SimpleButtonControl.vue_vue_type_style_index_0_scoped_a203e154_lang-BZ2fsJ3d.js | AI (source-diff): Network/exec pattern is a false positive in bundled Vue component code from a known KNIME package. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-ChVZO70R.js | AI (source-diff): Standard Vite build output for Vue components; minified but not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/SimpleButtonControl.vue_vue_type_style_index_0_scoped_a203e154_lang-BZ2fsJ3d.js | AI (source-diff): Standard Vite build output; samples show normal Vue/ESM imports and lodash patterns. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-oSScT2Z1.js | AI (source-diff): Minified Vite bundle; Vue imports and date-fns utilities, no actual network/exec payload. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_c541eb08_lang-D4jxAp8C.js | AI (source-diff): Minified Vite bundle; Vue component code with lodash, no actual network/exec payload. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-CvB3Xx6t.js | AI (source-diff): Standard Vite minified output for a Vue UI component; long lines are bundled imports, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_c541eb08_lang-D4jxAp8C.js | AI (source-diff): Standard Vite minified output for a Vue component; long lines are bundled imports, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_c541eb08_lang-58jgxWu9.js | AI (source-diff): Vite-bundled Vue component chunk; long lines are minified imports, not malicious network+exec patterns. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-Df4k74nF.js | AI (source-diff): Standard Vite minified output for a Vue rich-text component; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_c541eb08_lang-58jgxWu9.js | AI (source-diff): Standard Vite minified output; long lines are bundled lodash/Vue imports, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-CuTc1DHe.js | AI (source-diff): Vite-bundled Vue/date-fns ESM chunk; no actual network fetch or dynamic eval in the sample. | ai | |
| source-diff | obfuscated-file:dist/SimpleButtonControl.vue_vue_type_style_index_0_scoped_17a4a240_lang-DiQR7rXG.js | AI (source-diff): Minified Vite build output; same false-positive pattern as RichTextControl. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-DBMwKtLh.js | AI (source-diff): Standard Vite-bundled Vue component; 'network+exec' pattern is Vue reactivity APIs in minified output, not malware. | ai | |
| source-diff | net-exec-file:dist/SimpleButtonControl.vue_vue_type_style_index_0_scoped_17a4a240_lang-DiQR7rXG.js | AI (source-diff): Standard Vite-bundled Vue component; same false-positive pattern as localTimeUtils. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-D9QD2_uO.js | AI (source-diff): Minified Vite build output; long lines are expected for bundled Vue components, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-DXn8oGe5.js | AI (source-diff): Standard Vite-bundled Vue/date-fns output; no actual network calls or dynamic eval in samples. | ai | |
| source-diff | obfuscated-file:dist/SimpleButtonControl.vue_vue_type_style_index_0_scoped_17a4a240_lang-CEtlgh5F.js | AI (source-diff): Minified Vite bundle; long lines are standard bundler output for this package. | ai | |
| source-diff | net-exec-file:dist/SimpleButtonControl.vue_vue_type_style_index_0_scoped_17a4a240_lang-CEtlgh5F.js | AI (source-diff): Standard Vite-bundled Vue component output; minified lines trigger rule but no malicious patterns present. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-DxbPKu-F.js | AI (source-diff): Minified Vite bundle of Vue components; long lines are normal bundler output, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/DateTimeInput-D4H9LmQx.js | AI (source-diff): Standard Vite-bundled Vue component; no actual network+exec payload, just bundled imports. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-BLz_U7Ly.js | AI (source-diff): Minified Vite build output; long lines are normal for bundled Vue components. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_625edfbe_lang-DUrp-3o2.js | AI (source-diff): Standard Vite chunk with lodash/Vue internals; no malicious network or exec pattern. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_625edfbe_lang-DUrp-3o2.js | AI (source-diff): Minified Vite build output; long lines are normal for bundled Vue components. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_2310b6b8_lang-_VwaFWB3.js | AI (source-diff): Minified Vite bundle of Vue component; false positive on bundled code patterns. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_2310b6b8_lang-_VwaFWB3.js | AI (source-diff): Standard Vite minified output; long lines are bundled Vue+lodash code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-D9REFhLS.js | AI (source-diff): Standard Vite minified output for a Vue rich-text component; not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-3uql0tij.js | AI (source-diff): Minified Vite bundle of Vue date/time utilities; no actual malicious network+exec pattern. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-D8YXvgUG.js | AI (source-diff): Sample is standard Vue/date-fns bundle output; no real network calls or dynamic exec present. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-B0NArLJ2.js | AI (source-diff): Vite-bundled ESM chunk with Vue/date-fns imports; no real network calls or dynamic exec — stable false positive for this package. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-CdJwDe5o.js | AI (source-diff): Standard Vite-bundled Vue component; network/exec pattern is browser UI APIs, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/SimpleButtonControl.vue_vue_type_style_index_0_scoped_17a4a240_lang-DMw9mAY-.js | AI (source-diff): Minified Vite build output; long lines are expected for bundled Vue component libraries. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-DEapPFRg.js | AI (source-diff): Minified Vite build output; long lines are expected for bundled Vue component libraries. | ai | |
| source-diff | net-exec-file:dist/SimpleButtonControl.vue_vue_type_style_index_0_scoped_17a4a240_lang-DMw9mAY-.js | AI (source-diff): Standard Vite-bundled Vue component; network/exec pattern is browser UI APIs, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_625edfbe_lang-CnDElBeU.js | AI (source-diff): Vite-generated scoped style chunk; sample shows lodash/Vue utilities, no malicious content. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-BzdzJZor.js | AI (source-diff): date-fns/Vue bundle; 'network' and 'exec' signals are false positives from dynamic imports and typeof checks. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_625edfbe_lang-CnDElBeU.js | AI (source-diff): Same Vite chunk as obfuscated-file finding; no actual network or exec payload. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-B9I33cIU.js | AI (source-diff): Vite build artifact for rich-text editor component; no malicious patterns in sample. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_2310b6b8_lang-Bs29kRa4.js | AI (source-diff): Minified Vite bundle with Vue imports; no actual network fetch or eval — analyzer false positive on bundled code. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-LoFBv9wb.js | AI (source-diff): Standard Vite minified output for a UI component; long lines are expected in bundled dist files. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_2310b6b8_lang-Bs29kRa4.js | AI (source-diff): Standard Vite minified output for a UI component; long lines are expected in bundled dist files. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-BHjaCQGk.js | AI (source-diff): Minified Vite bundle with Vue imports; no actual network fetch or eval — analyzer false positive on bundled code. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_c541eb08_lang-QqVBwk2Y.js | AI (source-diff): Standard Vite-bundled Vue component; no actual dropper/loader pattern present. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-qxb7TlZF.js | AI (source-diff): Minified Vite build output for a rich-text Vue component; long lines are expected bundle format. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_c541eb08_lang-QqVBwk2Y.js | AI (source-diff): Minified Vite build output; long lines are expected bundle format for this package. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-B4sXG50p.js | AI (source-diff): Standard Vite-bundled Vue component; imports are from vue/lodash/date-fns, no actual network+exec payload. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-DP_G9eeL.js | AI (source-diff): Minified Vite bundle with readable Vue component structure; long lines are expected for bundled output. | ai | |
| source-diff | obfuscated-file:dist/SimpleButtonControl.vue_vue_type_style_index_0_scoped_17a4a240_lang-BDEWXlve.js | AI (source-diff): Minified Vite bundle; code structure matches legitimate Vue component library, not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/SimpleButtonControl.vue_vue_type_style_index_0_scoped_17a4a240_lang-BDEWXlve.js | AI (source-diff): Same Vite bundle pattern; code is clearly Vue component library output, not malware. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-BKrpWptT.js | AI (source-diff): Vite-bundled Vue component output; network/exec pattern is Vue reactivity + standard JS, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/index-Dyq6GaKc.js | AI (source-diff): Standard Vite minified ESM bundle; no obfuscation, just minified Vue component code. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_625edfbe_lang-Dlr5vvag.js | AI (source-diff): Same Vite bundle pattern; false positive from bundled utility code. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-CWoV802y.js | AI (source-diff): Vite bundle with date-fns and Vue imports; no actual network calls or dynamic code execution. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_625edfbe_lang-Dlr5vvag.js | AI (source-diff): Standard Vite minified ESM bundle; long lines from bundled lodash/date-fns utilities. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-kheYEifs.js | AI (source-diff): Standard Vite minified ESM bundle for a rich text control component. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_625edfbe_lang-CrCHZCp7.js | AI (source-diff): Standard Vite-bundled ESM output; Vue component bundle misidentified as network+exec pattern. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_625edfbe_lang-CrCHZCp7.js | AI (source-diff): Minified Vite build output; long lines are expected for bundled Vue components. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-9vUUhE9J.js | AI (source-diff): Minified Vite build output for a frontend library; long lines are expected bundled code. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-BuFOMGSo.js | AI (source-diff): Standard Vite-bundled ESM output; Vue/lodash imports misidentified as network+exec pattern. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-Jq9ukHjM.js | AI (source-diff): Vite-bundled Vue component chunk; no actual network fetch or eval — minified imports from sibling chunks only. | ai | |
| source-diff | obfuscated-file:dist/SimpleButtonControl.vue_vue_type_style_index_0_scoped_17a4a240_lang-DUiVfobT.js | AI (source-diff): Standard Vite minified output; long lines are normal for bundled Vue components, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-C1gAECu3.js | AI (source-diff): Standard Vite minified output; long lines are normal for bundled Vue components, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/SimpleButtonControl.vue_vue_type_style_index_0_scoped_17a4a240_lang-DUiVfobT.js | AI (source-diff): Vite-bundled Vue component chunk; no actual network fetch or eval — standard minified Vue/lodash bundle. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-DH6GqUeF.js | AI (source-diff): Vite-bundled Vue component output; minified but not obfuscated, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/SimpleButtonControl.vue_vue_type_style_index_0_scoped_17a4a240_lang-DML-OwvR.js | AI (source-diff): Vite-bundled Vue component output; minified but not obfuscated, no malicious patterns. | ai | |
| source-diff | net-exec-file:dist/SimpleButtonControl.vue_vue_type_style_index_0_scoped_17a4a240_lang-DML-OwvR.js | AI (source-diff): Network/exec pattern is from bundled Vue/browser runtime code, not dropper behavior. | ai | |
| source-diff | net-exec-file:dist/SimpleButtonControl.vue_vue_type_style_index_0_scoped_17a4a240_lang-BseRdW9f.js | AI (source-diff): Network/exec pattern is from bundled Vue runtime and lodash-es; no actual dropper behavior in sample. | ai | |
| source-diff | obfuscated-file:dist/SimpleButtonControl.vue_vue_type_style_index_0_scoped_17a4a240_lang-BseRdW9f.js | AI (source-diff): Standard Vite-minified Vue bundle; long lines are normal build output for this package. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-DvYkBpzH.js | AI (source-diff): Standard Vite-minified Vue bundle; long lines are normal build output for this package. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-CvHKGQTr.js | AI (source-diff): Vite-minified ESM bundle; readable code, no obfuscation indicators. Stable pattern for this package. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-C5cOzVPC.js | AI (source-diff): Vite-bundled Vue/date-fns output; no actual network calls or dynamic exec in the sample — stable false positive for this package. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-mOEGN5Ue.js | AI (source-diff): Standard Vite-bundled Vue/date-fns output; no actual network fetch or eval present in samples. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_2310b6b8_lang-nsJBcFCj.js | AI (source-diff): Minified Vite build artifact; long lines are normal bundler output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-DgGRklWy.js | AI (source-diff): Minified Vite build artifact for a Vue component; long lines are normal bundler output, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_2310b6b8_lang-nsJBcFCj.js | AI (source-diff): Standard Vite-bundled Vue component output; no actual network fetch or eval present in samples. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_c541eb08_lang-Do0etb2v.js | AI (source-diff): Standard Vite-minified Vue component bundle; long lines are minification artifacts, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-BlRVDpai.js | AI (source-diff): Bundle imports Vue reactivity and date-fns utilities; no actual network fetch or dynamic code execution present in sample. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_c541eb08_lang-Do0etb2v.js | AI (source-diff): Bundle imports Vue/lodash utilities; no actual network fetch or dynamic code execution present in sample. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-Bk7bf81X.js | AI (source-diff): Standard Vite-minified Vue component bundle; long lines are minification artifacts, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_2310b6b8_lang-BQCvcmqS.js | AI (source-diff): Minified Vite build output for a UI component library; long lines are expected bundled code, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-wdKO5CDb.js | AI (source-diff): Standard Vite-bundled ESM dist file; no actual network/exec payload, just minified Vue+utility code. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_2310b6b8_lang-BQCvcmqS.js | AI (source-diff): Standard Vite-bundled ESM dist file; no actual network/exec payload, just minified Vue+utility code. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-BoNZN7wg.js | AI (source-diff): Minified Vite build output for a UI component library; long lines are expected bundled code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_9a6ceb77_lang-lisURb-9.js | AI (source-diff): Minified Vite build output for a Vue component; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-BFzX4elt.js | AI (source-diff): Minified Vite build output for a Vue component; not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_9a6ceb77_lang-lisURb-9.js | AI (source-diff): Standard Vite-bundled Vue component; no actual network calls or dynamic exec in sample. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-Bjbd8EGK.js | AI (source-diff): Standard Vite-bundled Vue component; no actual network calls or dynamic exec in sample. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-DndZYfl_.js | AI (source-diff): Minified Vite bundle; dynamic component resolution in Vue is not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_625edfbe_lang-ASFeIuVd.js | AI (source-diff): Standard Vite minified output; long lines are expected in bundled dist files. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_625edfbe_lang-ASFeIuVd.js | AI (source-diff): Minified Vite bundle; same false-positive pattern as localTimeUtils. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-CLbVTo3I.js | AI (source-diff): Standard Vite minified output; long lines are expected in bundled dist files. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-CewLhW6l.js | AI (source-diff): Minified Vite build output for a rich text editor component; long lines are expected bundler output. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_2310b6b8_lang-DuZjjKcZ.js | AI (source-diff): Minified Vite bundle; long lines are standard for this package's build output. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_2310b6b8_lang-DuZjjKcZ.js | AI (source-diff): Same pattern: standard Vite bundle with Vue dynamic component resolution, not network+exec malware. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-CjAdGq92.js | AI (source-diff): Vite-bundled Vue component; resolveDynamicComponent is a Vue API, not malware dropper pattern. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-B5X5KcA6.js | AI (source-diff): Sample shows standard Vite-bundled Vue/date-fns code; no actual network calls or dynamic exec present. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_625edfbe_lang-f4_oWidN.js | AI (source-diff): Standard Vite minified bundle; long lines are minified Vue component code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-DkV_1bmO.js | AI (source-diff): Standard Vite minified bundle; long lines are minified Vue component code, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_625edfbe_lang-f4_oWidN.js | AI (source-diff): Vite-bundled ESM chunk; Vue runtime imports misidentified as network+exec; stable pattern for this package. | ai | |
| source-diff | net-exec-file:dist/DateTimeInput-DMWRo8Rw.js | AI (source-diff): Vite-bundled ESM chunk; Vue runtime imports misidentified as network+exec; stable pattern for this package. | ai | |
| npm-metadata | url-dep:v-calendar | AI (npm-metadata): KNIME-owned Bitbucket fork used only in devDependencies; no runtime impact on consumers. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_625edfbe_lang-DuNRJy9L.js | AI (source-diff): Standard Vite-bundled Vue component; no actual network+exec payload, just minified ESM imports. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_625edfbe_lang-DuNRJy9L.js | AI (source-diff): Minified Vite build output for a Vue component library; long lines are expected bundler output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-Cd0CGkK3.js | AI (source-diff): Minified Vite build output for a Vue component library; long lines are expected bundler output, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/DateTimeInput-DTyyMh2m.js | AI (source-diff): Standard Vite-bundled Vue component; no actual network+exec payload, just minified ESM imports. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_c541eb08_lang-EKCgcK7i.js | AI (source-diff): Minified Vite build artifact; long lines are normal for bundled Vue component output. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-D-3Bt71E.js | AI (source-diff): Minified Vite build artifact; long lines are normal for bundled Vue component output. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_c541eb08_lang-EKCgcK7i.js | AI (source-diff): Standard Vite-bundled Vue ESM output; no actual network fetch or eval patterns in the sample. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-BcdHc4dG.js | AI (source-diff): Standard Vite-bundled Vue ESM output; no actual network fetch or eval patterns in the sample. | ai | |
| source-diff | large-new-source-files | AI (source-diff): KNIME component library; large number of split Vite chunks is expected for this package. | ai | |
| source-diff | obfuscated-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_c541eb08_lang-CSDuFZoP.js | AI (source-diff): Minified Vite build output; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/RichTextControl-DboN_qGd.js | AI (source-diff): Minified Vite build output; long lines are normal for bundled Vue components. | ai | |
| source-diff | net-exec-file:dist/SectionHeading.vue_vue_type_style_index_0_scoped_c541eb08_lang-CSDuFZoP.js | AI (source-diff): Same pattern: bundled Vue/lodash code, no real network+exec payload. | ai | |
| source-diff | net-exec-file:dist/localTimeUtils-CutK8k0h.js | AI (source-diff): Standard Vite-bundled Vue component; no actual fetch/eval — analyzer fires on minified ESM imports. | ai | |
| phantom-deps | phantom-dep:@knime/rich-text-editor | AI (phantom-deps): Same-org dep used indirectly; stable false positive. | ai | |
| phantom-deps | phantom-dep:@knime/kds-components | AI (phantom-deps): Same-org dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@jsonforms/vue-vanilla | AI (phantom-deps): Declared runtime dep; used transitively or in config files, not a security concern. | ai | |
| phantom-deps | phantom-dep:@floating-ui/vue | AI (phantom-deps): Declared runtime dep; used transitively or in config files, not a security concern. | ai | |
| phantom-deps | phantom-dep:focus-trap-vue | AI (phantom-deps): Declared runtime dep; used transitively or in config files, not a security concern. | ai | |
| phantom-deps | phantom-dep:@knime/styles | AI (phantom-deps): Same-org dep; declared and used within KNIME ecosystem. | ai | |
| phantom-deps | phantom-dep:@knime/utils | AI (phantom-deps): Same-org dep; declared and used within KNIME ecosystem. | ai | |
| phantom-deps | phantom-dep:tabbable | AI (phantom-deps): Declared runtime dep; used transitively or in config files, not a security concern. | ai | |
| phantom-deps | phantom-dep:date-fns | AI (phantom-deps): Declared runtime dep; used transitively or in config files, not a security concern. | ai | |
| phantom-deps | phantom-dep:uuid | AI (phantom-deps): Declared runtime dep; used transitively or in config files, not a security concern. | ai |
Versions (showing 51 of 100)
| Version | Deps | Published |
|---|---|---|
| 1.23.0 | 11 / 14 | |
| 1.21.20 | 12 / 14 | |
| 1.21.19 | 12 / 14 | |
| 1.21.17 | 12 / 14 | |
| 1.21.15 | 12 / 14 | |
| 1.21.14 | 12 / 14 | |
| 1.21.12 | 14 / 16 | |
| 1.21.9 | 14 / 16 | |
| 1.21.8 | 14 / 16 | |
| 1.21.7 | 14 / 16 | |
| 1.21.6 | 14 / 16 | |
| 1.21.5 | 14 / 16 | |
| 1.21.0 | 14 / 16 | |
| 1.20.2 | 14 / 16 | |
| 1.20.1 | 14 / 16 | |
| 1.19.3 | 14 / 16 | |
| 1.19.1 | 14 / 16 | |
| 1.19.0 | 14 / 16 | |
| 1.18.14 | 14 / 16 | |
| 1.18.13 | 14 / 16 | |
| 1.18.12 | 14 / 16 | |
| 1.18.11 | 14 / 16 | |
| 1.18.10 | 14 / 16 | |
| 1.18.9 | 14 / 15 | |
| 1.18.8 | 14 / 15 | |
| 1.18.7 | 14 / 15 | |
| 1.18.6 | 14 / 15 | |
| 1.18.2 | 14 / 16 | |
| 1.18.1 | 14 / 16 | |
| 1.17.4 | 14 / 16 | |
| 1.17.3 | 14 / 16 | |
| 1.17.2 | 14 / 16 | |
| 1.17.0 | 14 / 16 | |
| 1.16.8 | 14 / 16 | |
| 1.16.7 | 14 / 16 | |
| 1.16.6 | 14 / 16 | |
| 1.16.5 | 14 / 16 | |
| 1.16.4 | 14 / 16 | |
| 1.16.2 | 14 / 16 | |
| 1.16.1 | 14 / 16 | |
| 1.16.0 | 14 / 16 | |
| 1.15.48 | 14 / 16 | |
| 1.15.46 | 14 / 16 | |
| 1.15.45 | 14 / 16 | |
| 1.15.44 | 14 / 16 | |
| 1.15.43 | 14 / 16 | |
| 1.15.42 | 13 / 16 | |
| 1.15.41 | 13 / 16 | |
| 1.15.40 | 13 / 16 | |
| 1.15.35 | 13 / 16 | |
| 1.15.34 | 13 / 16 |
v1.23.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.20
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.19
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.17
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.15
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.14
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.21.12
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.9
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.8
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.7
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.6
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.5
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.20.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.19.3
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.19.1
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.19.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.14
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.9
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.8
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.7
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.6
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.2
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.1
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.17.4
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.17.3
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.17.2
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.17.0
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.8
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.7
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.6
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.5
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.4
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.48
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.46
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.45
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.44
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.43
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.42
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.41
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.40
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.35
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.34
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.