@module-federation/dts-plugin
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/expose-rpc-mEaCWCcd.js | AI (source-diff): Bundled RPC server code; net+exec is core functionality for this DTS plugin. | ai | |
| source-diff | net-exec-file:dist/esm/expose-rpc-BgxOTFXQ.mjs | AI (source-diff): ESM variant of same bundled RPC server; stable pattern for this package. | ai | |
| source-diff | net-exec-file:dist/expose-rpc-CQq6zYK-.js | AI (source-diff): This is a legitimate build artifact for the dts-plugin's RPC server. Network (undici/WebSocket) + child_process usage is expected for remote type fetching and synchronization in Module Federation. | ai | |
| source-diff | net-exec-file:dist/esm/expose-rpc-B-zm7DmJ.mjs | AI (source-diff): ESM equivalent of the same RPC server artifact. Network and process execution are core to this package's documented type-sharing functionality. | ai | |
| source-diff | net-exec-file:dist/esm/expose-rpc-DMhY1i8A.mjs | AI (source-diff): ESM variant of the same bundled RPC server artifact. Legitimate imports matching declared deps; standard rolldown hash-suffixed output. No malicious indicators. | ai | |
| source-diff | net-exec-file:dist/expose-rpc-BLAH20uj.js | AI (source-diff): Bundled RPC server for module federation DTS sharing; network+fs+child_process usage is expected and all deps are declared. No obfuscation or exfiltration patterns. SLSA provenance attested. | ai | |
| source-diff | net-exec-file:dist/expose-rpc-BAS_80E1.js | AI (source-diff): Bundled build artifact for a DTS plugin; network (axios/http/https) and process (child_process) usage is expected for fetching remote type declarations and running tsc. No obfuscation or malicious payload. | ai | |
| source-diff | net-exec-file:dist/esm/expose-rpc-CyOKS7gM.mjs | AI (source-diff): ESM variant of the same bundled artifact; same rationale — legitimate DTS plugin functionality, SLSA provenance attested, no malicious indicators. | ai | |
| source-diff | net-exec-file:dist/esm/expose-rpc-DsABkfLc.mjs | AI (source-diff): ESM equivalent of the same bundled RPC server code; same rationale — legitimate build tool functionality with SLSA provenance confirming CI/CD origin. | ai | |
| source-diff | net-exec-file:dist/expose-rpc-DkHFNYya.js | AI (source-diff): Bundled dist output for the DTS plugin's RPC server; imports are all legitimate known packages. Network+exec usage is expected for a build tool that fetches remote types and spawns TS compilation. | ai | |
| source-diff | net-exec-file:dist/esm/chunk-MV6M4VFH.js | AI (source-diff): File implements a WebSocket-based dev server (DevServer.ts) using declared deps (isomorphic-ws, child_process). Pattern is consistent with MF dev tooling; no obfuscation or exfiltration. | ai | |
| source-diff | net-exec-file:dist/esm/chunk-RWXNVNFM.js | AI (source-diff): Network + exec pattern is a dev server broker (WebSocket + child_process.fork) for MF type synchronization — legitimate and consistent with the package's documented purpose. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): SLSA provenance attestation via Sigstore strongly mitigates account-takeover risk; dormancy is likely a gap in the release cadence for this monorepo package, not a compromise indicator. | ai | |
| source-diff | net-exec-file:dist/esm/chunk-JGZ276AJ.js | AI (source-diff): New chunk is bundled ESM output for a DTS/TypeScript build plugin; exec() calls invoke tsc, network calls support the module federation dev server. Legitimate build tool behavior, confirmed by SLSA provenance attestation. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): undici replaces axios as HTTP client; both serve the same purpose. undici is a well-maintained Node.js core team package. | ai | |
| source-diff | net-exec-file:dist/esm/expose-rpc--EENEdVk.mjs | AI (source-diff): ESM equivalent of the same RPC/broker bundle. Same legitimate pattern — network + child_process for DTS type sharing infrastructure. | ai | |
| source-diff | net-exec-file:dist/expose-rpc-BPeKtqLv.js | AI (source-diff): Bundled RPC/broker artifact for DTS distribution; network (undici/ws) + child_process (TypeScript compilation) is the package's documented design. Not malware. | ai | |
| source-diff | net-exec-file:dist/expose-rpc-C93yOgOB.js | AI (source-diff): This is a legitimate bundled build artifact for the dts-plugin RPC server. Network and child_process usage is core functionality for TypeScript declaration exchange between federated modules. | ai | |
| source-diff | net-exec-file:dist/esm/expose-rpc-DJAoDLdo.mjs | AI (source-diff): ESM variant of the same legitimate RPC server bundle. Network/exec usage is expected and declared in package.json dependencies. SLSA provenance confirms CI/CD origin. | ai | |
| source-diff | net-exec-file:dist/esm/expose-rpc-Pg59hZO8.mjs | AI (source-diff): ESM equivalent of the same RPC server bundle; network+fs usage is expected and legitimate for this plugin's documented functionality. | ai | |
| source-diff | net-exec-file:dist/expose-rpc-xfJEPIyY.js | AI (source-diff): Bundled RPC server code for DTS exchange between federated modules; network+fs usage is expected and legitimate for this plugin's documented functionality. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Part of the module-federation/core monorepo; missing description is a cosmetic issue, not a malice signal for this established package. | ai | |
| phantom-deps | phantom-dep:rambda | AI (phantom-deps): rambda is a legitimate functional utility library; phantom detection likely reflects indirect usage paths in this plugin. | ai | |
| phantom-deps | phantom-dep:ws | AI (phantom-deps): ws is a legitimate WebSocket dependency for a DTS distribution plugin; phantom detection likely reflects indirect usage paths. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Monorepo sub-package from module-federation/core; sparse README and missing keywords are typical for large monorepo packages, not spam indicators. | ai | |
Versions (showing 24 of 24)
| Version | Deps | Published |
|---|---|---|
| 2.5.0 | 10 / 10 | |
| 2.4.0 | 10 / 10 | |
| 2.3.3 | 10 / 10 | |
| 2.3.2 | 10 / 10 | |
| 2.3.1 | 11 / 10 | |
| 2.3.0 | 14 / 10 | |
| 2.2.3 | 15 / 10 | |
| 2.2.2 | 15 / 10 | |
| 2.2.1 | 15 / 10 | |
| 2.2.0 | 15 / 8 | |
| 2.1.0 | 15 / 8 | |
| 2.0.1 | 16 / 9 | |
| 2.0.0 | 16 / 9 | |
| 0.24.1 | 16 / 9 | |
| 0.24.0 | 16 / 9 | |
| 0.23.0 | 16 / 8 | |
| 0.22.1 | 16 / 8 | |
| 0.22.0 | 16 / 8 | |
| 0.21.6 | 16 / 8 | |
| 0.21.5 | 16 / 8 | |
| 0.21.4 | 16 / 8 | |
| 0.21.3 | 16 / 8 | |
| 0.21.2 | 16 / 8 | |
| 0.20.0 | 16 / 8 | |
v2.5.0
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.4.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.3.3
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.3.2
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.3.1
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.3.0
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.2.3
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.2.2
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.2.1
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.2.0
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1.0
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.1
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.0
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.24.1
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.24.0
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.23.0
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.22.1
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.22.0
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.21.6
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.21.5
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.21.4
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.21.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.21.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.20.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.