← Home

@nocobase/plugin-file-manager

npm Homepage

Provides files storage services with files collection template and attachment field.

19
Versions
Apache-2.0
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

chenosjiannlu

Keywords

CollectionsCollection fields

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff obfuscated-file:dist/node_modules/cos-nodejs-sdk-v5/index.js AI (source-diff): Minified webpack bundle of the legitimate cos-nodejs-sdk-v5 Tencent COS SDK; not malicious obfuscation. ai
source-diff net-exec-file:dist/node_modules/cos-nodejs-sdk-v5/index.js AI (source-diff): Network+exec pattern is inherent to the COS SDK bundle (HTTP requests + dynamic module loading); not a dropper. ai
source-diff obfuscated-file:dist/node_modules/ali-oss/lib/client.js AI (source-diff): Long lines are from minified bundling of ali-oss and its quickjs-emscripten dependency. Not obfuscation — legitimate open-source library code. ai
source-diff net-exec-file:dist/node_modules/ali-oss/dist/aliyun-oss-sdk.js AI (source-diff): This is the legitimate Alibaba Cloud OSS browser SDK v6.20.0 (ali-oss npm package). Network calls are to OSS endpoints; no malicious code execution pattern. ai
source-diff large-new-source-files AI (source-diff): Large file count increase is explained by bundling the ali-oss SDK and its dependencies into dist/node_modules for the first time in this version. ai
source-diff net-exec-file:dist/node_modules/ali-oss/lib/client.js AI (source-diff): Bundled ali-oss client with quickjs-emscripten sandbox. Network calls are for OSS storage operations; dynamic eval is the quickjs JS sandbox, not malware. ai
source-diff net-exec-file:dist/node_modules/ali-oss/dist/aliyun-oss-sdk.min.js AI (source-diff): Minified version of the legitimate ali-oss browser SDK. Same rationale as the non-minified version — standard cloud storage SDK behavior. ai

Versions (showing 19 of 119)

Version Deps Published
1.9.16 1 / 25
1.9.15 1 / 25
1.9.14 1 / 25
1.9.13 1 / 25
1.9.12 1 / 25
1.9.11 1 / 25
1.9.10 1 / 25
1.9.9 1 / 25
1.9.8 1 / 25
1.9.7 1 / 25
1.9.6 1 / 25
1.9.5 1 / 25
1.9.4 1 / 25
1.9.3 1 / 25
1.9.2 1 / 25
1.9.1 1 / 25
1.9.0 1 / 25
1.8.33 1 / 25
1.8.32 1 / 25

v1.9.16

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.15

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.14

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.13

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.12

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.11

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.10

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.9

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.8

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.7

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.6

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.8.33

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.8.32

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.