@office-open/core
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): @noble/hashes is a well-audited crypto library; replaces hash.js for SHA usage visible in bundle. | ai | |
| source-diff | obfuscated-file:dist/index-BqJRDf5H.d.mts | AI (source-diff): Type declaration bundle; long lines are concatenated type definitions, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/smartart-DCY-Vdv7.mjs | AI (source-diff): Bundler output with hash in filename; samples show readable OOXML SmartArt code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/src-DPuDEZYF.mjs | AI (source-diff): Bundler chunk; samples show legitimate OOXML library code with known imports. | ai | |
| source-diff | obfuscated-file:dist/theme-CiNzdl-9.mjs | AI (source-diff): Bundler output; sample shows readable theme XML generation code. | ai | |
| source-diff | obfuscated-file:dist/smartart-3Aw0Aho1.mjs | AI (source-diff): File is readable bundled ESM output from a TypeScript build, not obfuscated; long lines are from bundler, not malicious encoding. | ai | |
| source-diff | obfuscated-file:dist/smartart-9ZpWgmIy.mjs | AI (source-diff): Bundled ESM output; sampled code is clearly readable SmartArt category mappings. | ai | |
| source-diff | obfuscated-file:dist/drawingml-B-2eEHAF.mjs | AI (source-diff): Bundled ESM output with long lines from template literals; code is readable and legitimate OOXML logic. | ai | |
| source-diff | obfuscated-file:dist/theme-FWD_20fH.mjs | AI (source-diff): Bundled ESM output; long lines are XML template literals, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/index-DEvpdl1o.d.mts | AI (source-diff): Bundled TypeScript declaration file; long lines are concatenated interface definitions, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/index-C-DvIxek.d.mts | AI (source-diff): TypeScript declaration file with readable interface definitions; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/drawingml-anlfMLLZ.mjs | AI (source-diff): Bundled ESM output with readable code; long lines from template literals, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/smartart-BAhTD2yA.mjs | AI (source-diff): Bundled ESM output with readable SmartArt layout data; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/theme-DmJXjgQs.mjs | AI (source-diff): Bundled ESM output; long lines are XML template literals, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/index.js | AI (source-diff): Long lines are bundled ESM imports from a Vite/rollup build; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/index.d.ts | AI (source-diff): TypeScript declaration file with long import lines from bundler; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/smartart-DGNfjKA9.js | AI (source-diff): File contains readable source-mapped code; long lines are bundled imports. | ai | |
| source-diff | obfuscated-file:dist/smartart-vyDm6U1_.mjs | AI (source-diff): File is standard bundled ESM output with readable code; long-line heuristic fires on minified build artifacts for this package. | ai | |
| source-diff | obfuscated-file:dist/smartart-BKz8xM1k.mjs | AI (source-diff): File is readable bundled ESM output with comments and named identifiers; long lines are from bundler, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/smartart-DBQ_rRfK.mjs | AI (source-diff): Minified ESM build output; sample is readable OOXML layout data, not obfuscation. Expected for this package's build pipeline. | ai | |
| source-diff | obfuscated-file:dist/smartart-CwzSHTBd.mjs | AI (source-diff): Bundled ESM output from vp pack; long lines are minified but readable OOXML layout data, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/smartart-CdBk8E0n.mjs | AI (source-diff): Standard bundled ESM output for an OOXML library; content is readable layout constants, not obfuscated malware. | ai | |
| phantom-deps | phantom-dep:nanoid | AI (phantom-deps): Declared runtime dep; used indirectly through bundled output. | ai | |
| source-diff | obfuscated-file:dist/smartart-C-ZIRmWU.mjs | AI (source-diff): Standard minified ESM build output for OOXML SmartArt; content is clearly legitimate XML component code. | ai | |
| source-diff | obfuscated-file:dist/xml-components-Csq7gWPd.mjs | AI (source-diff): Standard minified ESM build output for XML components; content is clearly legitimate library code. | ai | |
| phantom-deps | phantom-dep:fflate | AI (phantom-deps): Declared runtime dep; used via bundled archive.mjs output, not directly imported in source. | ai | |
| phantom-deps | phantom-dep:hash.js | AI (phantom-deps): Declared runtime dep; used indirectly through bundled output. | ai | |
| source-diff | obfuscated-file:dist/smartart-Cx1qa6k_.mjs | AI (source-diff): Long lines are bundled ESM output, not obfuscation; code is readable and domain-appropriate. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): Scoped OOXML library; name similarity to 'cors' is coincidental, not impersonation. | ai |
Versions (showing 35 of 35)
| Version | Deps | Published |
|---|---|---|
| 0.9.2 | 3 / 0 | |
| 0.9.1 | 3 / 0 | |
| 0.8.1 | 5 / 0 | |
| 0.8.0 | 5 / 0 | |
| 0.7.1 | 5 / 0 | |
| 0.7.0 | 4 / 0 | |
| 0.6.10 | 4 / 0 | |
| 0.6.9 | 4 / 0 | |
| 0.6.8 | 4 / 0 | |
| 0.6.7 | 4 / 0 | |
| 0.6.6 | 4 / 0 | |
| 0.6.5 | 4 / 0 | |
| 0.6.4 | 4 / 0 | |
| 0.6.3 | 4 / 0 | |
| 0.6.2 | 4 / 0 | |
| 0.6.1 | 4 / 0 | |
| 0.6.0 | 4 / 0 | |
| 0.5.3 | 4 / 0 | |
| 0.5.2 | 4 / 0 | |
| 0.5.1 | 4 / 0 | |
| 0.5.0 | 4 / 0 | |
| 0.4.6 | 4 / 0 | |
| 0.4.5 | 4 / 0 | |
| 0.4.4 | 4 / 0 | |
| 0.4.3 | 4 / 0 | |
| 0.4.2 | 4 / 0 | |
| 0.4.1 | 4 / 0 | |
| 0.4.0 | 4 / 0 | |
| 0.3.6 | 4 / 0 | |
| 0.3.5 | 4 / 0 | |
| 0.3.4 | 4 / 0 | |
| 0.3.3 | 4 / 0 | |
| 0.3.2 | 4 / 0 | |
| 0.3.1 | 4 / 0 | |
| 0.3.0 | 4 / 0 |
v0.9.2
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.1
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.1
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.0
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.1
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.10
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.9
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.8
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.7
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.6
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.5
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.4
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.3
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.2
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.1
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.3
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.2
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.1
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.0
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.6
2 findingsPackage name '@office-open/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.5
2 findingsPackage name '@office-open/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.4
2 findingsPackage name '@office-open/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.3
2 findingsPackage name '@office-open/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.2
2 findingsPackage name '@office-open/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.1
2 findingsPackage name '@office-open/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.0
2 findingsPackage name '@office-open/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.6
2 findingsPackage name '@office-open/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.5
2 findingsPackage name '@office-open/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.4
2 findingsPackage name '@office-open/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.3
2 findingsPackage name '@office-open/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.2
2 findingsPackage name '@office-open/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.1
2 findingsPackage name '@office-open/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.0
2 findingsPackage name '@office-open/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.