@pisell/materials
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Provenance attestation is a best-practice recommendation, not a security blocker for established packages. | ai | |
| source-diff | obfuscated-file:es/components/pisellToast/squareToast/renderImperatively.js | AI (source-diff): Babel-transpiled output (regenerator-runtime); standard build artifact, not obfuscation. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Active UI component library with 1644 versions; incremental source file additions are expected and consistent with its release history. | ai | |
| source-diff | obfuscated-file:es/components/dataSourceComponents/dataSourceForm/urlUtils.js | AI (source-diff): File is Babel-transpiled ES module output (contains regenerator-runtime MIT header, @babel/helpers patterns). Long lines are a build artifact, not obfuscation. This package ships compiled ES modules as its distribution format. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Established internal component library (1627 versions); minimal metadata is consistent with organizational tooling, not spam. | ai | |
| source-diff | obfuscated-file:es/components/pisellRecordBoard/shellFrame/Calendar/BookingCalendar.js | AI (source-diff): File contains standard Babel-transpiled ES5 output (canonical helpers: _typeof, _objectSpread, _regeneratorRuntime). Long lines are minified compiled output, not malicious obfuscation. Normal for a React component library shipping compiled artifacts. | ai | |
| source-diff | obfuscated-file:es/components/pisellRecordBoard/shellFrame/Calendar/BookingCalendarDemo.js | AI (source-diff): File contains standard Babel-transpiled/bundled React component output with recognizable helpers (regeneratorRuntime, _typeof). Long lines are from bundling, not intentional obfuscation. Consistent with this UI component library's build pattern. | ai | |
| dependencies | unvetted-dep:@react-spring/web | AI (dependencies): @react-spring/web is a well-known, widely-used React animation library. Its use in a UI component library is expected and benign. | ai | |
| phantom-deps | phantom-dep:antd-mobile | AI (phantom-deps): antd-mobile is a legitimate declared dependency referenced in config files; phantom-dep finding is a packaging style issue, not a security concern. | ai |
Versions (showing 51 of 97)
| Version | Deps | Published |
|---|---|---|
| 6.11.87 | 30 / 45 | |
| 6.11.86 | 30 / 45 | |
| 6.11.85 | 30 / 45 | |
| 6.11.74 | 30 / 45 | |
| 6.11.72 | 30 / 45 | |
| 6.11.58 | 30 / 45 | |
| 6.11.50 | 30 / 45 | |
| 6.11.49 | 30 / 45 | |
| 6.11.48 | 30 / 45 | |
| 6.11.47 | 30 / 45 | |
| 6.11.46 | 30 / 45 | |
| 6.11.45 | 30 / 45 | |
| 6.11.44 | 30 / 45 | |
| 6.11.42 | 30 / 45 | |
| 6.11.41 | 30 / 45 | |
| 6.11.39 | 30 / 45 | |
| 6.11.38 | 30 / 45 | |
| 6.11.37 | 31 / 45 | |
| 6.11.36 | 31 / 45 | |
| 6.11.35 | 31 / 45 | |
| 6.11.34 | 31 / 45 | |
| 6.11.33 | 31 / 45 | |
| 6.11.32 | 31 / 45 | |
| 6.11.31 | 31 / 45 | |
| 6.11.30 | 31 / 45 | |
| 6.11.29 | 31 / 45 | |
| 6.11.28 | 31 / 45 | |
| 6.11.27 | 31 / 45 | |
| 6.11.20 | 30 / 41 | |
| 6.11.19 | 30 / 41 | |
| 6.11.18 | 30 / 41 | |
| 6.11.3 | 29 / 41 | |
| 6.11.2 | 29 / 41 | |
| 6.11.1 | 29 / 41 | |
| 6.9.5 | 29 / 41 | |
| 6.8.19 | 29 / 40 | |
| 6.8.18 | 29 / 40 | |
| 6.8.17 | 29 / 40 | |
| 6.8.13 | 29 / 40 | |
| 6.6.1 | 29 / 24 | |
| 6.5.9 | 29 / 24 | |
| 6.5.8 | 29 / 24 | |
| 6.5.7 | 29 / 24 | |
| 6.4.17 | 29 / 24 | |
| 6.4.16 | 29 / 24 | |
| 6.4.15 | 29 / 24 | |
| 6.4.14 | 29 / 24 | |
| 6.4.8 | 28 / 24 | |
| 6.4.7 | 28 / 24 | |
| 6.3.41 | 27 / 45 | |
| 6.3.40 | 27 / 45 |
v6.11.87
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: zsj1037797769.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.86
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: zsj1037797769.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.85
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: zsj1037797769.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.74
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.72
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.58
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.50
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.49
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.11.48
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.47
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.46
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.45
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.44
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.42
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.41
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.39
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.38
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.37
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.36
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.35
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.34
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.33
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.32
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.31
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.30
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.29
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.28
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.27
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.20
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.19
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.11.18
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.11.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.9.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.8.19
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.8.18
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.8.17
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.8.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.6.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.5.9
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zsj1037797769) than the most recent previously approved version (xiangfeng.xue) on 2025-10-31, but zsj1037797769 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.5.8
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zsj1037797769) than the most recent previously approved version (xiangfeng.xue) on 2025-10-30, but zsj1037797769 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.5.7
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zsj1037797769) than the most recent previously approved version (xiangfeng.xue) on 2025-10-30, but zsj1037797769 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.4.16
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zsj1037797769) than the most recent previously approved version (zhiwei.wang) on 2025-11-07, but zsj1037797769 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v6.4.15
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.14
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.8
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.7
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.41
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.40
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.