@sisense/sdk-ui
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/apply-styled-options-to-query-23D9br-S.cjs | AI (source-diff): Standard Vite/Rollup minified bundle output for this SDK; not malicious obfuscation. | ai | |
| source-diff | net-exec-file:dist/apply-styled-options-to-query-BagjzMqm.js | AI (source-diff): ESM counterpart bundle; same legitimate SDK patterns. | ai | |
| source-diff | obfuscated-file:dist/dimensions-D8r34WRI.cjs | AI (source-diff): Minified dimensions bundle; content shows DimensionalElement SDK code. | ai | |
| source-diff | obfuscated-file:dist/widget-composer-C72Io-3c.cjs | AI (source-diff): Minified widget-composer bundle; standard build artifact. | ai | |
| source-diff | net-exec-file:dist/utils-CsV-iYtb.js | AI (source-diff): Legitimate SDK patterns in ESM utils bundle. | ai | |
| source-diff | obfuscated-file:dist/utils-CsV-iYtb.js | AI (source-diff): ESM utils bundle; standard Vite output. | ai | |
| source-diff | net-exec-file:dist/utils-BwGnDoB0.cjs | AI (source-diff): Legitimate SDK patterns in utils bundle. | ai | |
| source-diff | obfuscated-file:dist/utils-BwGnDoB0.cjs | AI (source-diff): Minified utils bundle; standard build artifact. | ai | |
| source-diff | net-exec-file:dist/use-hover-CaSOzp0i.cjs | AI (source-diff): Legitimate SDK patterns in CJS bundle. | ai | |
| source-diff | obfuscated-file:dist/use-hover-CaSOzp0i.cjs | AI (source-diff): CJS counterpart of the same Vite bundle; standard minification. | ai | |
| source-diff | net-exec-file:dist/use-hover-B6VmMb06.js | AI (source-diff): Legitimate SDK network/execution patterns in bundled output. | ai | |
| source-diff | obfuscated-file:dist/use-hover-B6VmMb06.js | AI (source-diff): Minified Vite bundle chunk; content is recognizable React/Highcharts SDK code. | ai | |
| source-diff | net-exec-file:dist/apply-styled-options-to-query-23D9br-S.cjs | AI (source-diff): Network calls and dynamic code are part of the SDK's legitimate query/fetch logic, not dropper behavior. | ai | |
| source-diff | net-exec-file:dist/apply-styled-options-to-query-D5D8pRl2.cjs | AI (source-diff): CJS counterpart of the same Vite bundle; same rationale as the ESM file. | ai | |
| phantom-deps | phantom-dep:hash-it | AI (phantom-deps): Newly added runtime dep; phantom-dep heuristic fires because it's bundled rather than directly imported at top level. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Large UI library with many bundled chunks; 62 new files consistent with Vite code-splitting refactor. | ai | |
| source-diff | obfuscated-file:dist/index-C9G8giSk.cjs | AI (source-diff): Minified Vite/Rollup bundle; content is Sisense SDK error strings and standard React code. | ai | |
| source-diff | obfuscated-file:dist/apply-styled-options-to-query-D5D8pRl2.cjs | AI (source-diff): Minified Vite/Rollup output; long lines are expected for bundled UI library code. | ai | |
| source-diff | net-exec-file:dist/apply-styled-options-to-query-CaP4IMrQ.js | AI (source-diff): Standard Vite-bundled UI library output; network calls are fetch/HTTP client code, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/utils-Db3U6oHa.js | AI (source-diff): Minified ESM utils chunk from Vite build pipeline. | ai | |
| source-diff | obfuscated-file:dist/apply-styled-options-to-query-k10gkPCG.cjs | AI (source-diff): Standard Vite minified CJS build chunk; consistent with SDK build pipeline. | ai | |
| source-diff | net-exec-file:dist/apply-styled-options-to-query-BzMAmDnD.js | AI (source-diff): Network calls are Sisense API fetches; dynamic execution is async generator pattern from bundler output. | ai | |
| source-diff | net-exec-file:dist/apply-styled-options-to-query-k10gkPCG.cjs | AI (source-diff): Same as ESM counterpart; bundled fetch + async generator, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/dimensions-huCJK0y6.cjs | AI (source-diff): Minified CJS chunk from Vite build; content is Sisense dimensional model code. | ai | |
| source-diff | obfuscated-file:dist/use-hover-CkmV6eu9.js | AI (source-diff): Minified ESM chunk; content is React hook and chart component code. | ai | |
| source-diff | net-exec-file:dist/use-hover-CkmV6eu9.js | AI (source-diff): Bundled fetch + async generator pattern; no exfiltration or shell execution. | ai | |
| source-diff | obfuscated-file:dist/use-hover-D_mBUhp9.cjs | AI (source-diff): Minified CJS chunk; content is React/i18n/Sisense SDK code. | ai | |
| source-diff | net-exec-file:dist/use-hover-D_mBUhp9.cjs | AI (source-diff): Bundled fetch + async generator; no malicious indicators. | ai | |
| source-diff | obfuscated-file:dist/utils-DM5vp1gw.cjs | AI (source-diff): Minified CJS utils chunk from Vite build pipeline. | ai | |
| source-diff | net-exec-file:dist/utils-DM5vp1gw.cjs | AI (source-diff): Bundled fetch + async generator pattern; consistent with SDK utilities. | ai | |
| source-diff | net-exec-file:dist/utils-Db3U6oHa.js | AI (source-diff): Bundled fetch + async generator; no malicious indicators. | ai | |
| source-diff | obfuscated-file:dist/widget-composer-CZ0_bPXK.cjs | AI (source-diff): Minified CJS chunk; consistent with SDK build output. | ai | |
| phantom-deps | phantom-dep:react-error-boundary | AI (phantom-deps): UI SDK pattern; re-exported for consumer convenience. | ai | |
| phantom-deps | phantom-dep:highcharts-react-official | AI (phantom-deps): UI SDK pattern; re-exported for consumer convenience. | ai | |
| phantom-deps | phantom-dep:highcharts-rounded-corners | AI (phantom-deps): UI SDK pattern; re-exported for consumer convenience. | ai | |
| phantom-deps | phantom-dep:@mui/icons-material | AI (phantom-deps): UI SDK pattern; MUI icons imported indirectly through component exports. | ai | |
| phantom-deps | phantom-dep:react-number-format | AI (phantom-deps): UI SDK pattern; re-exported for consumer convenience. | ai | |
| phantom-deps | phantom-dep:yaml | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:fixed-data-table-2 | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:@dnd-kit/utilities | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:@dnd-kit/modifiers | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:markdown-to-jsx | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:@emotion/cache | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:react-i18next | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:whatwg-fetch | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:ts-deepmerge | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:proj4leaflet | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:date-fns-tz | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:@mui/system | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:classnames | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:lodash-es | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:deepmerge | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:dompurify | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:date-fns | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:semver | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:uuid | AI (phantom-deps): Large monorepo bundle; phantom-dep heuristic fires on bundled/re-exported deps, stable false positive. | ai | |
| phantom-deps | phantom-dep:immer | AI (phantom-deps): Same monorepo bundle pattern; stable false positive. | ai | |
Versions (showing 6 of 6)
| Version | Deps | Published |
|---|---|---|
| 2.29.0 | 48 / 54 | |
| 2.28.0 | 47 / 54 | |
| 2.27.0 | 47 / 54 | |
| 2.26.0 | 47 / 54 | |
| 2.25.0 | 47 / 54 | |
| 2.24.0 | 46 / 54 | |
v2.29.0
5 findings:
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.28.0
15 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.27.0
14 findings:
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.26.0
1 finding:
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.25.0
1 finding:
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.24.0
1 finding:
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.