@superblocksteam/vite-plugin-file-sync
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/ai-service/skills/system/superblocks-migration/references/yaml-block-mapping.generated.d.ts | AI (source-diff): Same pattern: generated TypeScript declaration exporting AI skill reference content as a string constant. | ai | |
| source-diff | obfuscated-file:dist/ai-service/test-utils/app-generation-mocks/orders-app.d.ts | AI (source-diff): Long lines are test mock strings containing readable TypeScript/JSON, not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/ai-service/skills/system/third-party-migration/skill.generated.d.ts | AI (source-diff): Same pattern: generated .d.ts exporting a markdown string constant; plainly readable content. | ai | |
| source-diff | obfuscated-file:dist/ai-service/skills/system/superblocks-migration/skill.generated.d.ts | AI (source-diff): Same pattern: generated .d.ts exporting a markdown string constant; plainly readable content. | ai | |
| source-diff | obfuscated-file:dist/ai-service/skills/system/third-party-migration/replit.generated.d.ts | AI (source-diff): Same pattern: generated .d.ts exporting a markdown string constant; plainly readable content. | ai | |
| source-diff | obfuscated-file:dist/ai-service/skills/system/third-party-migration/lovable.generated.d.ts | AI (source-diff): Same pattern: generated .d.ts exporting a markdown string constant; plainly readable content. | ai | |
| source-diff | obfuscated-file:dist/ai-service/skills/system/superblocks-migration/references/focused-debug.generated.d.ts | AI (source-diff): Long-line .d.ts files are generated TypeScript declarations exporting readable markdown strings, not obfuscated code. | ai | |
| phantom-deps | phantom-dep:zod | AI (phantom-deps): zod is a declared runtime dep used in config/type validation; stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/ai-service/prompts/generated/subprompts/full-examples.js | AI (source-diff): Auto-generated markdown-as-string export; long lines are string content, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/ai-service/prompts/generated/library-components/DatePickerPropsDocs.js | AI (source-diff): Auto-generated markdown-as-string export; long lines are string content, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/ai-service/prompts/generated/library-typedefs/EventFlow.js | AI (source-diff): Auto-generated markdown-as-string export; long lines are string content, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/ai-service/prompts/generated/library-components/InputPropsDocs.d.ts | AI (source-diff): Auto-generated type declaration with markdown string; long lines are string content, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/ai-service/prompts/generated/subprompts/full-examples.d.ts | AI (source-diff): Auto-generated type declaration with markdown string; long lines are string content, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/ai-service/prompts/generated/library-typedefs/EventFlow.d.ts | AI (source-diff): Auto-generated type declaration with markdown string; long lines are string content, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/ai-service/prompts/generated/library-components/DatePickerPropsDocs.d.ts | AI (source-diff): Auto-generated type declaration with markdown string; long lines are string content, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/ai-service/prompts/generated/library-components/TextPropsDocs.js | AI (source-diff): Auto-generated markdown-as-string export; long lines are string content, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/ai-service/prompts/generated/library-components/TablePropsDocs.js | AI (source-diff): Auto-generated markdown-as-string export; long lines are string content, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/ai-service/prompts/generated/library-components/InputPropsDocs.js | AI (source-diff): Auto-generated markdown-as-string export; long lines are string content, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/ai-service/skills/system/superblocks-frontend/skill.generated.d.ts | AI (source-diff): Generated .d.ts with long string literal containing markdown docs; not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/ai-service/skills/system/superblocks-api/skill.generated.d.ts | AI (source-diff): Generated .d.ts with long string literal containing markdown docs; not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/ai-service/skills/system/superblocks-api/references/sql-databases.generated.d.ts | AI (source-diff): Generated .d.ts with long string literal containing markdown docs; not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/ai-service/prompt-builder-service/static-fragments/platform-parts/system-incremental.js | AI (source-diff): Long-line content is an AI prompt string literal auto-generated from markdown; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/ai-service/prompt-builder-service/static-fragments/platform-parts/system-specific-edit.d.ts | AI (source-diff): Type declaration for an AI prompt string; long line is the prompt content, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/ai-service/prompt-builder-service/static-fragments/platform-parts/system-incremental.d.ts | AI (source-diff): Type declaration for an AI prompt string; long line is the prompt content, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/ai-service/prompt-builder-service/static-fragments/platform-parts/system-specific-edit.js | AI (source-diff): Long-line content is an AI prompt string literal auto-generated from markdown; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/ai-service/prompt-builder-service/static-fragments/platform-parts/superblocks-theming-chakra-new.js | AI (source-diff): Long lines are embedded markdown documentation strings (AI prompts), not obfuscated code. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/ai-service/agent/apis-system-prompt.d.ts | AI (source-diff): Long lines are embedded AI system prompt strings in a .d.ts declaration file, not obfuscated executable code. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 260 new files correspond to the new ai-service module; consistent with feature expansion, not injection. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps (tar, tokenlens, @babel/types, etc.) are all reputable packages matching the new AI service feature. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers are within the same Superblocks org; consistent with team growth. | ai | |
| source-diff | obfuscated-file:dist/ai-service/skills/system/superblocks-frontend/references/embedding.generated.d.ts | AI (source-diff): Long-line .d.ts files export markdown documentation strings; not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/ai-service/skills/system/superblocks-api/references/graphql.generated.d.ts | AI (source-diff): Long-line .d.ts files export markdown documentation strings; not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/ai-service/skills/system/superblocks-api/references/rest-apis.generated.d.ts | AI (source-diff): Long-line .d.ts files export markdown documentation strings; not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/ai-service/skills/system/superblocks-api/references/code-blocks.generated.d.ts | AI (source-diff): Long-line .d.ts files export markdown documentation strings; not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/ai-service/skills/system/third-party-migration/claude-design.generated.d.ts | AI (source-diff): Long lines are markdown documentation embedded as a string literal in a generated .d.ts file, not obfuscated code. | ai | |
| phantom-deps | phantom-dep:@babel/core | AI (phantom-deps): Framework-scoped, loaded by convention in build tooling. | ai | |
| phantom-deps | phantom-dep:lucide-static | AI (phantom-deps): Config-referenced; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/turndown | AI (phantom-deps): Type-only dep; not directly imported at runtime by design. | ai | |
| phantom-deps | phantom-dep:eventsource-parser | AI (phantom-deps): Config-referenced; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:lru-cache | AI (phantom-deps): Config-referenced dep in a build tool; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@superblocksteam/linter | AI (phantom-deps): Same-org sibling dep; stable false positive for this monorepo package. | ai | |
| phantom-deps | phantom-dep:tokenlens | AI (phantom-deps): Same monorepo pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:winston | AI (phantom-deps): Same monorepo pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@typescript-eslint/parser | AI (phantom-deps): Same monorepo pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:acorn | AI (phantom-deps): Monorepo build tool; phantom-dep heuristic fires on config-referenced deps, stable false positive. | ai | |
| phantom-deps | phantom-dep:ignore | AI (phantom-deps): Same monorepo pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/api-logs | AI (phantom-deps): Same monorepo pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@anthropic-ai/tokenizer | AI (phantom-deps): Same monorepo pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@lezer/common | AI (phantom-deps): Same monorepo pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:path-to-regexp | AI (phantom-deps): Same monorepo pattern; stable false positive for this package. | ai | |
Versions (showing 13 of 115)
| Version | Deps | Published |
|---|---|---|
| 2.0.12 | 33 / 28 | |
| 2.0.11 | 33 / 28 | |
| 2.0.10 | 33 / 26 | |
| 2.0.9 | 33 / 25 | |
| 2.0.8 | 33 / 25 | |
| 2.0.7 | 33 / 25 | |
| 2.0.6 | 32 / 25 | |
| 2.0.5 | 32 / 25 | |
| 2.0.4 | 31 / 25 | |
| 2.0.3 | 31 / 25 | |
| 2.0.2 | 31 / 25 | |
| 2.0.1 | 31 / 25 | |
| 2.0.0 | 31 / 25 | |
v2.0.12
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.11
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.10
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.9
11 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (reported 10 times)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.8
11 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (reported 10 times)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.7
4 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (reported 3 times)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.6
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (reported 2 times)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.5
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (reported 2 times)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.3
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (reported 2 times)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.