@umijs/deps

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

xusd320yifankakaxixierenyuanstormslowlyxiefengniansorryccchenshuai2144kuitospeachscriptxiaohuoni

Keywords

umi

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:compiled/prompts/index.js	AI (source-diff): Minified bundle of the 'prompts' npm library; standard vendoring pattern for @umijs/deps.	ai	2026/05/22
source-diff	encoded-string-file:compiled/webpack/5/bundle5.js	AI (source-diff): Long base64 string is a WebAssembly binary (es-module-lexer); standard in webpack 5 bundle.	ai	2026/05/22
semgrep	semgrep:env-spread	AI (semgrep): Inside compiled/execa bundle; expected behavior for process spawning library.	ai	2026/05/22
semgrep	semgrep:child-process-import	AI (semgrep): Compiled address/execa/cross-spawn bundles legitimately use child_process.	ai	2026/05/22
semgrep	semgrep:new-function-constructor	AI (semgrep): Fires in compiled babel-loader/template engine bundles; expected pattern.	ai	2026/05/22
semgrep	semgrep:dynamic-require	AI (semgrep): Compiled webpack/babel bundles use dynamic require for plugin loading; expected.	ai	2026/05/22
semgrep	semgrep:eval-usage	AI (semgrep): eval in compiled bundles (body-parser, webpack); standard vendored code pattern.	ai	2026/05/22
semgrep	semgrep:base64-decode	AI (semgrep): Base64 in cacache bundle for content hashing; not a payload.	ai	2026/05/22
semgrep	semgrep:hex-decode	AI (semgrep): Hex decode in cacache for integrity checking; expected.	ai	2026/05/22
semgrep	semgrep:env-bulk-read	AI (semgrep): debug library reads process.env keys; standard config library behavior.	ai	2026/05/22
semgrep	semgrep:api-obfuscation-reflect	AI (semgrep): Reflect.get in speed-measure-webpack-plugin for plugin wrapping; legitimate.	ai	2026/05/22
semgrep	semgrep:http-module-request	AI (semgrep): HTTP request in webpack lazy-compilation-node.js is webpack's lazy compilation feature.	ai	2026/05/22
phantom-deps	phantom-dep:regenerate	AI (phantom-deps): Used via config/scripts, not direct import; stable false positive for this package.	ai	2026/05/22
phantom-deps	phantom-dep:regenerate-unicode-properties	AI (phantom-deps): Used via config/scripts; stable false positive for this package.	ai	2026/05/22
phantom-deps	phantom-dep:jest-worker	AI (phantom-deps): Used indirectly via webpack; stable false positive for this package.	ai	2026/05/22

Versions (showing 49 of 49)

Version	Deps	Published
3.5.43	8 / 152	2024-09-12
0.8.1	5 / 147	2021-04-01
0.8.0	5 / 147	2021-03-31
0.7.1	4 / 146	2021-03-23
0.7.0	4 / 146	2021-03-23
0.6.0	4 / 146	2021-03-23
0.5.0	4 / 146	2021-03-19
0.4.3	4 / 146	2021-03-16
0.4.2	4 / 146	2021-03-12
0.4.1	4 / 146	2021-03-12
0.3.3	4 / 146	2021-03-11
0.3.2	4 / 146	2021-03-11
0.3.1	4 / 146	2021-03-11
0.3.0	4 / 146	2021-03-11
0.2.34	4 / 145	2021-03-11
0.2.33	4 / 145	2021-03-11
0.2.32	4 / 145	2021-03-10
0.2.31	4 / 145	2021-03-09
0.2.30	4 / 145	2021-03-09
0.2.29	4 / 145	2021-03-08
0.2.28	4 / 145	2021-03-08
0.2.27	4 / 145	2021-03-08
0.2.26	4 / 145	2021-03-08
0.2.25	4 / 145	2021-03-08
0.2.24	4 / 145	2021-02-26
0.2.23	5 / 145	2021-02-26
0.2.22	5 / 145	2021-02-24
0.2.21	5 / 145	2021-02-24
0.2.20	5 / 137	2021-02-23
0.2.19	5 / 138	2021-02-23
0.2.18	5 / 137	2021-02-23
0.2.17	5 / 137	2021-02-23
0.2.16	5 / 136	2021-02-23
0.2.15	5 / 136	2021-02-23
0.2.14	5 / 136	2021-02-22
0.2.13	5 / 136	2021-02-22
0.2.12	5 / 134	2021-02-22
0.2.11	5 / 134	2021-02-22
0.2.10	5 / 134	2021-02-22
0.2.9	5 / 134	2021-02-22
0.2.8	5 / 134	2021-02-22
0.2.7	5 / 134	2021-02-18
0.2.6	5 / 132	2021-02-18
0.2.4	5 / 132	2021-02-18
0.2.3	5 / 132	2021-02-17
0.2.2	5 / 132	2021-02-17
0.2.1	5 / 132	2021-02-17
0.2.0	4 / 133	2021-02-17
0.1.0	4 / 101	2021-01-24

v3.5.43

5 findings

HIGH Publisher changed: sorrycc → peachscript (on 2024-09-12) provenance

This version was published by a different npm account than previous versions on 2024-09-12. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New obfuscated file: compiled/prompts/index.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH Long encoded string in modified file: compiled/webpack/5/bundle5.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH env-spread: compiled/execa/index.js:1 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/umijs/umi/blob/2e2c0089fc0483404c45867c093f24deb72a5db4/compiled/execa/index.js#L1 > 1 | module.exports=(()=>{var e={205:(e,t,r)=>{var n=r(223);var o=function(){};var i=function(e){return e.setHeader&&typeof e

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.