@unocss/inspector
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/client/assets/index-ByEwpSde.js | AI (source-diff): Vite-bundled minified client SPA assets; expected for this inspector UI package. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Monorepo release cadence; publisher antfu is highly trusted with SLSA provenance. | ai | |
| source-diff | net-exec-file:dist/client/assets/index-ByEwpSde.js | AI (source-diff): Browser fetch() for Vite modulepreload; not server-side exfiltration. | ai | |
| source-diff | obfuscated-file:dist/client/assets/_id_-CtmeWPdG.js | AI (source-diff): Vite-bundled minified client SPA assets; expected for this inspector UI package. | ai | |
| source-diff | obfuscated-file:dist/client/assets/_id_-B5f0FCLw.js | AI (source-diff): Vite-bundled client SPA chunk; minification is expected for browser assets. | ai | |
| source-diff | obfuscated-file:dist/client/assets/index-Baiadteo.js | AI (source-diff): Vite-bundled client SPA entry; minification is expected for browser assets. | ai | |
| source-diff | net-exec-file:dist/client/assets/index-Baiadteo.js | AI (source-diff): Browser-side fetch for modulepreload in Vite SPA bundle; not server-side exfil. | ai | |
| source-diff | net-exec-file:dist/client/assets/index-JjKgwI2w.js | AI (source-diff): Browser-side fetch + modulepreload in Vite bundle; not server-side dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/client/assets/_id_-CiHreCiF.js | AI (source-diff): Vite-bundled client SPA asset; minification is expected for this package. | ai | |
| source-diff | obfuscated-file:dist/client/assets/index-JjKgwI2w.js | AI (source-diff): Vite-bundled client SPA asset; minification is expected for this package. | ai | |
| source-diff | obfuscated-file:dist/client/assets/_id_-Ido4yHB-.js | AI (source-diff): Vite-bundled browser client assets; minification expected for this package's inspector UI. | ai | |
| source-diff | obfuscated-file:dist/client/assets/index-DuJyx2-I.js | AI (source-diff): Vite-bundled browser client assets; minification expected for this package's inspector UI. | ai | |
| publish-pattern | rapid-publish | AI (publish-pattern): Monorepo CI publishes multiple packages in quick succession; stable pattern for unocss. | ai | |
| source-diff | net-exec-file:dist/client/assets/index-QTJOhmAn.js | AI (source-diff): Network+exec pattern is the Vite modulepreload polyfill (fetch for preloading, DOM manipulation for link injection). Standard Vite runtime, not malware. | ai | |
| source-diff | obfuscated-file:dist/client/assets/index-QTJOhmAn.js | AI (source-diff): Standard Vite-bundled client asset for the UnoCSS inspector UI. Minified frontend bundles are expected for this browser-based tool. | ai | |
| source-diff | obfuscated-file:dist/client/assets/_id_-DKhTag5g.js | AI (source-diff): Standard Vite-bundled client asset for the UnoCSS inspector UI. Minified frontend bundles are expected for this browser-based tool. | ai | |
| phantom-deps | phantom-dep:vue-flow-layout | AI (phantom-deps): vue-flow-layout is a declared runtime dep consumed by the Vite-built inspector UI; it's bundled into dist rather than directly imported in source, making the phantom-dep finding a stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:colorette | AI (phantom-deps): colorette is explicitly declared as a runtime dependency in package.json; the phantom-dep finding is a false positive for this package. | ai | |
Versions (showing 23 of 23)
| Version | Deps | Published |
|---|---|---|
| 66.7.0 | 5 / 2 | |
| 66.6.8 | 5 / 2 | |
| 66.6.7 | 5 / 2 | |
| 66.6.6 | 5 / 2 | |
| 66.6.5 | 5 / 2 | |
| 66.6.4 | 5 / 2 | |
| 66.6.3 | 5 / 2 | |
| 66.6.2 | 5 / 2 | |
| 66.6.1 | 5 / 2 | |
| 66.6.0 | 6 / 1 | |
| 66.5.12 | 6 / 1 | |
| 66.5.10 | 6 / 1 | |
| 66.5.9 | 6 / 1 | |
| 66.5.7 | 6 / 1 | |
| 66.5.6 | 6 / 1 | |
| 66.5.5 | 6 / 1 | |
| 66.4.0 | 6 / 0 | |
| 66.2.0 | 6 / 0 | |
| 66.1.4 | 6 / 0 | |
| 66.1.3 | 6 / 0 | |
| 66.1.2 | 6 / 0 | |
| 66.1.1 | 6 / 0 | |
| 66.1.0 | 6 / 0 | |
v66.7.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v66.6.8
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v66.6.7
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v66.6.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v66.6.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v66.6.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v66.6.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v66.6.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v66.6.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v66.6.0
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v66.5.12
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v66.5.10
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v66.5.9
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v66.5.7
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v66.5.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v66.5.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v66.4.0
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v66.2.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v66.1.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v66.1.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v66.1.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v66.1.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v66.1.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.