@voidzero-dev/vite-plus-core
The Unified Toolchain for the Web
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/tsdown/dist-wWM45aJq.js | AI (source-diff): Bundled build output from tsdown; long lines from minification, not obfuscation. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Package bundles vite+rolldown+tsdown; large dist is expected and file count varies with chunk hashes. | ai | |
| source-diff | encoded-string-file:dist/vite/node/chunks/build.js | AI (source-diff): WebAssembly modules (xxhash64, etc.) encoded as base64 — standard for bundled hash implementations. | ai | |
| source-diff | obfuscated-file:dist/rolldown/shared/rolldown-build-CgMNHFY3.mjs | AI (source-diff): Bundled rolldown build module; minified output standard for this package. | ai | |
| source-diff | obfuscated-file:dist/rolldown/shared/prompt-DV1XbtjC.mjs | AI (source-diff): Bundled consola prompt module; minified but readable, not obfuscated. | ai | |
| source-diff | net-exec-file:dist/tsdown/dist-wWM45aJq.js | AI (source-diff): Build tool legitimately uses child_process (fork/spawn) and network APIs for dev server. | ai | |
| source-diff | net-exec-file:dist/tsdown/dist-DTzJRoOQ.js | AI (source-diff): Build tool legitimately uses child_process (fork/spawn) and network APIs. | ai | |
| source-diff | obfuscated-file:dist/tsdown/dist-DTzJRoOQ.js | AI (source-diff): Bundled build output from tsdown; long lines are minified vendor code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/tsdown/dist-DL4hnQY2.js | AI (source-diff): Bundled build output from tsdown; minified but not obfuscated. Stable for this package. | ai | |
| source-diff | net-exec-file:dist/tsdown/dist-DL4hnQY2.js | AI (source-diff): Build tool legitimately uses child_process (fork/spawn) and network; not malicious. | ai | |
| source-diff | obfuscated-file:dist/rolldown/shared/rolldown-build-DrXmg2RO.mjs | AI (source-diff): Bundled rolldown build output; long lines from minification, not obfuscation. | ai | |
| source-diff | encoded-string-file:dist/vite/node/chunks/dist.js | AI (source-diff): HTML entity decode trie (entities package) and WASM binary — standard bundled data. | ai | |
| source-diff | obfuscated-file:dist/tsdown/dist-CtF_Stv5.js | AI (source-diff): File is minified build output of tsdown bundler — readable imports, standard sourcemap codec, no obfuscation. Expected artifact for a build toolchain package. | ai | |
| source-diff | net-exec-file:dist/tsdown/dist-CtF_Stv5.js | AI (source-diff): Network and child_process usage is expected in a build tool (Vite dev server + TypeScript compiler invocation). No dropper/loader patterns in the sample. | ai | |
| source-diff | obfuscated-file:dist/rolldown/shared/rolldown-build-CYoDea9V.mjs | AI (source-diff): Bundled rolldown distribution file. Minified lines are expected bundler output for rolldown internals. Not malicious obfuscation. | ai | |
| source-diff | net-exec-file:dist/tsdown/dist-CY3M22aR.js | AI (source-diff): Network+exec pattern comes from build tooling (fork/spawn child processes for compilation, fs reads). This is expected behavior for a build toolchain package, not dropper malware. | ai | |
| source-diff | obfuscated-file:dist/tsdown/dist-CY3M22aR.js | AI (source-diff): This is bundled/minified build tool output (tsdown integration). Long lines are expected in bundled dist files for this build toolchain package. | ai | |
| source-diff | obfuscated-file:dist/tsdown/dist-dJp148cE.js | AI (source-diff): This is a bundled build artifact from tsdown/rolldown with content-hash filename. The sample shows readable, legitimate build-tool code — not obfuscation. Pattern is stable for this package. | ai | |
| source-diff | net-exec-file:dist/tsdown/dist-dJp148cE.js | AI (source-diff): fork/spawn usage is expected in a TypeScript build toolchain (tsdown). Network + process execution is the core functionality of a build tool, not malware. SLSA provenance confirms legitimate CI publish. | ai | |
| source-diff | encoded-string-file:dist/vite/node/chunks/build2.js | AI (source-diff): Long encoded strings are Base64-encoded WebAssembly binaries (xxhash64 from loader-utils) bundled into the dist output — a standard and legitimate pattern for WASM embedding. | ai | |
| source-diff | encoded-string-file:dist/vite/node/chunks/node.js | AI (source-diff): Long encoded string is a Base64-encoded WebAssembly binary (CSS/JS parser) bundled into dist output — standard WASM embedding pattern used by build tools like lightningcss. | ai | |
| source-diff | obfuscated-file:dist/tsdown/dist-DSi2MWPQ.js | AI (source-diff): Large bundled build artifact from tsdown bundler; content is readable minified JS with standard imports, not obfuscation. Expected for a build tool package. | ai | |
| source-diff | net-exec-file:dist/tsdown/dist-DSi2MWPQ.js | AI (source-diff): fork/spawn usage is for TypeScript compilation orchestration in a build tool; network calls are standard toolchain operations. No malicious dropper pattern present. | ai | |
| bogus-package | bogus-package | AI (bogus-package): yyx990803 flag is a false positive for this legitimate VoidZero/Vite ecosystem package with SLSA provenance and official GitHub repo. | ai |
Versions (showing 100 of 120)
v0.1.23
6 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.22
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.21
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.20
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.19
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.18
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.17
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.16
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.15
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.14
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.13
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.12
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.10
3 findingsModified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.8
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.