@voidzero-dev/vite-plus-test

The Unified Toolchain for the Web

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

yyx990803vitebotbroooooklynboshen

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:obug	AI (dependencies): obug is a debugging utility; expected in a test framework package. No security concern.	ai	2026/04/27
dependencies	unvetted-dep:@types/chai	AI (dependencies): @types/chai is the standard TypeScript types for chai assertions; entirely expected in a test framework.	ai	2026/04/27
npm-metadata	no-description	AI (npm-metadata): VoidZero automated build package; missing description is a metadata gap, not a security signal given 260k downloads and 117 versions.	ai	2026/04/27
phantom-deps	phantom-dep:tinyexec	AI (phantom-deps): Bundled test framework re-exports deps to consumers; phantom detection is expected for this package type.	ai	2026/04/23
phantom-deps	phantom-dep:tinybench	AI (phantom-deps): Bundled test framework re-exports deps to consumers; phantom detection is expected for this package type.	ai	2026/04/23
phantom-deps	phantom-dep:es-module-lexer	AI (phantom-deps): Bundled test framework re-exports deps to consumers; phantom detection is expected for this package type.	ai	2026/04/23
phantom-deps	phantom-dep:tinyglobby	AI (phantom-deps): Bundled test framework re-exports deps to consumers; phantom detection is expected for this package type.	ai	2026/04/23
phantom-deps	phantom-dep:@types/chai	AI (phantom-deps): TypeScript type package used by framework consumers; phantom detection is a known false positive for this pattern.	ai	2026/04/23
phantom-deps	phantom-dep:pixelmatch	AI (phantom-deps): Bundled test framework re-exports deps to consumers; phantom detection is expected for this package type.	ai	2026/04/23
bogus-package	bogus-package	AI (bogus-package): The spam-publisher signal fires on yyx990803 (Evan You, Vue/Vite creator) and vitebot (official Vite automation bot) — both are highly legitimate npm publishers. False positive for this package.	ai	2026/04/23
phantom-deps	phantom-dep:obug	AI (phantom-deps): Bundled test framework re-exports deps to consumers; phantom detection is expected for this package type.	ai	2026/04/23

Versions (showing 100 of 118)

Hide prereleases

Version	Deps	Published
0.1.21	13 / 28	2026-05-13
0.1.20	13 / 28	2026-04-29
0.1.19	13 / 28	2026-04-21
0.1.18	13 / 28	2026-04-15
0.1.17	13 / 28	2026-04-15
0.1.16	13 / 28	2026-04-06
0.1.15	13 / 28	2026-03-31
0.1.14	13 / 28	2026-03-24
0.1.13	13 / 28	2026-03-20
0.1.12	13 / 28	2026-03-16
0.1.11	13 / 28	2026-03-13
0.1.10	13 / 28	2026-03-13
0.1.9	13 / 26	2026-03-12
0.1.8	13 / 26	2026-03-12
0.1.7	13 / 26	2026-03-11
0.1.6	13 / 26	2026-03-11
0.1.5	13 / 26	2026-03-10
0.1.4	13 / 26	2026-03-10
0.1.3	13 / 26	2026-03-10
0.1.2	13 / 26	2026-03-09
0.1.1	13 / 26	2026-03-06
0.1.0	13 / 26	2026-03-06
0.1.20-alpha.1	13 / 28	2026-04-23
0.1.20-alpha.0	13 / 28	2026-04-22
0.1.19-alpha.3	13 / 28	2026-04-21
0.1.19-alpha.2	13 / 28	2026-04-19
0.1.19-alpha.1	13 / 28	2026-04-18
0.1.19-alpha.0	13 / 28	2026-04-16
0.1.18-alpha.0	13 / 28	2026-04-15
0.1.17-alpha.5	13 / 28	2026-04-14
0.1.17-alpha.4	13 / 28	2026-04-13
0.1.17-alpha.3	13 / 28	2026-04-12
0.1.17-alpha.2	13 / 28	2026-04-11
0.1.17-alpha.1	13 / 28	2026-04-08
0.1.17-alpha.0	13 / 28	2026-04-08
0.1.16-alpha.4	13 / 28	2026-04-06
0.1.16-alpha.3	13 / 28	2026-04-04
0.1.16-alpha.2	13 / 28	2026-04-03
0.1.16-alpha.1	13 / 28	2026-04-03
0.1.16-alpha.0	13 / 28	2026-04-02
0.1.15-alpha.7	13 / 28	2026-03-31
0.1.15-alpha.6	13 / 28	2026-03-30
0.1.15-alpha.5	13 / 28	2026-03-28
0.1.15-alpha.4	13 / 28	2026-03-28
0.1.15-alpha.3	13 / 28	2026-03-28
0.1.15-alpha.2	13 / 28	2026-03-27
0.1.15-alpha.1	13 / 28	2026-03-26
0.1.15-alpha.0	13 / 28	2026-03-25
0.1.14-alpha.3	13 / 28	2026-03-24
0.1.14-alpha.2	13 / 28	2026-03-24
0.1.14-alpha.1	13 / 28	2026-03-24
0.1.14-alpha.0	13 / 28	2026-03-23
0.1.13-alpha.5	13 / 28	2026-03-20
0.1.13-alpha.4	13 / 28	2026-03-19
0.1.13-alpha.3	13 / 28	2026-03-18
0.1.13-alpha.2	13 / 28	2026-03-18
0.1.13-alpha.1	13 / 28	2026-03-17
0.1.13-alpha.0	13 / 28	2026-03-17
0.1.12-alpha.2	13 / 28	2026-03-16
0.1.12-alpha.1	13 / 28	2026-03-15
0.1.5-alpha.0	13 / 26	2026-03-10
0.1.1-alpha.0	13 / 26	2026-03-06
0.1.0-alpha.0	13 / 26	2026-03-06
0.0.2-gd8fe16bf.20260302-1535	13 / 26	2026-03-02
0.0.2-ga54d12e6.20260302-0503	13 / 26	2026-03-02
0.0.2-g9a3a310d.20260303-0757	13 / 26	2026-03-03
0.0.2-g5d96ecf4.20260228-1157	13 / 26	2026-02-28
0.0.2-g3cb78c3c.20260305-0800	13 / 26	2026-03-05
0.0.2-g17a37daf.20260304-1136	13 / 26	2026-03-04
0.0.0-gd42e0ca6.20260225-0619	13 / 26	2026-02-25
0.0.0-gbe8891a5.20260227-1615	13 / 26	2026-02-27
0.0.0-g999c5046.20260226-1450	13 / 26	2026-02-26
0.0.0-g61d318d2.20260227-0939	13 / 26	2026-02-27
0.0.0-g52709db6.20260226-1136	13 / 26	2026-02-26
0.0.0-g28c55a1f.20260226-0707	13 / 26	2026-02-26
0.0.0-g0fd4d06d.20260225-1306	13 / 26	2026-02-25
0.0.0-ffb4d08a8edafe855c59736c0a38ee85a2373ebb	13 / 26	2026-01-26
0.0.0-f8668d9f60293be54f0729bc91ad614ba861cd97	13 / 26	2026-01-31
0.0.0-f74442ad.20260222-0755	13 / 26	2026-02-22
0.0.0-f48af939.20260205-0533	13 / 26	2026-02-05
0.0.0-ecd77118cbba8f0cb5fe091af0f6c7e14bf38261	13 / 26	2026-02-02
0.0.0-e8feafb8f8a08d271fb227752fbda933a3dfadfc	13 / 26	2026-02-02
0.0.0-e7cbd08c.20260221-0702	13 / 26	2026-02-21
0.0.0-e72bfc225443d870e54915e93033c0a0e3668e04	13 / 26	2026-01-31
0.0.0-e32b32e5.20260224-0706	13 / 26	2026-02-24
0.0.0-dfd5c99899261c54d5b19dceaa831fab310d6171	13 / 26	2026-01-28
0.0.0-de8bd982.20260205-1433	13 / 26	2026-02-05
0.0.0-c878a19a.20260205-0605	13 / 26	2026-02-05
0.0.0-c8731b7ca8cddc6c6902e84dbac920cd584d6458	13 / 26	2026-02-04
0.0.0-c73461a6e273ac5538a5d633d30d37e0afc1f56a	13 / 26	2026-01-30
0.0.0-c4fc6a94f8d46492352a7c1b416c35d9c603cb23	13 / 26	2026-01-31
0.0.0-bd0a60d54878156c05bcd110ac4351d7e40f6bd6	13 / 26	2026-02-03
0.0.0-b356849c.20260207-0631	13 / 26	2026-02-07
0.0.0-b19dc2a6.20260221-1545	13 / 26	2026-02-21
0.0.0-b1666489.20260220-0254	13 / 26	2026-02-20
0.0.0-ae9e260ac1617d0a3acea0ff37239f6ff1acf8c3	13 / 26	2026-01-31
0.0.0-ab0b0858cb619f270f5e0a698fea3d6f5622a761	12 / 25	2026-01-15
0.0.0-a9c652c5753d93f1945ac33b16422f345b518ae9	12 / 25	2026-01-15
0.0.0-9f9a209dd123932614c8b5a568375a002e34562b	12 / 26	2026-01-21
0.0.0-91760c610b90942004781cb282ea529bec781486	13 / 26	2026-01-31

Showing 100 of 118 Next page →

v0.1.21

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.20

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.19

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.18

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.17

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.16

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.15

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.14

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.13

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.12

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.11

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.10

8 findings

HIGH New obfuscated file: dist/chunks/acorn.B2iPLyUM.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/chunks/cac.CWGDZnXT.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/@vitest/browser/index-5Pe7X7sp.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/index-5Pe7X7sp.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/@vitest/browser/client/__vitest__/assets/index-Di71CKDo.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/client/__vitest__/assets/index-Di71CKDo.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH Long encoded string in modified file: dist/@vitest/mocker/chunk-automock.js source-diff

Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.9

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.8

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.7

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.6

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.