← Home

@zuzjs/ui

npm Repository Homepage

ZuzJS UI Library

11
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

zuzpk

Keywords

reactzuzzuz.jszuz uizuzui

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff obfuscated-file:dist/devtools.js AI (source-diff): ESM counterpart of devtools.cjs; same readable React bundle pattern. ai
source-diff obfuscated-file:dist/devtools.cjs AI (source-diff): Bundled devtools React component; samples show plain JSX and component definitions. ai
source-diff obfuscated-file:dist/bin.js AI (source-diff): Standard bundler minification; same CLI logic as bin.cjs, no obfuscation. ai
source-diff obfuscated-file:dist/index.cjs AI (source-diff): Standard rollup CJS bundle; sample shows readable React UI component definitions. ai
source-diff obfuscated-file:dist/bin.cjs AI (source-diff): Standard rollup bundle output; sample shows readable CLI/ts-morph code, not obfuscation. ai
source-diff obfuscated-file:dist/index.d.cts AI (source-diff): TypeScript declaration file with long lines; not obfuscated, just concatenated type exports. ai
source-diff obfuscated-file:dist/index.js AI (source-diff): Standard rollup ESM bundle; sample shows readable React UI component definitions. ai
source-diff obfuscated-file:dist/index.d.ts AI (source-diff): TypeScript declaration file with long lines; not obfuscated, just concatenated type exports. ai
phantom-deps phantom-dep:md5 AI (phantom-deps): Used transitively via @zuzjs/core; stable false positive for this package. ai
phantom-deps phantom-dep:moment AI (phantom-deps): Declared peer/optional dep; stable false positive for this package. ai
phantom-deps phantom-dep:nanoid AI (phantom-deps): Used via bundled internals; stable false positive for this package. ai
phantom-deps phantom-dep:js-cookie AI (phantom-deps): Declared dep used in bundled output; stable false positive for this package. ai
typosquat typosquat.levenshtein:pg AI (typosquat): Scoped React UI library; name similarity to pg is coincidental, not impersonation. ai
typosquat typosquat.levenshtein:joi AI (typosquat): Scoped React UI library; name similarity to joi is coincidental, not impersonation. ai
typosquat typosquat.levenshtein:yup AI (typosquat): Scoped React UI library; name similarity to yup is coincidental, not impersonation. ai
phantom-deps phantom-dep:sass AI (phantom-deps): Used in dev scripts for SCSS compilation; not directly imported in JS. ai
phantom-deps phantom-dep:react-dom AI (phantom-deps): Peer/runtime dep for React UI library; loaded by convention, not direct import. ai
phantom-deps phantom-dep:@types/md5 AI (phantom-deps): Type-only package; loaded by TypeScript convention, not direct import. ai
phantom-deps phantom-dep:@types/react AI (phantom-deps): Type-only package; loaded by TypeScript convention, not direct import. ai
phantom-deps phantom-dep:@types/react-dom AI (phantom-deps): Type-only package; loaded by TypeScript convention, not direct import. ai
typosquat typosquat.levenshtein:qs AI (typosquat): Scoped React UI library; name similarity to qs is coincidental, not impersonation. ai
typosquat typosquat.levenshtein:uuid AI (typosquat): Scoped React UI library; name similarity to uuid is coincidental, not impersonation. ai

Versions (showing 11 of 117)

Version Deps Published
0.10.9 12 / 0
0.10.8 12 / 0
0.10.6 16 / 0
0.10.5 16 / 0
0.10.4 16 / 0
0.10.3 16 / 0
0.10.2 16 / 0
0.10.1 16 / 3
0.10.0 16 / 3
0.9.82 16 / 3
0.9.8 16 / 3

v0.10.9

6 findings
HIGH New obfuscated file: dist/bin.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/index.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/index.d.cts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/index.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/index.d.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.8

6 findings
HIGH New obfuscated file: dist/bin.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/index.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/index.d.cts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/index.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/index.d.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.6

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.10.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.10.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.10.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.10.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.10.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.10.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.82

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.8

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.