hotkeys-js
A simple micro-library for defining and dispatching keyboard shortcuts. It has no dependencies.
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:doc/assets/index-Ch2biG9H.js | AI (source-diff): Vite-bundled documentation asset (React+markdown); not part of runtime. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:doc/lcov-report/prettify.js | AI (source-diff): Google code-prettify from Istanbul lcov HTML report; standard coverage tooling artifact. | ai | |
| source-diff | net-exec-file:doc/assets/index-D-JlFIiP.js | AI (source-diff): fetch() is modulepreload polyfill in Vite bundle; doc asset, not runtime code. No malicious network/exec pattern. | ai | |
| source-diff | obfuscated-file:doc/assets/index-D-JlFIiP.js | AI (source-diff): Vite-bundled React documentation site asset under doc/; not a runtime file. Standard build output pattern. | ai | |
| source-diff | obfuscated-file:doc/assets/index-CEa7LRUR.js | AI (source-diff): Vite-bundled documentation site asset under doc/; contains React runtime and standard browser code. Not referenced by any package entry point. | ai | |
| source-diff | net-exec-file:doc/assets/index-CEa7LRUR.js | AI (source-diff): Browser-side modulepreload fetch in documentation bundle. Standard Vite output pattern, not server-side network/exec. | ai | |
| provenance | publisher-changed | AI (provenance): Transition from manual publishing (wcjiang) to GitHub Actions CI/CD, confirmed by SLSA provenance attestation. Same maintainer. | ai | |
| source-diff | obfuscated-file:doc/static/js/138.39666e62.chunk.js | AI (source-diff): Webpack-bundled documentation chunk (Gherkin grammar); benign minified build output. | ai | |
| source-diff | obfuscated-file:doc/static/js/0.81be4b42.chunk.js | AI (source-diff): Webpack-bundled Prism.js syntax highlighting chunks in doc/ folder; not obfuscated malicious code. | ai | |
| source-diff | obfuscated-file:doc/static/js/1.f35e8e9c.chunk.js | AI (source-diff): Webpack-bundled Prism.js syntax highlighting chunks in doc/ folder; not obfuscated malicious code. | ai | |
| source-diff | obfuscated-file:doc/static/js/120.9d7092f1.chunk.js | AI (source-diff): Webpack-bundled documentation chunk (Prism language grammars); benign minified build output. | ai | |
| source-diff | obfuscated-file:doc/static/js/121.79783e7b.chunk.js | AI (source-diff): Webpack-bundled documentation chunk (Prism language grammars); benign minified build output. | ai | |
| source-diff | obfuscated-file:doc/static/js/139.892e850c.chunk.js | AI (source-diff): Webpack-bundled documentation chunk (Gherkin grammar); benign minified build output. | ai | |
| source-diff | obfuscated-file:doc/static/js/14.93fca78b.chunk.js | AI (source-diff): Webpack-bundled documentation chunk (Apache config grammar); benign minified build output. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New files are all doc/ build artifacts (webpack chunks, source maps); package ships built documentation site. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is from bundled documentation site under doc/; no change to library runtime code. | ai | |
| source-diff | obfuscated-file:doc/assets/markdown-vendor.js | AI (source-diff): Vite-bundled vendor chunk for markdown rendering (unified/remark). Documentation asset, not runtime code. | ai | |
| source-diff | obfuscated-file:doc/assets/uiw-components.js | AI (source-diff): Vite-bundled React + uiw components vendor chunk for documentation site. Not runtime code. | ai | |
| source-diff | obfuscated-file:doc/assets/theme-vendor.js | AI (source-diff): Bundled @wcj/dark-mode component (same author) for docs site dark mode toggle. | ai | |
| source-diff | obfuscated-file:doc/assets/react-vendor.js | AI (source-diff): Vite-bundled React DOM vendor chunk for documentation site. Not runtime library code. | ai | |
| source-diff | obfuscated-file:doc/assets/index-BzXXzRfA.js | AI (source-diff): Vite-bundled documentation site asset containing React scheduler and modulepreload polyfill. Not runtime library code. | ai | |
| source-diff | net-exec-file:doc/assets/markdown-vendor.js | AI (source-diff): False positive: fetch for modulepreload + standard JS patterns in bundled markdown lib. Doc asset only. | ai | |
| source-diff | obfuscated-file:doc/static/js/main.c7223b07.chunk.js | AI (source-diff): Webpack-bundled documentation site asset under doc/static/js/; standard build output from kkt, not obfuscated malicious code. Pattern is stable for this package. | ai | |
| source-diff | obfuscated-file:doc/assets/index-BDFq7g16.js | AI (source-diff): Bundled Vite documentation site asset under doc/assets/; standard minified React app, not consumed as library code. Stable for this package. | ai | |
Versions (showing 51 of 114)
| Version | Deps | Published |
|---|---|---|
| 4.0.4 | 0 / 0 | |
| 4.0.3 | 0 / 0 | |
| 4.0.2 | 0 / 0 | |
| 4.0.1 | 0 / 0 | |
| 4.0.0 | 0 / 0 | |
| 3.13.15 | 0 / 0 | |
| 3.13.14 | 0 / 0 | |
| 3.13.13 | 0 / 0 | |
| 3.13.12 | 0 / 0 | |
| 3.13.11 | 0 / 0 | |
| 3.13.10 | 0 / 0 | |
| 3.13.9 | 0 / 0 | |
| 3.13.8 | 0 / 0 | |
| 3.13.7 | 0 / 0 | |
| 3.13.6 | 0 / 0 | |
| 3.13.5 | 0 / 0 | |
| 3.13.4 | 0 / 0 | |
| 3.13.3 | 0 / 0 | |
| 3.13.2 | 0 / 0 | |
| 3.13.1 | 0 / 0 | |
| 3.13.0 | 0 / 0 | |
| 3.12.2 | 0 / 0 | |
| 3.12.1 | 0 / 0 | |
| 3.12.0 | 0 / 0 | |
| 3.11.2 | 0 / 31 | |
| 3.11.1 | 0 / 31 | |
| 3.11.0 | 0 / 31 | |
| 3.10.4 | 0 / 31 | |
| 3.10.3 | 0 / 31 | |
| 3.10.2 | 0 / 31 | |
| 3.10.1 | 0 / 31 | |
| 3.10.0 | 0 / 31 | |
| 3.9.5 | 0 / 31 | |
| 3.9.4 | 0 / 31 | |
| 3.9.3 | 0 / 31 | |
| 3.9.2 | 0 / 31 | |
| 3.9.1 | 0 / 31 | |
| 3.9.0 | 0 / 31 | |
| 3.8.9 | 0 / 31 | |
| 3.8.8 | 0 / 30 | |
| 3.8.7 | 0 / 30 | |
| 3.8.6 | 1 / 30 | |
| 3.8.5 | 0 / 30 | |
| 3.8.4 | 0 / 30 | |
| 3.8.3 | 0 / 30 | |
| 3.8.2 | 0 / 31 | |
| 3.8.1 | 0 / 31 | |
| 3.8.0 | 0 / 31 | |
| 3.7.6 | 0 / 36 | |
| 3.7.5 | 0 / 36 | |
| 3.7.4 | 0 / 36 | |
v4.0.4
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.0.3
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.0.2
7 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.0.1
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.0.0
4 findings
This version was published by a different npm account than previous versions on 2025-12-22. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.13.15
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.13.14
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.13.13
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.13.12
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.13.11
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.13.10
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.13.9
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.13.8
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.13.7
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.13.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.13.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.13.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.13.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.13.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.13.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.13.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.12.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.12.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.12.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.11.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.11.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.11.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.9.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.9.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.9.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.9.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.9.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.9.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.8.9
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.8.8
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.8.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.8.6
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.8.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.8.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.8.3
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.8.2
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.8.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.8.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.7.6
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.7.5
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.7.4
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.