kissy
KISSY
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:build/meta.js | AI (source-diff): KISSY is a UI framework that ships minified build artifacts; long lines in build/ are standard minification, not obfuscation. | ai | |
| source-diff | obfuscated-file:build/gregorian-calendar.js | AI (source-diff): Minified build artifact of KISSY's gregorian-calendar module; legitimate framework output. | ai | |
| source-diff | obfuscated-file:build/gregorian-calendar-format.js | AI (source-diff): Minified build artifact of KISSY's gregorian-calendar-format module; legitimate framework output. | ai | |
| source-diff | obfuscated-file:build/modulex.js | AI (source-diff): Minified build of the modulex module loader, a core KISSY component with MIT license header and 2014 build timestamp. | ai | |
| source-diff | net-exec-file:build/modulex-debug.js | AI (source-diff): modulex-debug.js is the debug build of KISSY's module loader; network+exec pattern is inherent to any AMD/CommonJS loader. | ai | |
| source-diff | net-exec-file:build/modulex.js | AI (source-diff): modulex.js is the minified module loader; network+exec pattern is inherent to any AMD/CommonJS loader, not malicious. | ai | |
| source-diff | obfuscated-file:build/navigation-view.js | AI (source-diff): Minified build artifact of KISSY's navigation-view module; legitimate framework output. | ai | |
| source-diff | obfuscated-file:build/event-custom.js | AI (source-diff): Minified build artifact of KISSY's event-custom module; legitimate framework output. | ai | |
| source-diff | obfuscated-file:build/editor.js | AI (source-diff): Minified build artifact of KISSY's editor module; legitimate framework output. | ai | |
| source-diff | obfuscated-file:build/promise-standalone.js | AI (source-diff): Minified build artifact of KISSY's promise-standalone module; legitimate framework output. | ai | |
| source-diff | obfuscated-file:build/query-selector-standalone.js | AI (source-diff): Minified build artifact of KISSY's query-selector-standalone module; legitimate framework output. | ai | |
| source-diff | obfuscated-file:build/query-selector.js | AI (source-diff): Minified build artifact of KISSY's query-selector module; legitimate framework output. | ai | |
| source-diff | obfuscated-file:build/date-picker.js | AI (source-diff): Minified build artifact of KISSY's date-picker module; legitimate framework output. | ai | |
| source-diff | large-new-source-files | AI (source-diff): KISSY 5.0.0 is a major version of a comprehensive UI framework; 136 new build files is expected for a full framework release. | ai | |
| provenance | no-provenance | AI (provenance): KISSY is a long-established package (4944 days old); lack of Sigstore provenance is acceptable for this ecosystem-trusted package. | ai | |
Versions (showing 12 of 12)
| Version | Deps | Published |
|---|---|---|
| 5.0.2 | 0 / 1 | |
| 5.0.1 | 0 / 1 | |
| 5.0.0 | 0 / 1 | |
| 1.4.8 | 4 / 3 | |
| 1.4.7 | 4 / 3 | |
| 1.4.4 | 4 / 3 | |
| 1.4.3 | 4 / 3 | |
| 1.4.2 | 4 / 3 | |
| 1.3.2 | 3 / 3 | |
| 1.3.1 | 3 / 3 | |
| 0.1.1 | 4 / 0 | |
| 0.1.0 | 4 / 0 | |
v5.0.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.1
14 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.0
14 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.