loro-crdt
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:base64/loro_wasm_bg-ec172175.js | AI (source-diff): Base64-encoded WASM binary loader; standard wasm-bindgen/wasm-pack build artifact for this package. | ai | |
| source-diff | obfuscated-file:base64/loro_wasm_bg-ca748f92.js | AI (source-diff): Base64-encoded WASM module loader; standard wasm-bindgen output pattern for this package. | ai | |
| source-diff | obfuscated-file:base64/loro_wasm_bg-a708ca02.js | AI (source-diff): Base64-encoded WASM binary loader; standard pattern for this package's wasm-bindgen build output. | ai | |
| source-diff | obfuscated-file:base64/loro_wasm_bg-ce6cdb00.js | AI (source-diff): Base64-encoded WASM module loader; long lines are the encoded binary blob, not obfuscation. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:base64/loro_wasm_bg-654bb6e4.js | AI (source-diff): Large base64-encoded WASM binary loader; standard pattern for this WASM-based CRDT package. | ai | |
| source-diff | obfuscated-file:base64/loro_wasm_bg-3774fc0f.js | AI (source-diff): WASM binary embedded as base64 in a loader file; standard pattern for this package's build output. | ai | |
| source-diff | obfuscated-file:base64/loro_wasm_bg-2aa08ebf.js | AI (source-diff): Base64-encoded WASM module loader; standard pattern for this package's inline WASM distribution. | ai | |
| source-diff | obfuscated-file:base64/loro_wasm_bg-4c5f8b02.js | AI (source-diff): Base64-encoded WASM bundle is the documented build artifact for this package; long lines are expected. | ai | |
| source-diff | obfuscated-file:base64/loro_wasm_bg-6c4ca318.js | AI (source-diff): Base64-encoded WASM binary loader; standard pattern for this WASM-based CRDT package. | ai | |
| source-diff | obfuscated-file:base64/loro_wasm_bg-512df4ec.js | AI (source-diff): Base64-encoded WASM binary loader; standard wasm-pack/wasm-bindgen output for this package. | ai | |
| source-diff | obfuscated-file:base64/loro_wasm_bg-467afd22.js | AI (source-diff): Base64-encoded WASM binary loader; standard pattern for this WASM-based CRDT package across versions. | ai | |
| source-diff | obfuscated-file:base64/loro_wasm_bg-9c95de7e.js | AI (source-diff): Base64-encoded WASM binary loader; standard wasm-bindgen output, not obfuscation. | ai | |
| source-diff | obfuscated-file:base64/loro_wasm_bg-afebbb87.js | AI (source-diff): Long-line file is a base64-encoded wasm binary loader; standard wasm-bindgen output, not obfuscation. | ai | |
| source-diff | obfuscated-file:base64/loro_wasm_bg-a4a986e3.js | AI (source-diff): Base64-encoded WASM binary with standard loader; expected pattern for wasm-bindgen packages. | ai | |
| source-diff | obfuscated-file:base64/loro_wasm_bg-8058cd67.js | AI (source-diff): Base64-encoded WASM binary loader; standard wasm-bindgen output pattern for this package. | ai | |
| source-diff | obfuscated-file:base64/loro_wasm_bg-90680301.js | AI (source-diff): Base64-encoded WASM binary loader; standard wasm-bindgen output for this WASM/CRDT package. | ai | |
| source-diff | obfuscated-file:base64/loro_wasm_bg-f48ca64a.js | AI (source-diff): Base64-encoded WASM binary loader; standard pattern for this WASM-based CRDT package. | ai | |
| source-diff | encoded-string-file:base64/index.js | AI (source-diff): The long base64 string is the embedded WebAssembly binary for the Rust CRDT engine — standard practice for wasm-pack/wasm-bindgen packages that bundle the WASM binary as base64. | ai | |
| semgrep | semgrep:toplevel-fetch | AI (semgrep): fetch() is used to load the WASM binary via WebAssembly.instantiateStreaming() — standard WASM module loading pattern in loro-crdt's bundler glue code, not telemetry or exfiltration. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() in wasm-bindgen generated code is a known pattern for creating JS functions from WASM memory; not arbitrary code execution risk in this context. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get() is standard wasm-bindgen generated glue code for bridging JS and WASM objects; not obfuscation. Stable pattern across all loro-crdt versions. | ai |
Versions (showing 38 of 38)
| Version | Deps | Published |
|---|---|---|
| 1.12.1 | 0 / 22 | |
| 1.12.0 | 0 / 22 | |
| 1.11.1 | 0 / 22 | |
| 1.11.0 | 0 / 22 | |
| 1.10.8 | 0 / 22 | |
| 1.10.7 | 0 / 22 | |
| 1.10.6 | 0 / 22 | |
| 1.10.5 | 0 / 22 | |
| 1.10.4 | 0 / 22 | |
| 1.10.3 | 0 / 22 | |
| 1.10.2 | 0 / 22 | |
| 1.10.1 | 0 / 22 | |
| 1.10.0 | 0 / 22 | |
| 1.9.0 | 0 / 22 | |
| 1.8.9 | 0 / 23 | |
| 1.8.8 | 0 / 23 | |
| 1.8.7 | 0 / 23 | |
| 1.8.6 | 0 / 23 | |
| 1.8.5 | 0 / 23 | |
| 1.8.4 | 0 / 23 | |
| 1.8.3 | 0 / 23 | |
| 1.8.2 | 0 / 23 | |
| 1.8.1 | 0 / 23 | |
| 1.8.0 | 0 / 23 | |
| 1.7.3 | 0 / 23 | |
| 1.7.2 | 0 / 23 | |
| 1.7.1 | 0 / 23 | |
| 1.7.0 | 0 / 23 | |
| 1.6.0 | 0 / 23 | |
| 1.5.13 | 0 / 23 | |
| 1.5.12 | 0 / 23 | |
| 1.5.11 | 0 / 23 | |
| 1.5.10 | 0 / 23 | |
| 1.5.9 | 0 / 23 | |
| 1.5.8 | 0 / 23 | |
| 1.5.7 | 0 / 23 | |
| 1.5.6 | 0 / 23 | |
| 1.5.5 | 0 / 20 |
v1.12.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.12.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.11.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.11.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.10.8
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.10.7
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.10.6
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.10.5
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.10.4
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.10.3
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.10.2
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.10.1
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.10.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.9.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.8.9
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.8.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.3
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.2
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.1
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.3
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.2
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.1
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.13
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.12
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.11
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.10
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.9
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.8
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.7
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.6
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.