react-grab
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/renderer-puf6Gpb_.cjs | AI (source-diff): Minified CJS renderer with canvas overlay logic; expected UI code. | ai | |
| source-diff | obfuscated-file:dist/freeze-updates-ChIziz9m.cjs | AI (source-diff): Minified CJS utility module; no suspicious code patterns. | ai | |
| source-diff | obfuscated-file:dist/action-shortcuts-BztPIKdU.cjs | AI (source-diff): Standard minified build output from Vite bundler; no suspicious payloads. | ai | |
| source-diff | obfuscated-file:dist/core-Cd7_ihg6.cjs | AI (source-diff): Minified CJS bundle with Tailwind CSS; expected for this package. | ai | |
| source-diff | obfuscated-file:dist/copy-content-Hsz6ztMp.cjs | AI (source-diff): Standard minified build output from Vite bundler; no suspicious payloads. | ai | |
| source-diff | obfuscated-file:dist/renderer-EopTET-v.js | AI (source-diff): Minified ESM renderer module; expected UI rendering code. | ai | |
| source-diff | obfuscated-file:dist/freeze-updates-CySb0enj.js | AI (source-diff): Minified ESM utility module; no suspicious patterns. | ai | |
| source-diff | obfuscated-file:dist/core-DWIh9fJK.js | AI (source-diff): Minified ESM core bundle with Tailwind CSS; expected. | ai | |
| source-diff | obfuscated-file:dist/copy-content-f6wWC1g-.js | AI (source-diff): Minified ESM build output; CSS selector utilities. | ai | |
| source-diff | obfuscated-file:dist/action-shortcuts-nFfkkwpP.js | AI (source-diff): Minified ESM build output; SolidJS reactivity primitives. | ai | |
| source-diff | obfuscated-file:dist/core-CBUFmwfx.cjs | AI (source-diff): Minified build output; stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/core-Bs0wekHY.cjs | AI (source-diff): Minified build output; stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/core-Dq-CCsij.cjs | AI (source-diff): Minified build output; stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/core-ESHKG2mL.cjs | AI (source-diff): Minified build output; stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/core-B3ndcALq.cjs | AI (source-diff): Minified build output with Tailwind CSS; standard bundler artifact for this package. | ai | |
| source-diff | obfuscated-file:dist/freeze-updates-DIgqzJcF.js | AI (source-diff): Minified Vite bundle output with MIT header; standard for this package's dist build. | ai | |
| source-diff | obfuscated-file:dist/renderer-DGn1QbMT.js | AI (source-diff): Minified Vite bundle output with MIT header; standard for this package's dist build. | ai | |
| provenance | publisher-changed | AI (provenance): Transition from personal account to GitHub Actions CI/CD; SLSA provenance confirms legitimacy. | ai | |
| source-diff | source-size-dropped | AI (source-diff): Expected from switching to bundled dist output format. | ai | |
| source-diff | obfuscated-file:dist/core-Bd0AYFSu.cjs | AI (source-diff): Minified Vite bundle output with MIT header; standard for this package's dist build. | ai | |
| source-diff | obfuscated-file:dist/action-shortcuts-C3Lo_oVg.cjs | AI (source-diff): Minified Vite bundle output with MIT header; standard for this package's dist build. | ai | |
| source-diff | obfuscated-file:dist/freeze-updates-B0BCqj6P.cjs | AI (source-diff): Minified Vite bundle output with MIT header; standard for this package's dist build. | ai | |
| source-diff | obfuscated-file:dist/renderer-Brml15NI.cjs | AI (source-diff): Minified Vite bundle output with MIT header; standard for this package's dist build. | ai | |
| source-diff | obfuscated-file:dist/action-shortcuts-C5Ye19VB.js | AI (source-diff): Minified Vite bundle output with MIT header; standard for this package's dist build. | ai | |
| source-diff | obfuscated-file:dist/core-ObBy_feX.js | AI (source-diff): Minified Vite bundle output with MIT header; standard for this package's dist build. | ai | |
| source-diff | obfuscated-file:dist/core-2kA4yIHB.cjs | AI (source-diff): Bundled dist output with inlined Tailwind CSS, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/core-_Ut8nVXD.cjs | AI (source-diff): Bundled dist output with inlined Tailwind CSS, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/core-_XahIp30.cjs | AI (source-diff): Bundled dist output with inlined Tailwind CSS, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/core-0Pffrd0M.cjs | AI (source-diff): Bundled dist output with inlined Tailwind CSS, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/core-0sNUYnh0.cjs | AI (source-diff): Bundled dist output with inlined Tailwind CSS, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/core-0VmUn5X3.cjs | AI (source-diff): Bundled dist output with inlined Tailwind CSS, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/core-1G9v1bua.cjs | AI (source-diff): Bundled dist output with inlined Tailwind CSS, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/core-1GWqxAHe.cjs | AI (source-diff): Bundled dist output with inlined Tailwind CSS, not obfuscation. | ai | |
| phantom-deps | phantom-dep:@react-grab/cli | AI (phantom-deps): Companion CLI package by the same author; declared as bin dependency. | ai | |
| phantom-deps | phantom-dep:bippy | AI (phantom-deps): bippy is the author's own lib; likely imported in dist bundles not scanned by phantom-dep heuristic. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): solid-js is an established framework; addition is consistent with the package's documented Solid.js integration. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Inlined Tailwind CSS and multiple framework entry points explain the size increase. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Multi-framework dist build with CJS+ESM chunks; expected for this package. | ai | |
| source-diff | obfuscated-file:dist/react.cjs | AI (source-diff): Standard tsup/esbuild bundle output with readable structure and MIT license header; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/react.js | AI (source-diff): Standard tsup/esbuild bundle output with readable structure and MIT license header; not malicious obfuscation. | ai | |
| phantom-deps | phantom-dep:solid-js | AI (phantom-deps): solid-js is a declared runtime dependency; used in UI components compiled via babel-preset-solid. | ai | |
| source-diff | obfuscated-file:dist/cli.cjs | AI (source-diff): Minified CLI bundle output from tsup; matches bin entry in package.json; no obfuscation, just standard bundler minification. | ai | |
| phantom-deps | phantom-dep:modern-screenshot | AI (phantom-deps): modern-screenshot is a legitimate library; phantom-dep reflects config-level usage pattern stable across versions. | ai | |
| phantom-deps | phantom-dep:solid-sonner | AI (phantom-deps): solid-sonner is a legitimate SolidJS library; phantom-dep likely reflects indirect/config-level usage pattern for this package. | ai | |
Versions (showing 26 of 127)
| Version | Deps | Published |
|---|---|---|
| 0.0.29 | 2 / 9 | |
| 0.0.28 | 2 / 9 | |
| 0.0.27 | 2 / 9 | |
| 0.0.26 | 2 / 9 | |
| 0.0.25 | 2 / 9 | |
| 0.0.24 | 2 / 9 | |
| 0.0.23 | 2 / 9 | |
| 0.0.21 | 1 / 5 | |
| 0.0.20 | 1 / 6 | |
| 0.0.19 | 1 / 6 | |
| 0.0.18 | 1 / 6 | |
| 0.0.17 | 1 / 6 | |
| 0.0.16 | 1 / 6 | |
| 0.0.15 | 1 / 6 | |
| 0.0.14 | 1 / 6 | |
| 0.0.13 | 1 / 6 | |
| 0.0.12 | 1 / 6 | |
| 0.0.11 | 1 / 6 | |
| 0.0.9 | 1 / 6 | |
| 0.0.7 | 1 / 7 | |
| 0.0.6 | 1 / 7 | |
| 0.0.5 | 1 / 7 | |
| 0.0.4 | 1 / 7 | |
| 0.0.3 | 1 / 7 | |
| 0.0.2 | 1 / 7 | |
| 0.0.1 | 1 / 7 | |
v0.0.29
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.28
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.27
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.26
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.25
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.24
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.23
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.21
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.20
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.19
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.18
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.17
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.16
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.15
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.14
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.13
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.12
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.11
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.9
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.7
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.6
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.