segmentit
Chinese word segmentation 中文分词模块 with browser && electron support
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source: the registry's integrity hash pins only the bytes that were served, not the commit or build they came from. The axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/module/COLORS.js | AI (source-diff): Long lines are a large Chinese color name data array (name/hex/RGB tuples), not obfuscated code. Consistent with a Chinese NLP/segmentation library's data files. | ai | |
| phantom-deps | phantom-dep:flow-typed | AI (phantom-deps): flow-typed is a dev tooling dependency mistakenly listed under dependencies; it is not imported at runtime and poses no security risk. Stable false positive for this package. | ai | |
| dependencies | unvetted-dep:flow-typed | AI (dependencies): flow-typed is a well-known Flow type definition tool; its presence as a runtime dep is a packaging mistake but not a security concern for this package. | ai | |
| source-diff | obfuscated-file:dist/cjs/segmentit.js | AI (source-diff): Large bundled file with embedded Chinese dictionary data (via preval.macro). Standard Babel/Rollup output; no malicious patterns. Long lines are dictionary data, not obfuscation. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): preval.macro is a legitimate Babel build-time macro for inlining data; used to embed Chinese dictionary corpus. Not a runtime attack vector. | ai | |
| source-diff | obfuscated-file:dist/esm/segmentit.js | AI (source-diff): ESM build with same embedded dictionary corpus. Standard transpiled output; no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/umd/segmentit.js | AI (source-diff): Minified UMD build via rollup-plugin-uglify. Standard minification for browser bundle; no malicious patterns visible. | ai | |
Versions (showing 17 of 17)
| Version | Deps (direct / total) | Published |
|---|---|---|
| 2.0.3 | 1 / 29 | |
| 2.0.2 | 1 / 29 | |
| 2.0.1 | 1 / 29 | |
| 2.0.0 | 1 / 29 | |
| 1.1.5 | 2 / 21 | |
| 1.1.4 | 2 / 24 | |
| 1.1.3 | 2 / 24 | |
| 1.1.2 | 2 / 24 | |
| 1.1.1 | 2 / 24 | |
| 1.1.0 | 2 / 24 | |
| 1.0.6 | 2 / 24 | |
| 1.0.5 | 2 / 24 | |
| 1.0.4 | 2 / 24 | |
| 1.0.3 | 2 / 24 | |
| 1.0.2 | 2 / 24 | |
| 1.0.1 | 2 / 24 | |
| 1.0.0 | 2 / 24 | |
v2.0.3 (1 finding)
- Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v2.0.2 (1 finding)
- Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v2.0.1 (1 finding)
- Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v2.0.0 (4 findings; the three long-line findings are accepted in the Accepted risks table above)
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.1.5 (1 finding)
- Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.1.4 (1 finding)
- Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.1.3 (1 finding)
- Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.1.2 (2 findings; the long-line finding is accepted in the Accepted risks table above)
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.1.1 (1 finding)
- Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.1.0 (1 finding)
- Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.0.6 (1 finding)
- Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.0.5 (1 finding)
- Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.0.4 (1 finding)
- Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.0.3 (1 finding)
- Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.0.2 (1 finding)
- Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.0.1 (1 finding)
- Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.0.0 (1 finding)
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.