All vite-plugin-inspect versions
vite-plugin-inspect @11.4.1
rejected
This version was rejected.
It did not pass GreenFlagged's security review and is not served by the registry.
The findings and risk dispositions below explain why.
85
Risk Score
MIT
License
No
Install Scripts
9
Dependencies
43
Dev Dependencies
868.2 KB
Package Size
Published
Inspect the intermediate state of Vite plugins
Maintainers
antfusxzz
Keywords
vite-plugin
Dependencies (9)
| Package | Constraint | Registry Status |
|---|---|---|
| obug | ^2.1.1 | auto_approved |
| open | ^11.0.0 | No greenflagged match |
| sirv | ^3.0.2 | auto_approved |
| ansis | ^4.3.0 | auto_approved |
| ohash | ^2.0.11 | auto_approved |
| vite-dev-rpc | ^2.0.0 | auto_approved |
| unplugin-utils | ^0.3.1 | auto_approved |
| perfect-debounce | ^2.1.0 | auto_approved |
| error-stack-parser-es | ^1.0.5 | auto_approved |
Dev Dependencies (43)
| Package | Constraint | Registry Status |
|---|---|---|
| vue | ^3.5.35 | auto_approved |
| vite | ^8.0.14 | auto_approved |
| bumpp | ^11.1.0 | auto_approved |
| pathe | ^2.0.3 | auto_approved |
| pinia | ^3.0.4 | auto_approved |
| eslint | ^10.4.0 | auto_approved |
| unocss | ^66.7.0 | auto_approved |
| comlink | ^4.4.2 | auto_approved |
| echarts | ^6.1.0 | auto_approved |
| fuse.js | ^7.3.0 | auto_approved |
| premove | ^4.0.0 | auto_approved |
| unbuild | ^3.6.1 | auto_approved |
| vue-tsc | ^3.3.2 | auto_approved |
| vis-data | ^8.0.4 | auto_approved |
| @antfu/ni | ^30.1.0 | auto_approved |
| @nuxt/kit | ^4.4.6 | No greenflagged match |
| codemirror | ^5.65.16 | auto_approved |
| splitpanes | ^4.1.2 | auto_approved |
| typescript | ^6.0.3 | auto_approved |
| vue-router | ^5.1.0 | auto_approved |
| @types/node | ^25.9.1 | auto_approved |
| lint-staged | ^17.0.5 | auto_approved |
| vis-network | ^10.1.0 | auto_approved |
| vue-echarts | ^8.0.1 | auto_approved |
| @antfu/utils | ^9.3.0 | auto_approved |
| @vueuse/core | ^14.3.0 | auto_approved |
| floating-vue | ^5.2.2 | auto_approved |
| @iconify/json | ^2.2.480 | No greenflagged match |
| @unocss/reset | ^66.7.0 | auto_approved |
| @vueuse/router | ^14.3.0 | auto_approved |
| vite-hot-client | ^2.2.0 | auto_approved |
| simple-git-hooks | ^2.13.1 | auto_approved |
| @types/codemirror | ^5.60.17 | auto_approved |
| @vue/compiler-sfc | ^3.5.35 | No greenflagged match |
| @vitejs/plugin-vue | ^6.0.7 | auto_approved |
| diff-match-patch-es | ^1.0.1 | auto_approved |
| unplugin-vue-router | ^0.17.0 | No greenflagged match |
| @antfu/eslint-config | ^9.0.0 | auto_approved |
| unplugin-auto-import | ^21.0.0 | auto_approved |
| @unocss/eslint-config | ^66.7.0 | auto_approved |
| @unocss/eslint-plugin | ^66.7.0 | auto_approved |
| codemirror-theme-vars | ^0.1.2 | auto_approved |
| unplugin-vue-components | ^32.1.0 | auto_approved |
Transitive Dependency Tree
16 transitive deps
max depth 2
├─
ansis
^4.3.0
→ 4.3.1
├─
error-stack-parser-es
^1.0.5
→ 1.0.5
├─
obug
^2.1.1
→ 2.1.1
├─
ohash
^2.0.11
→ 2.0.11
├─
open
^11.0.0
├─
perfect-debounce
^2.1.0
→ 2.1.0
├─
sirv
^3.0.2
→ 3.0.2
├─
unplugin-utils
^0.3.1
→ 0.3.1
├─
vite-dev-rpc
^2.0.0
→ 2.0.0
├─
@polka/url
^1.0.0-next.24
├─
birpc
^4.0.0
→ 4.0.0
├─
mrmime
^2.0.0
→ 2.0.1
├─
pathe
^2.0.3
→ 2.0.3
├─
picomatch
^4.0.3
→ 4.0.4
├─
totalist
^3.0.0
├─
vite-hot-client
^2.2.0
→ 2.2.0
Changes from v11.3.3
Dependency Changes
| Change | Package | Version |
|---|---|---|
| added | obug | ^2.1.1 |
| removed | debug | ^4.4.1 |
| changed | open | ^10.2.0 → ^11.0.0 |
| changed | sirv | ^3.0.1 → ^3.0.2 |
| changed | ansis | ^4.1.0 → ^4.3.0 |
| changed | vite-dev-rpc | ^1.1.0 → ^2.0.0 |
| changed | unplugin-utils | ^0.3.0 → ^0.3.1 |
| changed | perfect-debounce | ^2.0.0 → ^2.1.0 |
File Changes
16 added
23 removed
5 modified
size delta: +152.0 KB
SAST Findings (4)
HIGH
Publisher changed: antfu → GitHub Actions (on 2026-05-29)
provenance
This version was published by a different npm account than previous versions on 2026-05-29. This could indicate a legitimate maintainer transition or an account compromise.
HIGH
New file with network + code execution: dist/client/assets/module-CdxQsEe1.js
source-diff
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
HIGH
New file with network + code execution: dist/client/assets/pages-DdhL9w1X.js
source-diff
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
Review Summary
Risk score: 85. Findings: 3 high (+75), 1 medium (+10), 2 info (+0).
Published to npm: