vite-plugin-vue-devtools
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:client/assets/timeline-C70dHO3X.js | AI (source-diff): Minified timeline component bundle; legitimate devtools UI code. | ai | |
| source-diff | obfuscated-file:client/assets/pages-DooL8y43.js | AI (source-diff): Minified Vue router/pages bundle; legitimate devtools UI code. | ai | |
| source-diff | obfuscated-file:client/assets/settings-m2v-t2vR.js | AI (source-diff): Minified Vue settings component; legitimate devtools UI code. | ai | |
| source-diff | obfuscated-file:client/assets/assets-rxSrDlpI.js | AI (source-diff): Standard Vite-minified client bundle for devtools UI; content-hashed filename is expected pattern. | ai | |
| source-diff | obfuscated-file:client/assets/graph-wnRn8UNq.js | AI (source-diff): Minified vis-network library with license header; expected bundled dependency. | ai | |
| source-diff | net-exec-file:client/assets/graph-wnRn8UNq.js | AI (source-diff): vis-network bundle; network calls are browser DOM/fetch ops, not dropper behavior. | ai | |
| source-diff | obfuscated-file:client/assets/index-tvfuK4RW.js | AI (source-diff): Main Vite bundle entry; minification is expected for this devtools client package. | ai | |
| source-diff | net-exec-file:client/assets/index-tvfuK4RW.js | AI (source-diff): Vite modulepreload polyfill pattern; standard browser fetch for preloading, not malware. | ai | |
| source-diff | obfuscated-file:client/assets/overview-DZxAymiJ.js | AI (source-diff): Minified Vue component bundle; legitimate devtools UI code. | ai | |
| phantom-deps | phantom-dep:@vue/devtools-shared | AI (phantom-deps): Framework-scoped sibling package loaded by convention; stable false positive for this package. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Fires on bundled Vue runtime code; Reflect.get() is standard Vue internals, not malicious obfuscation. | ai | |
v8.1.2
10 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.1.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.