← Home

vite-plus

npm Repository Homepage

The Unified Toolchain for the Web

6
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

boshenbroooooklyncpojerfengmk2vitebotyyx990803

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff large-new-source-files AI (source-diff): Dist bundle chunks rotate filenames each build; stable for this package. ai
source-diff obfuscated-file:dist/wrap-ansi-k7Dn4VtV.js AI (source-diff): Bundled/minified dist output of well-known deps (emoji-regex, wrap-ansi); stable pattern. ai
source-diff obfuscated-file:dist/tsconfig-DlUVXT3J.js AI (source-diff): Bundled/minified dist output with clear provenance; stable pattern for this package. ai
source-diff obfuscated-file:dist/agent-D2ocSU01.js AI (source-diff): Standard bundled output with readable imports and region comments; not obfuscated. ai
source-diff obfuscated-file:dist/agent-BWLe0i9g.js AI (source-diff): Bundled dist output with readable imports and region comments; not obfuscated. ai
source-diff obfuscated-file:dist/strip-ansi-D-eYYcD2.js AI (source-diff): Bundled ansi-styles/strip-ansi code; long lines from minification, not obfuscation. ai
source-diff obfuscated-file:dist/wrap-ansi-DtUeUCjE.js AI (source-diff): Bundled emoji-regex/wrap-ansi code; long regex literals trigger false positive. ai
source-diff obfuscated-file:dist/agent-D_WSpD0r.js AI (source-diff): Minified build output for a CLI/build tool; readable imports, no obfuscation. ai
phantom-deps phantom-dep:oxlint-tsgolint AI (phantom-deps): Build tooling package; peer/config-only dependency references are expected and not a security risk. ai
source-diff obfuscated-file:dist/agent-BcSb6dt_.js AI (source-diff): File is a standard rollup/tsdown bundle with readable imports and third-party library code. Long lines are from minification, not obfuscation. SLSA provenance confirms CI/CD build integrity. ai
phantom-deps phantom-dep:@oxc-project/types AI (phantom-deps): Type-only or config-only reference in a build tooling package; not a security risk. ai
semgrep semgrep:dynamic-require AI (semgrep): Dynamic require of NAPI_RS_NATIVE_LIBRARY_PATH is the standard napi-rs pattern for loading platform-specific native bindings; stable for this package. ai
semgrep semgrep:child-process-execsync AI (semgrep): execSync('ldd --version') is used solely to detect musl libc for selecting the correct native binary; not a security risk in this context. ai
semgrep semgrep:child-process-import AI (semgrep): child_process usage is part of the napi-rs native binding loader pattern (detecting musl libc); standard and expected for native Node.js addons. ai

Versions (showing 6 of 6)

Show 96 prereleases
Version Deps Published
0.1.23 7 / 25
0.1.22 7 / 25
0.1.21 6 / 25
0.1.20 6 / 24
0.1.18 6 / 24
0.1.17 6 / 24

v0.1.23

3 findings
HIGH New obfuscated file: dist/tsconfig-DlUVXT3J.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/wrap-ansi-k7Dn4VtV.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.22

4 findings
HIGH New obfuscated file: dist/agent-BWLe0i9g.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/strip-ansi-D-eYYcD2.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/wrap-ansi-DtUeUCjE.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.21

2 findings
HIGH New obfuscated file: dist/agent-D2ocSU01.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.20

2 findings
HIGH New obfuscated file: dist/agent-D_WSpD0r.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.18

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.17

2 findings
HIGH New obfuscated file: dist/agent-BcSb6dt_.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.