vite-plus
The Unified Toolchain for the Web
Versions: 2
License: MIT
Install Scripts: No
Provenance: Verified
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
No source commit
Maintainers
boshen, broooooklyn, cpojer, fengmk2, vitebot, yyx990803
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | large-new-source-files | AI (source-diff): Dist bundle chunks rotate filenames each build; stable for this package. | ai | |
| source-diff | obfuscated-file:dist/wrap-ansi-k7Dn4VtV.js | AI (source-diff): Bundled/minified dist output of well-known deps (emoji-regex, wrap-ansi); stable pattern. | ai | |
| source-diff | obfuscated-file:dist/tsconfig-DlUVXT3J.js | AI (source-diff): Bundled/minified dist output with clear provenance; stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/agent-D2ocSU01.js | AI (source-diff): Standard bundled output with readable imports and region comments; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/agent-BWLe0i9g.js | AI (source-diff): Bundled dist output with readable imports and region comments; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/strip-ansi-D-eYYcD2.js | AI (source-diff): Bundled ansi-styles/strip-ansi code; long lines from minification, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/wrap-ansi-DtUeUCjE.js | AI (source-diff): Bundled emoji-regex/wrap-ansi code; long regex literals trigger false positive. | ai | |
| source-diff | obfuscated-file:dist/agent-D_WSpD0r.js | AI (source-diff): Minified build output for a CLI/build tool; readable imports, no obfuscation. | ai | |
| phantom-deps | phantom-dep:oxlint-tsgolint | AI (phantom-deps): Build tooling package; peer/config-only dependency references are expected and not a security risk. | ai | |
| source-diff | obfuscated-file:dist/agent-BcSb6dt_.js | AI (source-diff): File is a standard rollup/tsdown bundle with readable imports and third-party library code. Long lines are from minification, not obfuscation. SLSA provenance confirms CI/CD build integrity. | ai | |
| phantom-deps | phantom-dep:@oxc-project/types | AI (phantom-deps): Type-only or config-only reference in a build tooling package; not a security risk. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require of NAPI_RS_NATIVE_LIBRARY_PATH is the standard napi-rs pattern for loading platform-specific native bindings; stable for this package. | ai | |
| semgrep | semgrep:child-process-execsync | AI (semgrep): execSync('ldd --version') is used solely to detect musl libc for selecting the correct native binary; not a security risk in this context. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process usage is part of the napi-rs native binding loader pattern (detecting musl libc); standard and expected for native Node.js addons. | ai | |
Versions (showing 2 of 102)
| Version | Deps | Published |
|---|---|---|
| 0.0.0-16aec32c4c6c33501bb58784baab9de3ce44c0c4 | 7 / 7 | |
| 0.0.0-0bfcc90f.20260209-0731 | 7 / 7 | |