yui
YUI 3 Source
Versions: 0
License: —
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
davglass, ericf, reid, clarle, ezequiel, tripp
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:datatable-paginator/datatable-paginator-min.js | AI (source-diff): Standard YUI minified build artifact (-min.js); minification is expected and documented for YUI modules. | ai | |
| source-diff | obfuscated-file:paginator/paginator-coverage.js | AI (source-diff): Istanbul code coverage instrumentation file; long lines are JSON-serialized coverage metadata. Standard YUI build artifact. | ai | |
| source-diff | obfuscated-file:datatable-paginator/datatable-paginator-coverage.js | AI (source-diff): Istanbul code coverage instrumentation files; long lines are JSON-serialized coverage metadata, not malicious obfuscation. Standard YUI build artifact. | ai | |
| source-diff | obfuscated-file:datatable-formatters/datatable-formatters-coverage.js | AI (source-diff): Istanbul code coverage instrumentation files; long lines are JSON-serialized coverage metadata, not malicious obfuscation. Standard YUI build artifact. | ai | |
| source-diff | obfuscated-file:datatable-foot/datatable-foot-coverage.js | AI (source-diff): Istanbul code coverage instrumentation files; long lines are JSON-serialized coverage metadata, not malicious obfuscation. Standard YUI build artifact. | ai | |
| source-diff | obfuscated-file:color-harmony/color-harmony-min.js | AI (source-diff): YUI minified build files are standard build artifacts. The minified code is transparently the color-harmony module. Not obfuscation. | ai | |
| source-diff | obfuscated-file:color-harmony/color-harmony-coverage.js | AI (source-diff): YUI coverage instrumentation files are standard build artifacts with transparent YUI module code and BSD license headers. Not obfuscation. | ai | |
| source-diff | obfuscated-file:color-hsl/color-hsl-coverage.js | AI (source-diff): YUI coverage instrumentation files are standard build artifacts with transparent YUI module code and BSD license headers. Not obfuscation. | ai | |
| source-diff | large-new-source-files | AI (source-diff): YUI is a large framework; new minor/pre-release versions routinely add many new module files. 187 new files for 3.8.0pr1 is consistent with adding new color and animation modules. | ai | |
| source-diff | obfuscated-file:anim-shape/anim-shape-coverage.js | AI (source-diff): YUI coverage instrumentation files are standard build artifacts with transparent YUI module code and BSD license headers. Not obfuscation. | ai | |
| source-diff | obfuscated-file:color-base/color-base-coverage.js | AI (source-diff): YUI coverage instrumentation files are standard build artifacts with transparent YUI module code and BSD license headers. Not obfuscation. | ai | |
| source-diff | obfuscated-file:axis-numeric-base/axis-numeric-base-min.js | AI (source-diff): Standard minified YUI build output with Yahoo copyright header; legitimate chart axis code. | ai | |
| source-diff | obfuscated-file:base-observable/base-observable-coverage.js | AI (source-diff): YUI coverage instrumentation file — standard build artifact with long lines from embedded source string arrays. | ai | |
| source-diff | obfuscated-file:axis-time-base/axis-time-base-coverage.js | AI (source-diff): YUI coverage instrumentation file — standard build artifact with long lines from embedded source string arrays. | ai | |
| source-diff | obfuscated-file:axis-stacked-base/axis-stacked-base-coverage.js | AI (source-diff): YUI coverage instrumentation file — standard build artifact with long lines from embedded source string arrays. | ai | |
| source-diff | obfuscated-file:axis-numeric-base/axis-numeric-base-coverage.js | AI (source-diff): YUI coverage files embed source as string arrays causing long lines — standard YUI build artifact, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:treeview/treeview-min.js | AI (source-diff): Standard YUI minified build artifact with Yahoo copyright header and normal YUI Widget/Node patterns. Minified files are expected build outputs for this framework. | ai | |
| source-diff | obfuscated-file:datatable-table/datatable-table-min.js | AI (source-diff): Standard YUI minified build artifact with Yahoo copyright header and normal YUI.add() module pattern. Minified files are expected build outputs for this framework. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): YUI is a well-established Yahoo JavaScript framework. 'yui' is not a typosquat of 'joi'. | ai | |
| typosquat | typosquat.levenshtein:yup | AI (typosquat): YUI is a well-established Yahoo JavaScript framework predating 'yup' by many years. Not a typosquat. | ai | |
| typosquat | typosquat.levenshtein:uuid | AI (typosquat): YUI is a well-established Yahoo JavaScript framework. 'yui' is not a typosquat of 'uuid'. | ai | |
| source-diff | obfuscated-file:node-scroll-info/node-scroll-info-coverage.js | AI (source-diff): YUI standard test coverage instrumentation file generated by the YUI build system. Long lines are JSON-encoded source arrays, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:node-scroll-info/node-scroll-info-min.js | AI (source-diff): Standard YUI minified build artifact (-min.js convention). Content is clearly minified ScrollInfo plugin code, consistent with YUI's documented build pipeline. | ai | |
| source-diff | obfuscated-file:event-tap/event-tap-coverage.js | AI (source-diff): YUI standard test coverage instrumentation file generated by the YUI build system. Long lines are JSON-encoded source arrays, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:datatable-keynav/datatable-keynav-min.js | AI (source-diff): Standard YUI minified module following YUI.add() pattern. Minification is expected in YUI's build process; content is clearly keyboard navigation logic. | ai | |
| source-diff | obfuscated-file:datatable-keynav/datatable-keynav-coverage.js | AI (source-diff): Istanbul/NYC code coverage instrumentation file — dense JSON structure triggers long-line heuristic but is not obfuscated or malicious. Standard YUI build artifact. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Maintainer addition of ezequiel is a decade-old historical change with a well-established track record. Not a current risk signal for this package. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from clarle to ezequiel occurred in 2014; ezequiel has a strong track record (48 approved packages). This is a long-established, stable transition for this package. | ai | |
| source-diff | obfuscated-file:button-base/button-base-min.js | AI (source-diff): Standard YUI minified library file with Yahoo copyright header and build number. Not malicious obfuscation — this is the expected distribution format for YUI. | ai | |
| source-diff | obfuscated-file:datatable-sort-deprecated/datatable-sort-deprecated-min.js | AI (source-diff): Standard YUI minified library file with Yahoo copyright header and build number. Not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:datatable-scroll-deprecated/datatable-scroll-deprecated-min.js | AI (source-diff): Standard YUI minified library file with Yahoo copyright header and build number. Not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:datatable-base-deprecated/datatable-base-deprecated-min.js | AI (source-diff): Standard YUI minified library file with Yahoo copyright header and build number. Not malicious obfuscation. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in coverage instrumentation files; standard pattern in YUI's build artifacts, not a security risk for this package. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() in template-micro is standard template engine compilation in YUI. Intentional and documented behavior, stable across all versions. | ai | |
| license | uncommon-license:BSD | AI (license): YUI has always used the BSD license; it is a well-known permissive open-source license. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() in json-parse-shim is a well-documented JSON parsing shim pattern in YUI, not a supply-chain risk. Stable across all YUI versions. | ai | |
Versions (showing 0 of 0)
| Version | Deps | Published |
|---|---|---|