@ai-sdk/react No license 6 versions

@ai-sdk/react

npm Repository Homepage

6

Versions

—

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

vercel-release-botmatheussmatt.straka

Keywords

aireact

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Vercel migrated from vercel-release-bot to GitHub Actions CI; SLSA attestation confirms legitimacy.	ai	2026/04/29
maintainer-change	maintainer-added	AI (maintainer-change): New maintainers matheuss and matt.straka are Vercel employees; this is a documented internal transition. Publisher remains vercel-release-bot.	ai	2026/04/26
maintainer-change	maintainer-removed	AI (maintainer-change): jaredpalmer's removal reflects a known Vercel org transition; not indicative of takeover given vercel-release-bot remains the publisher.	ai	2026/04/26
publish-pattern	dormant-publish	AI (publish-pattern): Apparent dormancy is an artifact of the large version gap (v1.1.8 to v3.0.141) between last approved and current. Package has 850 versions and 5.2M weekly downloads — continuously active.	ai	2026/04/26
publish-pattern	new-deps-added	AI (publish-pattern): New dep 'ai' is the core Vercel AI SDK package replacing @ai-sdk/ui-utils; a legitimate architectural consolidation within the same trusted org.	ai	2026/04/26
provenance	no-provenance	AI (provenance): vercel-release-bot is a well-established publisher with 4383 approved packages; lack of Sigstore provenance is not a meaningful risk signal for this publisher.	ai	2026/04/25

Versions (showing 6 of 306)

Version	Deps	Published
2.0.84	4 / 15	2025-10-31
2.0.83	4 / 15	2025-10-31
2.0.82	4 / 15	2025-10-29
2.0.81	4 / 15	2025-10-27
2.0.80	4 / 15	2025-10-26
1.1.8	4 / 15	2025-01-31

v2.0.84

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.83

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.82

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.81

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.80

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.8

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.