@ant-design/icons — Greenflagged

[![NPM version](https://img.shields.io/npm/v/@ant-design/icons.svg?style=flat)](https://npmjs.org/package/@ant-design/icons) [![NPM downloads](http://img.shields.io/npm/dm/@ant-design/icons.svg?style=flat)](https://npmjs.org/package/@ant-design/icons)

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

afc163zombiejchenshuai2144arvinxxmadccc

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:es/icons/AmazonCircleFilled.d.ts	AI (source-diff): Base64 data URIs in JSDoc comments are SVG icon previews for IDE hover — standard pattern in icon libraries, not obfuscation.	ai	2026/04/27
source-diff	obfuscated-file:es/icons/AmazonSquareFilled.d.ts	AI (source-diff): Base64 data URIs in JSDoc comments are SVG icon previews for IDE hover — standard pattern in icon libraries, not obfuscation.	ai	2026/04/27
source-diff	obfuscated-file:es/icons/AmazonOutlined.d.ts	AI (source-diff): Base64 data URIs in JSDoc comments are SVG icon previews for IDE hover — standard pattern in icon libraries, not obfuscation.	ai	2026/04/27
source-diff	obfuscated-file:dist/icons/HolderOutlined.d.ts	AI (source-diff): TypeScript declaration files with complex React prop type unions naturally produce long single-line definitions; not obfuscation.	ai	2026/04/21
source-diff	obfuscated-file:lib/icons/HolderOutlined.d.ts	AI (source-diff): TypeScript .d.ts files with long Pick union types are normal for React component libraries; not obfuscation.	ai	2026/04/21
phantom-deps	phantom-dep:@babel/runtime	AI (phantom-deps): Babel runtime is a framework convention for transpiled packages; stable for this package.	ai	2026/04/21
source-diff	obfuscated-file:es/icons/BilibiliOutlined.js	AI (source-diff): Auto-generated icon component with embedded base64 SVG data; not obfuscated malware. Build artifact from documented generate.ts script.	ai	2026/04/21
source-diff	obfuscated-file:lib/icons/KubernetesOutlined.js	AI (source-diff): Auto-generated icon component with embedded base64 SVG data; not obfuscated malware. Build artifact from documented generate.ts script.	ai	2026/04/21
source-diff	obfuscated-file:es/icons/LinuxOutlined.js	AI (source-diff): Auto-generated icon component with embedded base64 SVG data; not obfuscated malware. Build artifact from documented generate.ts script.	ai	2026/04/21
source-diff	obfuscated-file:lib/icons/LinuxOutlined.js	AI (source-diff): Auto-generated icon component with embedded base64 SVG data; not obfuscated malware. Build artifact from documented generate.ts script.	ai	2026/04/21
source-diff	obfuscated-file:lib/icons/BilibiliOutlined.js	AI (source-diff): Auto-generated icon component with embedded base64 SVG data; not obfuscated malware. Build artifact from documented generate.ts script.	ai	2026/04/21
source-diff	obfuscated-file:es/icons/DiscordOutlined.js	AI (source-diff): Auto-generated icon component with embedded base64 SVG data; not obfuscated malware. Build artifact from documented generate.ts script.	ai	2026/04/21
source-diff	obfuscated-file:lib/icons/DiscordOutlined.js	AI (source-diff): Auto-generated icon component with embedded base64 SVG data; not obfuscated malware. Build artifact from documented generate.ts script.	ai	2026/04/21
source-diff	obfuscated-file:es/icons/KubernetesOutlined.js	AI (source-diff): Auto-generated icon component with embedded base64 SVG data; not obfuscated malware. Build artifact from documented generate.ts script.	ai	2026/04/21
dependencies	unvetted-peer-dep:react-dom	AI (dependencies): react-dom peer dependency is expected for React icon library; stable for this package.	ai	2026/04/21
dependencies	unvetted-dep:rc-util	AI (dependencies): rc-util is a standard Ant Design ecosystem dependency; stable for this package.	ai	2026/04/21
provenance	no-provenance	AI (provenance): Package predates Sigstore adoption; no provenance is expected for this era.	ai	2026/04/21
publish-pattern	new-deps-added	AI (publish-pattern): New dependencies are all established packages (rc-util, classnames, insert-css, @ant-design/colors, @ant-design/icons-svg); no suspicious additions.	ai	2026/04/21
source-diff	source-size-tripled	AI (source-diff): Size increase reflects expanded icon set and build artifacts; legitimate for icon library growth.	ai	2026/04/21
provenance	missing-githead	AI (provenance): gitHead absence reflects publish environment change, not code integrity risk for a mature package.	ai	2026/04/21
maintainer-change	maintainer-removed	AI (maintainer-change): Maintainer transition is legitimate; vagusx is listed as contributor and has established npm history.	ai	2026/04/21
source-diff	obfuscated-file:lib/umd.js	AI (source-diff): Standard webpack UMD bundle of SVG icon data; build:umd script in package.json confirms this is a legitimate build artifact.	ai	2026/04/21
source-diff	large-new-source-files	AI (source-diff): 210 new files reflect major version bump (v4→v5); consistent with feature additions, not injection.	ai	2026/04/21
source-diff	obfuscated-file:lib/Amazon.js	AI (source-diff): SVG icon data files have very long path coordinate strings triggering the long-line heuristic. Not obfuscation — standard for icon libraries.	ai	2026/04/21
source-diff	obfuscated-file:lib/dist.js	AI (source-diff): UMD webpack bundle of SVG icon definitions; long lines are SVG path data, not obfuscation. Matches build:umd script.	ai	2026/04/21
provenance	publisher-changed	AI (provenance): Publisher change reflects legitimate maintainer transition; vagusx has 2457-day history and 115 approved packages.	ai	2026/04/21
maintainer-change	maintainer-added	AI (maintainer-change): Team expansion on established package; new maintainer addition is normal for popular projects.	ai	2026/04/21
typosquat	typosquat.levenshtein:cors	AI (typosquat): Scoped @ant-design namespace with official GitHub repo; Levenshtein distance match is a false positive for this established ecosystem package.	ai	2026/04/21
dependencies	unvetted-dep:@rc-component/util	AI (dependencies): @rc-component/util is a utility package from the RC ecosystem; reasonable constraint and low risk for this established package.	ai	2026/04/21
dependencies	unvetted-dep:@ant-design/colors	AI (dependencies): @ant-design/colors is a first-party Ant Design package; its use here is expected and stable across versions.	ai	2026/04/21

Versions (showing 51 of 81)

View all versions

Version	Deps	Published
6.2.5	4 / 32	2026-05-28
6.2.4	4 / 32	2026-05-28
6.2.3	4 / 32	2026-05-13
6.2.2	4 / 32	2026-04-27
6.2.1	4 / 32	2026-04-27
6.2.0	4 / 32	2026-04-27
6.1.1	4 / 34	2026-03-26
6.1.0	4 / 35	2025-10-01
6.0.2	4 / 36	2025-09-12
6.0.1	4 / 37	2025-09-04
6.0.0	4 / 37	2025-03-21
5.6.1	5 / 36	2025-02-07
5.6.0	5 / 36	2025-01-22
5.5.2	5 / 36	2024-11-29
5.5.1	5 / 36	2024-09-19
5.5.0	5 / 36	2024-09-18
5.4.0	5 / 38	2024-07-21
5.3.7	5 / 38	2024-05-04
5.3.6	5 / 38	2024-03-31
5.3.5	5 / 37	2024-03-22
5.3.4	5 / 37	2024-03-18
5.3.3	5 / 37	2024-03-15
5.3.2	5 / 37	2024-03-15
5.3.1	5 / 37	2024-02-29
5.3.0	5 / 37	2024-01-31
5.2.0	5 / 37	2023-08-01
5.1.4	5 / 36	2023-05-30
5.1.3	5 / 36	2023-05-26
5.1.2	5 / 36	2023-05-24
5.1.1	5 / 36	2023-05-24
5.1.0	5 / 28	2023-05-17
5.0.1	5 / 28	2023-01-20
5.0.0	5 / 27	2023-01-10
4.8.0	5 / 27	2022-11-16
4.7.0	5 / 24	2021-09-24
4.6.4	5 / 24	2021-08-27
4.6.3	5 / 24	2021-08-16
4.6.2	5 / 24	2021-03-19
4.6.1	5 / 24	2021-03-19
4.6.0	5 / 24	2021-03-19
4.5.0	6 / 25	2021-02-10
4.4.0	6 / 25	2021-01-19
4.3.0	6 / 24	2020-11-13
4.2.2	6 / 24	2020-08-04
4.2.1	6 / 23	2020-05-30
4.2.0	5 / 23	2020-05-29
4.1.0	5 / 22	2020-04-27
4.0.6	5 / 22	2020-04-10
4.0.5	5 / 22	2020-03-29
4.0.4	5 / 22	2020-03-28
4.0.3	5 / 22	2020-03-18

v6.2.5

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.2.4

2 findings

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: zombiej → afc163 (on 2026-05-28, known maintainer) provenance

This version was published by a different npm account (afc163) than the most recent previously approved version (zombiej) on 2026-05-28, but afc163 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v6.2.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.2.2

4 findings

HIGH New obfuscated file: es/icons/AmazonCircleFilled.d.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: es/icons/AmazonOutlined.d.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: es/icons/AmazonSquareFilled.d.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.2.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.2.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.6.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.6.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.5.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.2.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.2.0

2 findings

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: zombiej → afc163 (on 2020-05-29) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2020-05-29. This could indicate a legitimate maintainer transition or an account compromise.

v4.1.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.