@atlaskit/editor-plugin-synced-block

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

atlassianartifactteam

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:react-intl-next	AI (dependencies): react-intl-next is a standard Atlaskit ecosystem alias for react-intl@^5.x, used consistently across all @atlaskit packages. Not a security concern.	ai	2026/04/25
bogus-package	bogus-package	AI (bogus-package): Atlaskit component packages routinely lack keywords and detailed READMEs on npm; they are internal enterprise components, not public-facing libraries requiring marketing content.	ai	2026/04/25
provenance	no-provenance	AI (provenance): Atlassian publishes via their artifact team pipeline without Sigstore provenance; this is consistent across all @atlaskit packages and not a security concern given the established publisher track record.	ai	2026/04/24

Versions (showing 8 of 121)

Version	Deps	Published
6.0.32	35 / 1	2026-03-31
6.0.29	35 / 1	2026-03-27
6.0.25	35 / 1	2026-03-26
6.0.24	35 / 1	2026-03-25
6.0.23	35 / 1	2026-03-25
6.0.22	35 / 1	2026-03-25
6.0.21	35 / 1	2026-03-25
3.8.2	17 / 1	2025-10-27