@atlaskit/pragmatic-drag-and-drop-react-beautiful-dnd-migration
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): Dormancy followed by publisher migration is consistent with Atlassian's batch migration to their artifact publishing account. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change to atlassianartifactteam is an Atlassian-internal CI/CD account migration, not a compromise. | ai | |
| provenance | missing-githead | AI (provenance): Consistent with publishing pipeline change; atlassianartifactteam publishes thousands of approved Atlaskit packages without gitHead. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): atlassianartifactteam is Atlassian's official artifact publishing account with 3835 approved packages; this is an internal pipeline migration. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainer is Atlassian's official artifact team account; legitimate org-level transition. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): atlaskit replaced by atlassianartifactteam as part of Atlassian's publishing pipeline migration. | ai | |
| dependencies | unvetted-dep:@atlaskit/pragmatic-drag-and-drop-live-region | AI (dependencies): Sibling Atlassian design system package; same publisher/org, no risk. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Atlassian scoped component library; thin README and no keywords are normal for this package family. | ai |
Versions (showing 20 of 20)
| Version | Deps | Published |
|---|---|---|
| 2.1.1 | 8 / 20 | |
| 2.1.0 | 8 / 19 | |
| 2.0.19 | 8 / 19 | |
| 2.0.18 | 8 / 18 | |
| 2.0.17 | 8 / 18 | |
| 2.0.16 | 8 / 18 | |
| 2.0.15 | 8 / 18 | |
| 2.0.14 | 8 / 18 | |
| 2.0.13 | 8 / 18 | |
| 2.0.12 | 8 / 18 | |
| 2.0.11 | 8 / 18 | |
| 2.0.10 | 8 / 17 | |
| 2.0.9 | 8 / 17 | |
| 2.0.8 | 8 / 17 | |
| 2.0.7 | 8 / 17 | |
| 2.0.6 | 8 / 17 | |
| 2.0.5 | 8 / 18 | |
| 2.0.4 | 8 / 18 | |
| 2.0.3 | 8 / 18 | |
| 1.2.1 | 9 / 18 |
v2.1.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.19
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.18
4 findingsAll previous maintainers (atlaskit) were replaced by new maintainers (atlassianartifactteam). This is a strong signal of a potential package hijack and requires careful review.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atlassianartifactteam.
This version was published by a different npm account than previous versions on 2026-04-14. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.17
4 findingsAll previous maintainers (atlaskit) were replaced by new maintainers (atlassianartifactteam). This is a strong signal of a potential package hijack and requires careful review.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atlassianartifactteam.
This version was published by a different npm account than previous versions on 2026-04-10. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.16
4 findingsAll previous maintainers (atlaskit) were replaced by new maintainers (atlassianartifactteam). This is a strong signal of a potential package hijack and requires careful review.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atlassianartifactteam.
This version was published by a different npm account than previous versions on 2026-04-01. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.15
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.14
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.13
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atlassianartifactteam.
v2.0.12
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atlassianartifactteam.
v2.0.11
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atlassianartifactteam.
v2.0.10
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atlassianartifactteam.
v2.0.9
3 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atlassianartifactteam.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-11-07. This could indicate a legitimate maintainer transition or an account compromise.
v2.0.8
3 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atlassianartifactteam.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-10-21. This could indicate a legitimate maintainer transition or an account compromise.
v2.0.7
3 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atlassianartifactteam.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-10-15. This could indicate a legitimate maintainer transition or an account compromise.
v2.0.6
3 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atlassianartifactteam.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-08-19. This could indicate a legitimate maintainer transition or an account compromise.
v2.0.5
3 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atlassianartifactteam.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-08-04. This could indicate a legitimate maintainer transition or an account compromise.
v2.0.4
3 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atlassianartifactteam.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-06-03. This could indicate a legitimate maintainer transition or an account compromise.
v2.0.3
3 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atlassianartifactteam.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-05-08. This could indicate a legitimate maintainer transition or an account compromise.
v1.2.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.