@atlaskit/tooltip
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@atlaskit/theme | AI (dependencies): Official Atlaskit design system package from Atlassian; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@compiled/react | AI (dependencies): @compiled/react is Atlassian's official CSS-in-JS library; legitimate dependency for Atlaskit components. | ai | |
| dependencies | unvetted-dep:@atlaskit/ds-lib | AI (dependencies): Official Atlaskit design system utility package from Atlassian. | ai | |
| dependencies | unvetted-dep:@atlaskit/motion | AI (dependencies): Official Atlaskit animation/motion package from Atlassian. | ai | |
| dependencies | unvetted-dep:@atlaskit/popper | AI (dependencies): Official Atlaskit popper wrapper from Atlassian; expected dependency for a tooltip component. | ai | |
| dependencies | unvetted-dep:@atlaskit/portal | AI (dependencies): Official Atlaskit portal package from Atlassian; expected dependency for a tooltip component. | ai | |
| dependencies | unvetted-dep:@atlaskit/tokens | AI (dependencies): Official Atlaskit design tokens package from Atlassian. | ai | |
| dependencies | unvetted-dep:@atlaskit/layering | AI (dependencies): Official Atlaskit layering package from Atlassian. | ai | |
| dependencies | unvetted-dep:bind-event-listener | AI (dependencies): Well-known, legitimate utility package for event listener management; no security concerns. | ai | |
| dependencies | unvetted-dep:@atlaskit/analytics-next | AI (dependencies): Official Atlaskit analytics package from Atlassian. | ai | |
| dependencies | unvetted-dep:@atlaskit/platform-feature-flags | AI (dependencies): Official Atlaskit feature flags package from Atlassian. | ai | |
| phantom-deps | phantom-dep:@atlaskit/tokens | AI (phantom-deps): Same org scope; tokens used indirectly via other Atlaskit deps in monorepo pattern. Not a security concern. | ai | |
| phantom-deps | phantom-dep:@atlaskit/platform-feature-flags | AI (phantom-deps): Same org scope; feature flags used indirectly via other Atlaskit deps in monorepo pattern. Not a security concern. | ai | |
| provenance | no-provenance | AI (provenance): Atlaskit packages are published by the official Atlassian artifact team; lack of Sigstore provenance is acceptable given the established publisher track record. | ai | |
Versions (showing 43 of 43)
| Version | Deps | Published |
|---|---|---|
| 22.5.0 | 13 / 20 | |
| 22.4.0 | 13 / 20 | |
| 22.3.4 | 13 / 20 | |
| 22.3.3 | 13 / 20 | |
| 22.3.2 | 13 / 20 | |
| 22.3.1 | 13 / 20 | |
| 22.3.0 | 13 / 20 | |
| 22.2.3 | 13 / 20 | |
| 22.2.2 | 13 / 19 | |
| 22.2.1 | 13 / 19 | |
| 22.2.0 | 13 / 19 | |
| 22.1.0 | 13 / 19 | |
| 22.0.0 | 12 / 19 | |
| 21.2.1 | 12 / 19 | |
| 21.2.0 | 12 / 19 | |
| 21.1.6 | 12 / 19 | |
| 21.1.5 | 12 / 19 | |
| 21.1.4 | 12 / 19 | |
| 21.1.3 | 12 / 19 | |
| 21.1.2 | 12 / 18 | |
| 21.1.1 | 12 / 18 | |
| 21.1.0 | 12 / 18 | |
| 21.0.1 | 12 / 18 | |
| 21.0.0 | 12 / 18 | |
| 20.14.7 | 12 / 17 | |
| 20.14.6 | 12 / 17 | |
| 20.14.5 | 12 / 17 | |
| 20.14.4 | 12 / 17 | |
| 20.14.3 | 12 / 17 | |
| 20.14.2 | 12 / 17 | |
| 20.14.1 | 12 / 17 | |
| 20.14.0 | 12 / 17 | |
| 20.13.0 | 12 / 17 | |
| 20.12.0 | 12 / 16 | |
| 20.11.1 | 12 / 15 | |
| 20.11.0 | 12 / 15 | |
| 20.10.0 | 12 / 16 | |
| 20.9.0 | 12 / 16 | |
| 20.8.2 | 12 / 16 | |
| 20.8.1 | 12 / 16 | |
| 20.8.0 | 12 / 16 | |
| 20.7.1 | 12 / 16 | |
| 20.7.0 | 12 / 16 | |
v22.5.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.4.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.3.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.3.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.3.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.3.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.3.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.2.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.2.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.2.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.2.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v21.2.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v21.2.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v21.1.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v21.1.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v21.1.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v21.1.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v21.1.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v21.1.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v21.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v21.0.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v21.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.14.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.14.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.14.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.14.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.14.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.14.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.14.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.14.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.13.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.12.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.11.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v20.11.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.10.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.9.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.8.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.8.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.8.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.7.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.7.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.