@brightlocal/ui-components
BrightLocal Design System UI Components
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/map.cjs | AI (source-diff): Standard Vite CJS bundle output; readable React/Google Maps component logic, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/stepper.cjs | AI (source-diff): Standard Vite CJS bundle output; readable Stepper component logic, no malicious patterns. | ai | |
| provenance | no-provenance | AI (provenance): Internal design system; lack of provenance is common and not a risk signal here. | ai | |
| dependencies | unvetted-dep:@radix-ui/react-hover-card | AI (dependencies): Radix UI is a well-known, widely-used component library; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@radix-ui/react-avatar | AI (dependencies): Radix UI is a well-known, widely-used component library; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@tanstack/react-virtual | AI (phantom-deps): Newly added runtime dep; referenced in config/bundler context, stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:lucide-react | AI (phantom-deps): lucide-react is explicitly declared in dependencies; phantom-dep is a false positive for this package. | ai |
Versions (showing 24 of 24)
| Version | Deps | Published |
|---|---|---|
| 2.15.0 | 44 / 14 | |
| 2.14.0 | 43 / 14 | |
| 2.13.0 | 43 / 14 | |
| 2.11.0 | 44 / 14 | |
| 2.10.0 | 44 / 14 | |
| 2.9.2 | 44 / 14 | |
| 2.7.0 | 44 / 14 | |
| 2.6.1 | 44 / 14 | |
| 2.6.0 | 44 / 14 | |
| 2.5.0 | 44 / 14 | |
| 2.4.0 | 44 / 14 | |
| 2.3.0 | 44 / 14 | |
| 2.2.0 | 44 / 14 | |
| 2.1.0 | 44 / 14 | |
| 2.0.0 | 44 / 14 | |
| 1.4.3 | 43 / 14 | |
| 1.4.2 | 43 / 14 | |
| 1.4.1 | 43 / 14 | |
| 1.4.0 | 43 / 14 | |
| 1.3.0 | 43 / 14 | |
| 1.2.4 | 42 / 13 | |
| 1.1.0 | 42 / 13 | |
| 1.0.1 | 42 / 13 | |
| 0.1.1 | 42 / 13 |
v2.15.0
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (inum) than the most recent previously approved version (oksana_shmatok) on 2026-06-11, but inum is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v2.14.0
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (inum) than the most recent previously approved version (oksana_shmatok) on 2026-06-05, but inum is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v2.13.0
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (inum) than the most recent previously approved version (oksana_shmatok) on 2026-06-04, but inum is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v2.11.0
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (inum) than the most recent previously approved version (oksana_shmatok) on 2026-05-21, but inum is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v2.10.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.9.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.3.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.2.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.