@coinbase/cdp-react — Greenflagged

This package contains ready-made, customizable React UI components that wrap the CDP frontend SDK.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

coinbase-ownercoinbase-npm

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	source-size-tripled	AI (source-diff): Size growth consistent with adding multiple UI components and their dependencies; no malicious payload indicators.	ai	2026/05/11
source-diff	large-new-source-files	AI (source-diff): Rapidly growing Coinbase UI component library; new files reflect legitimate component additions.	ai	2026/05/11
provenance	publisher-changed	AI (provenance): Coinbase org migrated publishing to GitHub Actions CI/CD; expected for this package going forward.	ai	2026/05/11
npm-metadata	suspicious-initial-version	AI (npm-metadata): 0.0.0 is the documented version for Coinbase placeholder/namespace reservation packages.	ai	2026/05/11
bogus-package	bogus-package	AI (bogus-package): Intentional namespace placeholder by Coinbase; all bogus-package signals are expected for this use case.	ai	2026/05/11
source-diff	obfuscated-file:dist/utils/formatPhoneNumber.js	AI (source-diff): File contains libphonenumber-js phone metadata (country codes, dial prefixes) — expected minified data bundle from declared dependency.	ai	2026/05/04
phantom-deps	phantom-dep:clsx	AI (phantom-deps): clsx is a declared runtime dependency and commonly used in React component libraries via CSS class utilities; stable false positive.	ai	2026/05/04