@coursebuilder/ui
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@radix-ui/react-icons | AI (phantom-deps): UI component library; peer/transitive deps declared but not directly imported is expected for this package type. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-compose-refs | AI (phantom-deps): Radix internal dep used by convention; stable FP for this UI lib. | ai | |
| phantom-deps | phantom-dep:@codemirror/lang-javascript | AI (phantom-deps): CodeMirror language extension loaded by config; stable FP for this UI lib. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-collection | AI (phantom-deps): Radix internal dep used by convention; stable FP for this UI lib. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-context | AI (phantom-deps): Radix internal dep used by convention; stable FP for this UI lib. | ai | |
| phantom-deps | phantom-dep:@codemirror/language | AI (phantom-deps): CodeMirror extension loaded by convention/config; stable FP for this UI lib. | ai | |
| phantom-deps | phantom-dep:@codemirror/commands | AI (phantom-deps): CodeMirror extension loaded by convention/config; stable FP for this UI lib. | ai | |
| phantom-deps | phantom-dep:@types/md5 | AI (phantom-deps): Type-only package for md5 which is a direct dep; phantom detection is a false positive here. | ai | |
| phantom-deps | phantom-dep:@codemirror/search | AI (phantom-deps): CodeMirror extension loaded by convention/config, not direct import; stable FP for this UI lib. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Scoped monorepo UI package; missing metadata is typical for internal/monorepo packages, not a spam indicator. | ai | |
| dependencies | unvetted-dep:y-codemirror.jh | AI (dependencies): Personal fork of y-codemirror by the same author (joelhooks/joel); consistent with collaborative editor use case in this package. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Monorepo scoped package; missing description is cosmetic, not a risk signal. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped package @coursebuilder/ui cannot typosquat pg; edit-distance match is spurious. | ai | |
| phantom-deps | phantom-dep:y-prosemirror | AI (phantom-deps): Collaborative editing dep; referenced transitively, stable false positive. | ai | |
| phantom-deps | phantom-dep:y-protocols | AI (phantom-deps): Collaborative editing dep; referenced transitively, stable false positive. | ai | |
| phantom-deps | phantom-dep:react-wrap-balancer | AI (phantom-deps): UI library pattern; referenced in config, stable false positive. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): Peer-style dep in UI library; not directly imported but legitimately declared. | ai | |
| phantom-deps | phantom-dep:date-fns | AI (phantom-deps): UI component library; deps used transitively or in config files is expected pattern. | ai | |
| typosquat | typosquat.levenshtein:yup | AI (typosquat): Scoped package @coursebuilder/ui cannot typosquat yup; edit-distance match is spurious. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package @coursebuilder/ui cannot typosquat joi; edit-distance match is spurious. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): Scoped package @coursebuilder/ui cannot typosquat qs; edit-distance match is spurious. | ai | |
| typosquat | typosquat.levenshtein:uuid | AI (typosquat): Scoped package @coursebuilder/ui cannot typosquat uuid; edit-distance match is spurious. | ai | |
Versions (showing 4 of 4)
| Version | Deps | Published |
|---|---|---|
| 2.0.12 | 68 / 5 | |
| 2.0.10 | 68 / 5 | |
| 2.0.7 | 66 / 3 | |
| 2.0.6 | 65 / 3 | |
v2.0.12
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.10
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.7
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.6
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.