@elastic/eui
Elastic UI Component Library
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@types/refractor | AI (dependencies): Type-only package for refractor; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:remark-parse-no-trim | AI (dependencies): Known remark ecosystem package used for markdown parsing; stable for this package. | ai | |
| dependencies | unvetted-dep:@elastic/eui-theme-common | AI (dependencies): Elastic-owned sibling package in the EUI monorepo; stable for this package. | ai | |
| dependencies | unvetted-dep:@elastic/prismjs-esql | AI (dependencies): Elastic-owned syntax highlighting extension; stable for this package. | ai | |
| source-diff | obfuscated-file:es/components/context_menu/context_menu_panel_title.js | AI (source-diff): Babel-transpiled React component with readable code and Elastic copyright; long-line heuristic false positive on bundled output. | ai | |
| source-diff | obfuscated-file:lib/components/context_menu/context_menu_panel_title.js | AI (source-diff): Same as es/ variant — CJS Babel output, not obfuscated. | ai | |
| source-diff | obfuscated-file:test-env/components/context_menu/context_menu_panel_title.js | AI (source-diff): Same pattern — test-env Babel output, not obfuscated. | ai | |
| phantom-deps | phantom-dep:@types/refractor | AI (phantom-deps): @types/* packages are type-only; phantom-dep heuristic is a stable false positive here. | ai | |
| phantom-deps | phantom-dep:@types/lodash | AI (phantom-deps): @types/* packages are type-only and loaded by convention in TS projects; not an injection vector. | ai | |
| phantom-deps | phantom-dep:@types/numeral | AI (phantom-deps): @types/* packages are type-only; phantom-dep heuristic is a stable false positive here. | ai | |
| phantom-deps | phantom-dep:@types/react-window | AI (phantom-deps): @types/* packages are type-only; phantom-dep heuristic is a stable false positive here. | ai | |
| phantom-deps | phantom-dep:rehype-raw | AI (phantom-deps): Established Elastic UI library; rehype-raw is a legitimate markdown/HTML processing dep used in component internals. | ai | |
| typosquat | typosquat.levenshtein:yup | AI (typosquat): Scoped @elastic package; levenshtein match against 'yup' is a false positive. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped @elastic package; levenshtein match against 'joi' is a false positive. | ai | |
| typosquat | typosquat.levenshtein:uuid | AI (typosquat): Scoped @elastic package; levenshtein match against 'uuid' is a false positive. | ai | |
| phantom-deps | phantom-dep:react-element-to-jsx-string | AI (phantom-deps): Used in code display/playground components; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:rehype-stringify | AI (phantom-deps): Legitimate rehype pipeline dep in a large component library; analyzer likely misses indirect import paths. | ai | |
Versions (showing 7 of 7)
| Version | Deps | Published |
|---|---|---|
| 116.2.0 | 36 / 154 | |
| 116.1.0 | 36 / 155 | |
| 116.0.0 | 36 / 155 | |
| 115.0.0 | 36 / 155 | |
| 114.3.0 | 36 / 163 | |
| 114.2.0 | 36 / 163 | |
| 114.1.0 | 36 / 163 | |
v116.2.0
1 finding
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v116.1.0
1 finding
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v116.0.0
4 findings
- 3 × Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (Three files; the Accepted risks table above records three obfuscated-file entries for the es/, lib/ and test-env/ builds of context_menu_panel_title.js.)
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
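The long-line check above fires on any file with a line over 3000 characters, which is why Babel output trips it; the accepted-risk notes then clear the files by hand because the code is readable and carries a copyright header. The following is an added example of that triage as code (my own heuristics, not the scanner's rule set or EUI's code): it reproduces the long-line check, then looks for the signals a reviewer uses to tell bundler output from actual obfuscation. Both sample files are constructed, and the license header text is a placeholder.

```javascript
// Added example: triage for the "line over 3000 chars" heuristic.
const LONG_LINE = 3000;

// Fingerprints common obfuscators leave behind; bundler output has none of them.
// (My own list, not the scanner's.)
const OBFUSCATION_HINTS = [
  { name: 'hex-named identifiers', re: /\b_0x[0-9a-f]{3,}\b/ },
  { name: 'eval/Function on a string', re: /\b(?:eval|Function)\s*\(\s*['"`]/ },
  { name: 'long hex/unicode escape run', re: /(?:\\x[0-9a-f]{2}){8,}|(?:\\u[0-9a-f]{4}){8,}/i },
  { name: 'string decoder', re: /\batob\s*\(|String\.fromCharCode\s*\(\s*\.\.\./ },
];

// Number of lines exceeding the threshold (the scanner's raw signal).
function longLines(source) {
  return source.split('\n').filter((line) => line.length > LONG_LINE).length;
}

// A license/copyright block comment at the top of the file.
function hasLicenseHeader(source) {
  return /^\s*\/\*[\s\S]{0,400}?(?:Copyright|Licensed under|SPDX-License-Identifier)/i.test(source);
}

function obfuscationHints(source) {
  return OBFUSCATION_HINTS.filter(({ re }) => re.test(source)).map(({ name }) => name);
}

// verdict: 'clean' (no long lines), 'likely bundler output', or 'review manually'.
function triage(source) {
  const count = longLines(source);
  const hints = obfuscationHints(source);
  if (count === 0) return { longLines: count, hints, verdict: 'clean' };
  if (hints.length === 0 && hasLicenseHeader(source)) return { longLines: count, hints, verdict: 'likely bundler output' };
  return { longLines: count, hints, verdict: 'review manually' };
}

// --- constructed samples ---
// Readable transpiler output: a header comment followed by one very long line.
const sampleBabelOutput =
  '/*\n * Copyright (c) Example Corp. (constructed header)\n * Licensed under the Example License 2.0\n */\n' +
  '"use strict";' +
  Array.from({ length: 120 }, (_, i) => `exports.panelTitle${i}=function(props){return props.children;};`).join('') +
  '\n';

// Obfuscator-style output: hex identifiers, a string table of escape sequences, no header.
const sampleObfuscated =
  "var _0x4f2a=['\\x63\\x68\\x69\\x6c\\x64\\x72\\x65\\x6e','\\x70\\x72\\x6f\\x70\\x73'];" +
  Array.from({ length: 200 }, (_, i) => `function _0x${(0x1000 + i).toString(16)}(_0xa,_0xb){return _0xa[_0x4f2a[${i % 2}]];}`).join('') +
  '\n';
```

A "likely bundler output" verdict is a reason to skim the file rather than a reason to skip it: the check is only narrowing the review queue, and a diff of the file against the previous version (which is what the scanner's source-diff source does) is still the decisive step.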
v115.0.0
1 finding
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v114.3.0
4 findings
- 3 × Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
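The phantom-dependency finding above, and the @types/* rows it produced in the Accepted risks table, come down to one comparison: the packages named in package.json versus the packages any source file actually imports. The following is an added example of that comparison (not the scanner's or EUI's code) that also applies the carve-out the accepted-risk notes rely on: @types/* packages ship only declaration files, so the absence of a runtime import is expected. The package.json and source files are constructed; the `unused-helper` dependency is a placeholder name.

```javascript
// Added example: find dependencies declared in package.json that no source file imports.

// Constructed package.json (names chosen for illustration).
const samplePackageJson = {
  name: '@elastic/eui',
  dependencies: {
    'lodash': '^4.17.21',
    'rehype-raw': '^6.0.0',
    'unused-helper': '^1.0.0',   // constructed: declared but never imported below
    '@types/lodash': '^4.14.0',  // type-only; resolved by the TypeScript compiler, never at runtime
  },
};

// Constructed sources keyed by path.
const sampleSources = {
  'src/a.js': "import merge from 'lodash/merge';\nexport const x = merge({}, {});",
  'src/b.js': "const rehypeRaw = require('rehype-raw');\nmodule.exports = rehypeRaw;",
};

// Reduce an import specifier to the package it belongs to:
//   'lodash/merge' -> 'lodash', '@scope/pkg/sub' -> '@scope/pkg', './local' or 'node:fs' -> null
function packageOf(specifier) {
  if (specifier.startsWith('.') || specifier.startsWith('/') || specifier.startsWith('node:')) return null;
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Matches `from 'x'`, `require('x')`, `import('x')` and bare `import 'x'`.
const SPECIFIER_RE = /(?:\bfrom\s*|\brequire\s*\(\s*|\bimport\s*\(?\s*)['"]([^'"]+)['"]/g;

// Set of package names referenced anywhere in the sources.
function importedPackages(sources) {
  const found = new Set();
  for (const text of Object.values(sources)) {
    for (const match of text.matchAll(SPECIFIER_RE)) {
      const pkg = packageOf(match[1]);
      if (pkg) found.add(pkg);
    }
  }
  return found;
}

// Declared dependencies with no import. @types/* is skipped as described above;
// everything else that comes back deserves a look at why it is in package.json.
function phantomDependencies(pkgJson, sources) {
  const used = importedPackages(sources);
  return Object.keys(pkgJson.dependencies || {})
    .filter((name) => !name.startsWith('@types/'))
    .filter((name) => !used.has(name));
}
```

What makes a phantom dependency dangerous is code that runs without being imported, which for npm means install scripts. Installing with `npm ci --ignore-scripts` removes that path while you investigate, and `npm query ":attr(scripts, [postinstall])"` lists the installed packages that declare a postinstall script, which is the shortlist worth reading first.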
v114.2.0
1 finding
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v114.1.0
1 finding
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.