@elhub/ds-components

Elhub design system components

3 versions · MIT license · No install scripts · Verified provenance

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- gitHead linked

Maintainers

paloskarssandoy-elhub

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
provenance | publisher-changed | AI (provenance): Package migrated to GitHub Actions CI/CD publishing with SLSA attestation; consistent with org automation. | ai |
maintainer-change | maintainer-added | AI (maintainer-change): ssandoy-elhub is an elhub org member; addition aligns with org-managed package. | ai |
phantom-deps | phantom-dep:react-popper | AI (phantom-deps): Declared runtime dep, likely used in bundled output; false positive for this component library. | ai |
phantom-deps | phantom-dep:react-merge-refs | AI (phantom-deps): Declared runtime dep, likely used in bundled output; false positive for this component library. | ai |
phantom-deps | phantom-dep:clsx | AI (phantom-deps): Declared runtime dep, likely used in bundled output; false positive for this component library. | ai |
phantom-deps | phantom-dep:@floating-ui/react-dom | AI (phantom-deps): Declared runtime dep, likely used in bundled output; false positive for this component library. | ai |
phantom-deps | phantom-dep:@radix-ui/react-toggle-group | AI (phantom-deps): Declared runtime dep, likely used in bundled output; false positive for this component library. | ai |
phantom-deps | phantom-dep:@radix-ui/react-tabs | AI (phantom-deps): Declared runtime dep, likely used in bundled output; false positive for this component library. | ai |
phantom-deps | phantom-dep:date-fns | AI (phantom-deps): Declared runtime dep, likely used in bundled output; false positive for this component library. | ai |

Versions (showing 3 of 3)

Version | Deps | Published
4.13.4 | 14 / 5 |
4.13.3 | 14 / 5 |
4.13.2 | 14 / 5 |

v4.13.4

2 findings
HIGH [provenance] Publisher changed: paloskar → GitHub Actions (on 2026-05-06)

This version was published by a different npm account than previous versions on 2026-05-06. This could indicate a legitimate maintainer transition or an account compromise.

INFO [provenance] Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.13.3

2 findings
HIGH [provenance] Publisher changed: paloskar → GitHub Actions (on 2026-05-06)

This version was published by a different npm account than previous versions on 2026-05-06. This could indicate a legitimate maintainer transition or an account compromise.

INFO [provenance] Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.13.2

1 finding
LOW [provenance] No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.