@gooddata/sdk-ui-gen-ai

GoodData GenAI SDK

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

rodri360jaceksanivan.mjartanlupkotomas.kratochvilstanislavhackervojtasiipbenesgooddata-cinikolacechpetrjanuhung.caoxmortbich.nguyenno23reasonmatyas.kandltu.buimy.duonghang.ngoscavnickyjthao-luongthuong.nguyenhuyen.nguyennestor_encinastmuchkagdjanphong.nguyentuan.tran_gdmkoldusmartin.milickapjiranekmartozardavid.zoufalyvasek.zmrhallucy.doanhkad98hoaimylukas.therondrejvelisekgdamilietaandrenanninga-gooddatadusan-kovacik-profiqkhuongnguyenmatej.pavlikjenny_gooddataarmhajbertold8jyn.nguyenmara3londrej.macapetr.veprekjan.tychtl.gooddatatimurmuhjkbmmilan.dufekmaitrieuphilongjkbm_gdzdenekornstjiri.starobahenry.nguyen.gooddataadam.prchalfrankhuynhmacekondmartinnajpeter.kozasandrasuspjarjan.svager.gooddataminh.ho.gooddatamaiphuong.buijakubz_goodpavelcernymvarhalikhankadev

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	no-provenance	AI (provenance): GoodData CI pipeline; no provenance is consistent across their large package portfolio.	ai	2026/05/21
email-domain	unclaimed-email:rodri360.com	AI (email-domain): Publishing account is gooddata-ci with strong track record; stale maintainer email field does not affect publish trust for this org package.	ai	2026/05/21
phantom-deps	phantom-dep:@codemirror/language	AI (phantom-deps): Referenced in config files for CodeMirror integration; stable false positive.	ai	2026/05/17
phantom-deps	phantom-dep:react-textarea-autosize	AI (phantom-deps): Referenced in config files; stable false positive for this package.	ai	2026/05/17
phantom-deps	phantom-dep:@types/mdast	AI (phantom-deps): Type-only dep for remark/mdast pipeline; stable false positive.	ai	2026/05/17
phantom-deps	phantom-dep:@gooddata/api-client-tiger	AI (phantom-deps): Same-org monorepo dep; stable false positive.	ai	2026/05/17
phantom-deps	phantom-dep:@gooddata/sdk-ui-filters	AI (phantom-deps): Same-org monorepo dep; stable false positive.	ai	2026/05/17
phantom-deps	phantom-dep:@types/unist	AI (phantom-deps): Type-only dep for unist AST types; stable false positive.	ai	2026/05/17
dependencies	unvetted-dep:@gooddata/sdk-ui-theme-provider	AI (dependencies): Same-org monorepo sibling pinned to matching version.	ai	2026/05/17
dependencies	unvetted-dep:@gooddata/sdk-ui-semantic-search	AI (dependencies): Same-org monorepo sibling pinned to matching version.	ai	2026/05/17
dependencies	unvetted-dep:@gooddata/sdk-model	AI (dependencies): Same-org monorepo sibling pinned to matching version; expected pattern for GoodData SDK releases.	ai	2026/05/17
phantom-deps	phantom-dep:reselect	AI (phantom-deps): Used transitively via @reduxjs/toolkit; common false positive.	ai	2026/05/17
phantom-deps	phantom-dep:tslib	AI (phantom-deps): Known implicit TypeScript runtime dep; stable false positive.	ai	2026/05/17
phantom-deps	phantom-dep:immer	AI (phantom-deps): Used transitively via @reduxjs/toolkit; common false positive for this dep pattern.	ai	2026/05/17
dependencies	unvetted-dep:@gooddata/sdk-ui-kit	AI (dependencies): Same-org monorepo sibling pinned to matching version.	ai	2026/05/17
dependencies	unvetted-dep:@gooddata/sdk-ui-pivot	AI (dependencies): Same-org monorepo sibling pinned to matching version.	ai	2026/05/17
dependencies	unvetted-dep:@gooddata/sdk-ui-charts	AI (dependencies): Same-org monorepo sibling pinned to matching version.	ai	2026/05/17
dependencies	unvetted-dep:@gooddata/sdk-ui-filters	AI (dependencies): Same-org monorepo sibling pinned to matching version.	ai	2026/05/17
dependencies	unvetted-dep:@gooddata/api-client-tiger	AI (dependencies): Same-org monorepo sibling pinned to matching version.	ai	2026/05/17
dependencies	unvetted-dep:@gooddata/sdk-ui-dashboard	AI (dependencies): Same-org monorepo sibling pinned to matching version.	ai	2026/05/17
dependencies	unvetted-dep:@gooddata/sdk-code-convertors	AI (dependencies): Same-org monorepo sibling pinned to matching version.	ai	2026/05/17

Versions (showing 41 of 41)

Version	Deps	Published
11.41.0	35 / 47	2026-06-11
11.40.0	35 / 47	2026-06-04
11.39.0	35 / 47	2026-05-28
11.38.0	35 / 47	2026-05-25
11.37.0	35 / 47	2026-05-25
11.36.0	35 / 47	2026-05-21
11.35.0	35 / 47	2026-05-14
11.34.0	35 / 47	2026-05-07
11.33.0	35 / 47	2026-05-07
11.32.0	35 / 47	2026-04-30
11.31.0	35 / 47	2026-04-23
11.30.0	35 / 47	2026-04-16
11.29.0	35 / 47	2026-04-10
11.28.0	36 / 47	2026-04-02
11.27.0	35 / 47	2026-03-26
11.24.0	35 / 47	2026-03-05
11.23.0	35 / 47	2026-02-26
11.22.0	35 / 47	2026-02-19
11.21.0	35 / 47	2026-02-12
11.20.0	35 / 47	2026-02-12
11.19.0	35 / 46	2026-02-06
11.18.0	35 / 47	2026-01-29
11.17.0	35 / 45	2026-01-22
11.16.0	33 / 45	2026-01-15
11.15.0	33 / 45	2026-01-08
11.14.0	33 / 45	2025-12-18
11.13.0	33 / 45	2025-12-11
11.12.0	32 / 44	2025-12-04
11.11.0	32 / 44	2025-11-27
11.10.0	31 / 44	2025-11-20
11.9.0	31 / 44	2025-11-13
11.8.0	31 / 44	2025-11-06
11.7.1	29 / 44	2025-11-03
11.7.0	29 / 44	2025-10-30
11.6.0	29 / 44	2025-10-23
11.5.0	29 / 44	2025-10-17
11.4.0	29 / 44	2025-10-10
11.3.0	29 / 45	2025-10-08
11.2.0	29 / 45	2025-10-02
11.1.0	29 / 45	2025-09-25
11.0.0	29 / 45	2025-09-22

v11.41.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v11.40.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v11.39.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v11.38.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v11.37.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v11.36.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v11.35.0

2 findings

HIGH Unclaimed maintainer email domain: rodri360.com email-domain

Maintainer email '[email protected]' uses domain 'rodri360.com' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.