@ngrok/mantle
mantle is ngrok's UI library and design system.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/theme-provider-CtpgDac5.js | AI (source-diff): Standard minified Vite bundle output; theme provider with font preloading from assets.ngrok.com, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/theme-provider-CbzLgte1.js | AI (source-diff): Standard minified ESM build output; no obfuscation, just bundler minification. | ai | |
| source-diff | obfuscated-file:dist/table-DDeUXBex.js | AI (source-diff): Standard minified Vite bundle output for table component; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/dropdown-menu-Bfi9ODPB.js | AI (source-diff): Standard minified ESM build output for a UI component library; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/select-BPzMl3gm.js | AI (source-diff): Standard minified ESM build output for a UI component library; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/table-BMGcRJlk.js | AI (source-diff): Standard minified ESM build output for a UI component library; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/select-B7orOUPj.js | AI (source-diff): Standard Vite/Rollup minified chunk; content is readable React/Radix UI component code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/table-Cl4nlRMR.js | AI (source-diff): Standard minified ESM bundle output for a UI library; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/select-DOgdZO0Q.js | AI (source-diff): Standard minified ESM bundle output for a UI library; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/dropdown-menu-Ducs2SEn.js | AI (source-diff): Standard minified ESM bundle output for a UI library; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/resolve-pre-rendered-props--3gLTSwE.js | AI (source-diff): Standard minified Vite/tsdown build output for a React UI library; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/table-CX43SNek.js | AI (source-diff): Standard Vite chunk-hashed bundle; minified React component code, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/select-CGhC72YN.js | AI (source-diff): Standard Vite chunk-hashed bundle; minified React component code, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/dropdown-menu-CY_cVo4q.js | AI (source-diff): Standard Vite chunk-hashed bundle; minified React component code, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/button-GokecthL.js | AI (source-diff): Standard minified ESM build output for a UI component library; content is readable React/Tailwind, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/toast-CGnquSKO.js | AI (source-diff): Standard minified ESM build output; imports sonner as expected. | ai | |
| source-diff | obfuscated-file:dist/table-12T25gGa.js | AI (source-diff): Standard minified ESM build output for table component; no suspicious patterns. | ai | |
| source-diff | obfuscated-file:dist/select-LJmfG--I.js | AI (source-diff): Standard minified ESM build output; imports @radix-ui/react-select as expected. | ai | |
| source-diff | obfuscated-file:dist/dropdown-menu-Ff97BIJe.js | AI (source-diff): Standard minified ESM build output; imports @radix-ui/react-dropdown-menu as expected. | ai | |
| source-diff | obfuscated-file:dist/dropdown-menu-CUwyTKyu.js | AI (source-diff): Standard Vite minified ESM bundle; readable Radix UI component code. | ai | |
| source-diff | obfuscated-file:dist/theme-provider-BFcnjeME.js | AI (source-diff): Standard Vite minified ESM bundle; readable theme provider component code. | ai | |
| source-diff | obfuscated-file:dist/select-BXBu1jP_.js | AI (source-diff): Standard Vite minified ESM bundle; readable Radix UI select component. | ai | |
| source-diff | obfuscated-file:dist/button-CdPMhyKg.js | AI (source-diff): Standard Vite minified ESM bundle for a React UI library; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/button-BKykcpgJ.js | AI (source-diff): Standard build output for a UI component library; minified dist files are expected and readable as React component code. | ai | |
| source-diff | obfuscated-file:dist/theme-provider-8xCwja4v.js | AI (source-diff): Standard minified Vite/tsdown build output; content is readable theme provider logic. | ai | |
| provenance | publisher-changed | AI (provenance): ngrok migrated CI publishing from eng-npm-bot to GitHub Actions; SLSA provenance confirms legitimate CI/CD pipeline. | ai | |
| source-diff | obfuscated-file:dist/table-eyoUW2Uv.js | AI (source-diff): Standard minified ESM bundle output from tsdown build; readable React component code. | ai | |
| source-diff | obfuscated-file:dist/button-uMIZVKit.js | AI (source-diff): Standard minified ESM bundle output from tsdown build; readable React component code. | ai | |
| source-diff | obfuscated-file:dist/dropdown-menu-C3YZJBkV.js | AI (source-diff): Standard minified ESM bundle output from tsdown build; readable React component code. | ai | |
| source-diff | obfuscated-file:dist/resolve-pre-rendered-props-C-vrNxH1.js | AI (source-diff): Standard minified ESM bundle output from tsdown build; readable React component code. | ai | |
| source-diff | obfuscated-file:dist/select-Cxc9VmP8.js | AI (source-diff): Standard minified ESM bundle output from tsdown build; readable React component code. | ai | |
| source-diff | obfuscated-file:dist/theme-provider-MMwxHEfw.js | AI (source-diff): Standard minified ESM bundle output from tsdown build; readable React component code. | ai | |
| source-diff | obfuscated-file:dist/toast-CR3MVChj.js | AI (source-diff): Standard minified ESM bundle output from tsdown build; readable React component code. | ai | |
| source-diff | obfuscated-file:dist/theme-provider-BSBeZ2wW.js | AI (source-diff): Standard minified ESM bundle output; content is readable theme-provider component code. | ai | |
| source-diff | obfuscated-file:dist/auto-scroll-to-hash.js | AI (source-diff): Standard tsup minified ESM bundle for a UI library; new component export with matching source map and package.json entry. | ai | |
| source-diff | obfuscated-file:dist/multi-select.js | AI (source-diff): Standard Vite/tsdown minified ESM chunk; content is readable React component code. | ai | |
| source-diff | obfuscated-file:dist/dropdown-menu-CjOaj-Ap.js | AI (source-diff): Standard Vite/tsdown minified ESM chunk; content is readable React component code. | ai | |
| source-diff | obfuscated-file:dist/theme-provider-C8F5nFrJ.js | AI (source-diff): Standard Vite/tsdown minified ESM chunk; content is readable React component code. | ai | |
| source-diff | obfuscated-file:dist/button-CRRPesae.js | AI (source-diff): Standard Vite/tsdown minified ESM chunk; content is readable React component code, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/select-DZ2ztBkI.js | AI (source-diff): Standard Vite/tsdown minified ESM chunk; content is readable React component code. | ai | |
| source-diff | obfuscated-file:dist/command.js | AI (source-diff): Minified tsup build output; readable React component code visible in sample, not obfuscation. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Large file count reflects build artifact chunking for a UI library with many components; expected pattern. | ai | |
| source-diff | obfuscated-file:dist/table-CHd39aT-.js | AI (source-diff): Standard minified ESM bundle output from tsdown build tool; readable React component code, not obfuscated. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): 316 versions in registry; active package with SLSA provenance. Dormancy signal is unreliable for this package. | ai | |
| source-diff | obfuscated-file:dist/select-BBB_e15a.js | AI (source-diff): Standard minified ESM bundle output from tsdown build tool; readable React component code, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/resolve-pre-rendered-props-BfWe69-w.js | AI (source-diff): Standard minified ESM bundle output from tsdown build tool; readable utility code, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/field.js | AI (source-diff): Standard minified ESM bundle output from tsdown build tool; readable React component code, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/dropdown-menu-DY4w933w.js | AI (source-diff): Standard minified ESM bundle output from tsdown build tool; readable React component code, not obfuscated. | ai | |
| phantom-deps | phantom-dep:prismjs | AI (phantom-deps): prismjs is a legitimate declared dep used via config; phantom-dep heuristic fires on config-only references in this UI library. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-slot | AI (phantom-deps): Radix UI slot is a legitimate declared dep; phantom-dep fires on config-only references in this UI library. | ai | |
| dependencies | unvetted-dep:@radix-ui/react-hover-card | AI (dependencies): Radix UI primitive; consistent with all other @radix-ui/* deps already used by this package. | ai | |
| phantom-deps | phantom-dep:tw-animate-css | AI (phantom-deps): CSS animation utility used in config context; phantom-dep false positive for this package. | ai | |
| phantom-deps | phantom-dep:tailwind-merge | AI (phantom-deps): Used in CSS/config context, not direct JS import; stable pattern for this UI library. | ai | |
| phantom-deps | phantom-dep:tiny-invariant | AI (phantom-deps): Referenced in config files; not a direct JS import but legitimately used by this package. | ai | |
| phantom-deps | phantom-dep:@uidotdev/usehooks | AI (phantom-deps): Hooks library referenced in config files; stable false positive for this UI library. | ai |
Versions (showing 25 of 129)
| Version | Deps | Published |
|---|---|---|
| 0.51.0 | 23 / 18 | |
| 0.50.4 | 23 / 18 | |
| 0.50.3 | 23 / 18 | |
| 0.50.2 | 23 / 18 | |
| 0.50.1 | 23 / 18 | |
| 0.50.0 | 23 / 19 | |
| 0.40.1 | 23 / 20 | |
| 0.40.0 | 23 / 21 | |
| 0.32.3 | 23 / 21 | |
| 0.32.2 | 23 / 21 | |
| 0.32.1 | 23 / 21 | |
| 0.32.0 | 23 / 21 | |
| 0.31.6 | 22 / 21 | |
| 0.31.5 | 22 / 22 | |
| 0.31.4 | 22 / 22 | |
| 0.31.3 | 22 / 22 | |
| 0.31.2 | 22 / 22 | |
| 0.31.1 | 22 / 22 | |
| 0.31.0 | 22 / 22 | |
| 0.30.0 | 22 / 22 | |
| 0.29.0 | 22 / 22 | |
| 0.28.1 | 22 / 22 | |
| 0.28.0 | 22 / 22 | |
| 0.27.4 | 22 / 22 | |
| 0.27.3 | 22 / 22 |
v0.51.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.50.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.50.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.50.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.50.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.50.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.40.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.40.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.32.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.32.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.32.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.32.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.30.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.29.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.27.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.27.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.