@node-core/ui-components
This package comprises UI components for use on the Node.js website, in the documentation, and in other parts of the project.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:Icons/PartnerLogos/MacStadium/Logo.js | AI (source-diff): Long lines are inline SVG path data in a React component, not obfuscated code. Stable pattern for partner logo files. | ai | |
| source-diff | obfuscated-file:dist/Icons/InstallationMethod/FNM.js | AI (source-diff): Compiled React SVG icon component; long lines are SVG path data, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/Icons/PartnerLogos/OpenSSF/Favicon.js | AI (source-diff): Compiled React SVG icon component; long lines are SVG path data, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/Icons/PartnerLogos/DataDog/Favicon.js | AI (source-diff): Compiled React SVG icon component; long lines are SVG path data, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/Icons/PartnerLogos/Crowdin/Favicon.js | AI (source-diff): Compiled React SVG icon component; long lines are SVG path data, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/Icons/PartnerLogos/Vlt/Favicon.js | AI (source-diff): Compiled React SVG icon component; long lines are SVG path data, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/Icons/HexagonGrid.js | AI (source-diff): Compiled React SVG icon component; long lines are SVG path data, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/Icons/PartnerLogos/IBM/Favicon.js | AI (source-diff): Compiled React SVG icon component; long lines are SVG path data, not obfuscation. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): SLSA provenance via GitHub Actions CI/CD confirms legitimate Node.js org publish pipeline; dormancy gap is not indicative of takeover here. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Scoped org package from nodejs/nodejs.org monorepo; missing description is cosmetic, not a risk signal here. | ai | |
| dependencies | unvetted-dep:@radix-ui/react-avatar | AI (dependencies): Radix UI primitive; widely used, consistent with UI component library. | ai | |
| dependencies | unvetted-dep:@orama/ui | AI (dependencies): Legitimate search UI library used in nodejs.org; consistent with package purpose. | ai | |
| dependencies | unvetted-dep:@orama/core | AI (dependencies): Orama search engine core; well-known library, consistent with package purpose. | ai | |
| dependencies | unvetted-dep:@vcarl/remark-headings | AI (dependencies): Remark plugin by known Node.js contributor; consistent with nodejs.org docs tooling. | ai | |
| phantom-deps | phantom-dep:@vcarl/remark-headings | AI (phantom-deps): Config-file-only reference; stable false positive for this build tooling package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Internal Node.js org UI library; sparse README and no keywords are expected for a scoped internal package. | ai | |
| phantom-deps | phantom-dep:postcss-calc | AI (phantom-deps): PostCSS plugin used via config, not directly imported; stable false positive. | ai | |
| phantom-deps | phantom-dep:@types/react | AI (phantom-deps): Type-only package; framework-scoped, loaded by convention. | ai | |
| phantom-deps | phantom-dep:@orama/orama | AI (phantom-deps): Referenced in config/type context; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:tailwindcss | AI (phantom-deps): CSS framework used via PostCSS config, not directly imported; stable false positive. | ai | |
| phantom-deps | phantom-dep:typescript | AI (phantom-deps): Build-time type checker; config-only usage is expected for this UI component package. | ai | |
| phantom-deps | phantom-dep:postcss-cli | AI (phantom-deps): CLI tool invoked via npm scripts, not imported in source; stable false positive. | ai | |
| phantom-deps | phantom-dep:@tailwindcss/postcss | AI (phantom-deps): PostCSS plugin used via config, not directly imported; stable false positive. | ai | |
Versions (showing 22 of 22)
| Version | Deps | Published |
|---|---|---|
| 1.7.0 | 20 / 23 | |
| 1.6.3 | 20 / 21 | |
| 1.6.2 | 20 / 21 | |
| 1.6.1 | 20 / 21 | |
| 1.6.0 | 15 / 27 | |
| 1.5.10 | 15 / 0 | |
| 1.5.8 | 15 / 0 | |
| 1.5.7 | 15 / 0 | |
| 1.5.6 | 15 / 0 | |
| 1.5.5 | 15 / 0 | |
| 1.5.3 | 15 / 0 | |
| 1.5.2 | 15 / 0 | |
| 1.5.1 | 15 / 0 | |
| 1.5.0 | 15 / 0 | |
| 1.4.4 | 16 / 0 | |
| 1.4.3 | 16 / 0 | |
| 1.4.2 | 16 / 0 | |
| 1.4.1 | 16 / 0 | |
| 1.4.0 | 16 / 0 | |
| 1.3.0 | 15 / 0 | |
| 1.2.0 | 15 / 0 | |
| 1.1.0 | 15 / 0 | |
v1.7.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.0
8 findings:
7 × Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
1 × Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.5.10
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.5.8
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.5.7
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.5.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.5.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.5.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.5.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.5.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.5.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.4.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.4.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.4.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.4.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.4.0
2 findings:
1 × Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
1 × Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.3.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.2.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.