@plone/mockup — Greenflagged

A collection of client side patterns for faster and easier web development

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

agitatortimostollenwerkramonnbebrehaultrobgietemasneridaghmauritsvanreesericofthetpetschkimrtangodavisaglipieronicolli

Keywords

mockuppatternslibplone

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:slides	AI (phantom-deps): Used in webpack config for bundling, not directly imported in JS source.	ai	2026/06/09
npm-metadata	url-dep:slides	AI (npm-metadata): Points to Patternslib org repo, same ecosystem as this package; not a suspicious third-party URL.	ai	2026/06/09
npm-metadata	url-dep:slick-carousel	AI (npm-metadata): SHA-pinned to a specific upstream commit for reproducibility; consistent with Plone/Patternslib ecosystem practice.	ai	2026/06/09
phantom-deps	phantom-dep:slick-carousel	AI (phantom-deps): Used in webpack config for bundling, not directly imported in JS source.	ai	2026/06/09
dependencies	unvetted-dep:select2	AI (dependencies): Git-pinned select2 at a specific tag; stable known dependency for this package.	ai	2026/05/22
dependencies	unvetted-dep:dropzone	AI (dependencies): dropzone 5.9.3 is a well-known file upload library; stable dependency for this package.	ai	2026/05/22
phantom-deps	phantom-dep:@11ty/eleventy-upgrade-help	AI (phantom-deps): Config-file reference only; stable false positive for this package.	ai	2026/05/20
phantom-deps	phantom-dep:tinymce-i18n	AI (phantom-deps): Referenced in config files as documented; stable false positive for this package.	ai	2026/05/20
phantom-deps	phantom-dep:jquery.browser	AI (phantom-deps): Config-file reference only; stable false positive for this package.	ai	2026/05/20
phantom-deps	phantom-dep:bootstrap-icons	AI (phantom-deps): Config-file reference only; stable false positive for this package.	ai	2026/05/20
phantom-deps	phantom-dep:cs-jqtree-contextmenu	AI (phantom-deps): Config-file reference only; stable false positive for this package.	ai	2026/05/20
source-diff	net-exec-file:dist/chunks/32041.18093f6262e2f58cd66d.min.js	AI (source-diff): Webpack chunk for pat-code-editor; dynamic imports are lazy-load patterns for highlight.js languages, not dropper behavior.	ai	2026/05/20
install-scripts	install-script:postinstall	AI (install-scripts): Applies a local patch file to select2; no network fetch, no arbitrary code execution — stable pattern for this package.	ai	2026/05/04
npm-metadata	url-dep:select2	AI (npm-metadata): Pinned to a specific commit hash on the official ivaynberg/select2 repo; documented in package.json comments as intentional pnpm workaround.	ai	2026/05/04

Versions (showing 7 of 7)

Version	Deps	Published
5.6.6	36 / 15	2026-06-08
5.6.5	36 / 15	2026-06-08
5.6.4	34 / 15	2026-05-18
5.6.3	34 / 15	2026-05-05
5.6.2	34 / 15	2026-04-30
5.4.9	34 / 15	2026-05-21
5.4.8	34 / 15	2026-05-21

v5.6.6

2 findings

HIGH SHA-pinned github dependency: slick-carousel npm-metadata

Dependency 'slick-carousel' in `dependencies` points to 'git+https://github.com/kenwheeler/slick.git#d0716f19aa730006ee80ab026625fb1107816a97' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.