@radix-ui/react-compose-refs MIT 11 versions

@radix-ui/react-compose-refs

npm Repository Homepage

Versions

MIT

License

Install Scripts

Missing

Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

benoitgrelardstephenhaneyandy-hookhadihallakchancestricklandmark-workos

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
bogus-package	bogus-package	AI (bogus-package): Radix UI packages legitimately lack descriptions/keywords in early versions; spam publisher flag is a false positive for benoitgrelard who is a known Radix UI maintainer with 151 approved packages.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): vladmoroz is a known Radix UI team member with 10 approved packages; this is a legitimate internal maintainer transition within the radix-ui org.	ai	2026/04/22
npm-metadata	no-description	AI (npm-metadata): Radix UI scoped packages consistently omit descriptions; not a malware signal for this well-established library.	ai	2026/04/22

Versions (showing 11 of 11)

Version	Deps	Published
1.1.2	0 / 8	2025-04-08
1.1.1	0 / 0	2024-12-13
1.1.0	0 / 0	2024-06-19
1.0.1	1 / 0	2023-05-26
1.0.0	1 / 0	2022-07-20
0.1.0	1 / 0	2021-09-07
0.0.5	1 / 0	2021-03-26
0.0.4	1 / 0	2021-03-24
0.0.3	1 / 0	2021-03-24
0.0.2	1 / 0	2021-03-23
0.0.1	0 / 0	2021-03-03