
@radix-ui/react-use-size

Versions: 12
License: MIT
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance; npm registry signatures; gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

benoitgrelard, stephenhaney, andy-hook, hadihallak, chancestrickland, mark-workos

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
maintainer-change | maintainer-removed | AI (maintainer-change): jjenzz and benoitgrelard are both Radix UI core contributors; the 2022 team transition is well-documented and consistent across the entire @radix-ui namespace. | ai |
phantom-deps | phantom-dep:@babel/runtime | AI (phantom-deps): @babel/runtime is a standard build-time transpilation artifact used across all @radix-ui packages; loaded by convention, not a suspicious import. | ai |
publish-pattern | new-deps-added | AI (publish-pattern): @radix-ui/react-use-layout-effect is a first-party Radix UI package; adding it is an internal refactor, not a supply-chain risk. | ai |
provenance | publisher-changed | AI (provenance): vladmoroz is a known Radix UI core maintainer; publisher transitions within the Radix UI team are routine and not indicative of compromise. | ai |
provenance | no-provenance | AI (provenance): Radix UI primitives do not currently publish Sigstore provenance; absence is consistent across the entire package family and not a risk indicator. | ai |
bogus-package | bogus-package | AI (bogus-package): Radix UI sub-packages structurally omit descriptions and keywords; the spam-publisher flag covers the entire Radix UI team and is a false positive for this well-established library. | ai |
npm-metadata | no-description | AI (npm-metadata): Radix UI primitive sub-packages consistently omit descriptions; this is a monorepo convention, not a malicious signal. | ai |

Versions (showing 12 of 12)

Version | Deps | Published
1.1.1 | 1 / 9 |
1.1.0 | 1 / 1 |
1.0.1 | 2 / 1 |
1.0.0 | 2 / 1 |
0.1.1 | 1 / 1 |
0.1.0 | 1 / 1 |
0.0.6 | 1 / 1 |
0.0.5 | 1 / 1 |
0.0.4 | 1 / 1 |
0.0.3 | 1 / 1 |
0.0.2 | 1 / 1 |
0.0.1 | 0 / 1 |

v1.1.0

2 findings
HIGH [provenance] Publisher changed: benoitgrelard → vladmoroz (on 2024-06-19)

This version was published by a different npm account than previous versions on 2024-06-19. This could indicate a legitimate maintainer transition or an account compromise.

LOW [provenance] No provenance attestation

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.1

2 findings
INFO [provenance] No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO [provenance] Publisher changed: jjenzz → benoitgrelard (on 2023-05-26)

[Accepted risk] This version was published by a different npm account than previous versions on 2023-05-26. This could indicate a legitimate maintainer transition or an account compromise.

v1.0.0

2 findings
INFO [provenance] No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO [provenance] Publisher changed: jjenzz → benoitgrelard (on 2022-07-20)

[Accepted risk] This version was published by a different npm account than previous versions on 2022-07-20. This could indicate a legitimate maintainer transition or an account compromise.

v0.1.1

2 findings
INFO [provenance] No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO [provenance] Publisher changed: benoitgrelard → jjenzz (on 2022-02-24)

[Accepted risk] This version was published by a different npm account than previous versions on 2022-02-24. This could indicate a legitimate maintainer transition or an account compromise.

v0.1.0

1 finding
INFO [provenance] No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.6

1 finding
INFO [provenance] No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.5

2 findings
INFO [provenance] No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO [provenance] Publisher changed: jjenzz → benoitgrelard (on 2021-03-26)

[Accepted risk] This version was published by a different npm account than previous versions on 2021-03-26. This could indicate a legitimate maintainer transition or an account compromise.

v0.0.4

2 findings
INFO [provenance] No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO [provenance] Publisher changed: benoitgrelard → jjenzz (on 2021-03-24)

[Accepted risk] This version was published by a different npm account than previous versions on 2021-03-24. This could indicate a legitimate maintainer transition or an account compromise.

v0.0.3

1 finding
INFO [provenance] No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.2

1 finding
INFO [provenance] No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1

1 finding
INFO [provenance] No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.