@rio-cloud/rio-uikit
The RIO UIKIT component library
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@rio-cloud/react-datetime | AI (dependencies): Scoped fork under the same @rio-cloud org that publishes this package; intentional internal replacement for react-datetime. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Long-lived legitimate package with 167 versions; publisher has prior approvals; no other compromise indicators. | ai | |
| dependencies | unvetted-dep:iframe-resizer-react | AI (dependencies): Pinned to 1.1.0 with an explicit iframe-resizer override; stable dependency pattern for this UI kit. | ai | |
| phantom-deps | phantom-dep:react-shadow-root | AI (phantom-deps): react-shadow-root is a declared runtime dep used in config/build; phantom-dep heuristic fires on indirect usage patterns common in UI kit packages. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Established 166-version corporate UI library; README link dump signal is a false positive for component library documentation style. | ai | |
| provenance | no-provenance | AI (provenance): Established corporate UI library; absence of Sigstore provenance is not a meaningful risk signal here. | ai | |
| npm-metadata | url-dep:react-datetime | AI (npm-metadata): Intentional internal fork pinned to a specific tag; stable pattern for this org's packages. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a known implicit runtime dependency for TypeScript-compiled packages; stable false positive. | ai | |
| phantom-deps | phantom-dep:events | AI (phantom-deps): events is a Node.js polyfill listed as a dependency; phantom-dep false positive for this package. | ai | |
| phantom-deps | phantom-dep:react-notifications | AI (phantom-deps): react-notifications is a declared runtime dep; phantom-dep fires due to config-only reference, stable false positive. | ai | |
Versions (showing 10 of 10)
| Version | Deps | Published |
|---|---|---|
| 2.4.2 | 31 / 39 | |
| 2.4.1 | 31 / 39 | |
| 2.4.0 | 31 / 39 | |
| 2.3.0 | 31 / 39 | |
| 2.2.1 | 31 / 40 | |
| 2.2.0 | 31 / 40 | |
| 2.1.0 | 32 / 40 | |
| 2.0.1 | 33 / 41 | |
| 2.0.0 | 33 / 41 | |
| 1.13.2 | 31 / 39 | |
v2.4.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.2.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.2.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.13.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.