@storybook/addon-docs
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/mdx-loader.mjs | AI (source-diff): Bundled MDX loader with inlined micromark HTML entities; standard build output for this package. | ai | |
| source-diff | obfuscated-file:dist/_node-chunks/rehype-slug-DHKQA5WB.js | AI (source-diff): esbuild bundle output with CJS compat banner; long regex line from github-slugger triggers false positive. | ai | |
| source-diff | obfuscated-file:dist/_node-chunks/rehype-slug-XVFMD3TD.js | AI (source-diff): esbuild bundle output with CJS compat banner and inlined unicode regex from github-slugger; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/_node-chunks/rehype-slug-4XSJZOLT.js | AI (source-diff): esbuild-bundled output with inlined unicode regex from github-slugger; standard for this package. | ai | |
| source-diff | obfuscated-file:dist/_node-chunks/rehype-slug-3FMIO2AU.js | AI (source-diff): esbuild bundle output with CJS compat banner; long lines from inlined Unicode regex, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/_node-chunks/rehype-slug-TQBSQBRQ.js | AI (source-diff): esbuild-bundled chunk with long Unicode regex from github-slugger; standard Storybook build output. | ai | |
| source-diff | obfuscated-file:dist/_node-chunks/rehype-slug-ZFPIR3L6.js | AI (source-diff): esbuild-bundled CJS compat output for rehype-slug; standard Storybook build artifact. | ai | |
| source-diff | obfuscated-file:dist/_node-chunks/rehype-slug-SPX3TUGT.js | AI (source-diff): esbuild bundle output with CJS compat shim and unicode regex from github-slugger; not obfuscation. | ai | |
| phantom-deps | phantom-dep:@storybook/preview-api | AI (phantom-deps): Same-org peer dep re-exported or used transitively; stable pattern for @storybook packages. | ai | |
| phantom-deps | phantom-dep:@storybook/components | AI (phantom-deps): Same-org peer dep re-exported or used transitively; stable pattern for @storybook packages. | ai | |
| phantom-deps | phantom-dep:@storybook/theming | AI (phantom-deps): Same-org peer dep re-exported or used transitively; stable pattern for @storybook packages. | ai | |
| source-diff | obfuscated-file:dist/_node-chunks/rehype-slug-7IJLGGAJ.js | AI (source-diff): esbuild bundle output with long Unicode regex from github-slugger; standard for this package's build. | ai | |
| source-diff | obfuscated-file:dist/_node-chunks/rehype-slug-ZQNLTEFW.js | AI (source-diff): esbuild bundle output with CJS compat banner; long lines from Unicode regex in github-slugger, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/_node-chunks/rehype-slug-SWZMHUUR.js | AI (source-diff): esbuild bundle output with long Unicode regex from github-slugger; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/_node-chunks/rehype-slug-QMVSHJMP.js | AI (source-diff): esbuild bundle of rehype-slug + github-slugger; long Unicode regex triggers false positive. | ai | |
| source-diff | obfuscated-file:dist/_node-chunks/rehype-slug-U26YELH3.js | AI (source-diff): esbuild-bundled chunk with CJS compat banner; long regex line from github-slugger. Standard build output. | ai | |
| source-diff | obfuscated-file:dist/_node-chunks/rehype-slug-LE5AS6RC.js | AI (source-diff): esbuild-bundled chunk with CJS compat banner; long lines from Unicode regex in github-slugger, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/_node-chunks/rehype-slug-NERL3ZEL.js | AI (source-diff): esbuild bundle output with CJS compat banner; long line is Unicode regex from github-slugger. | ai | |
| source-diff | obfuscated-file:dist/_node-chunks/rehype-slug-GOFA2OQH.js | AI (source-diff): esbuild-bundled output with CJS compat shim; long lines from Unicode regex in github-slugger. Stable pattern. | ai | |
| source-diff | obfuscated-file:dist/_node-chunks/rehype-slug-76X5TKO7.js | AI (source-diff): esbuild bundle output with CJS compat banner; long lines from inlined Unicode regex, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/_node-chunks/rehype-slug-3QS5AFJH.js | AI (source-diff): esbuild bundle output with long Unicode regex from github-slugger; standard for Storybook's build. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): react-dom is declared as a runtime dependency; phantom-dep is a false positive. | ai | |
| source-diff | obfuscated-file:dist/_node-chunks/rehype-slug-INWKXDTS.js | AI (source-diff): esbuild-bundled output with CJS compat banner; long regex line from github-slugger. Stable for this package. | ai | |
| source-diff | net-exec-file:dist/blocks.mjs | AI (source-diff): UMD boilerplate (typeof global/define.amd) triggers heuristic; no real net+exec. | ai | |
| source-diff | obfuscated-file:dist/blocks.mjs | AI (source-diff): Bundled build output (memoizerific UMD, React components); stable for this package. | ai | |
| source-diff | obfuscated-file:dist/Color-AVL7NMMY.mjs | AI (source-diff): Bundled build output with long lines (color-name map); stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/_node-chunks/rehype-slug-CJTBZTTB.js | AI (source-diff): esbuild bundle output with CJS compat banner and inlined unicode regex from github-slugger; not obfuscation. | ai | |
| provenance | no-provenance | AI (provenance): Storybook publishes via GitHub Actions CI without Sigstore attestation; consistent across all versions. | ai |
Versions (showing 37 of 37)
| Version | Deps | Published |
|---|---|---|
| 10.4.1 | 7 / 19 | |
| 10.3.5 | 7 / 19 | |
| 10.3.4 | 7 / 19 | |
| 10.3.3 | 7 / 19 | |
| 10.2.18 | 7 / 19 | |
| 10.2.16 | 7 / 19 | |
| 10.2.15 | 7 / 19 | |
| 10.2.14 | 7 / 19 | |
| 10.2.13 | 7 / 19 | |
| 10.2.12 | 7 / 19 | |
| 10.2.11 | 7 / 19 | |
| 10.2.6 | 7 / 19 | |
| 10.2.4 | 7 / 19 | |
| 10.2.2 | 7 / 19 | |
| 10.2.1 | 7 / 19 | |
| 10.2.0 | 7 / 19 | |
| 10.1.8 | 7 / 19 | |
| 10.1.7 | 7 / 19 | |
| 10.0.7 | 7 / 19 | |
| 10.0.6 | 7 / 19 | |
| 10.0.5 | 7 / 19 | |
| 10.0.4 | 7 / 19 | |
| 10.0.3 | 7 / 19 | |
| 10.0.2 | 7 / 19 | |
| 10.0.1 | 7 / 19 | |
| 10.0.0 | 7 / 19 | |
| 9.1.20 | 7 / 19 | |
| 9.1.19 | 7 / 19 | |
| 9.1.18 | 7 / 19 | |
| 8.6.18 | 7 / 9 | |
| 8.6.17 | 7 / 9 | |
| 8.6.16 | 7 / 9 | |
| 8.6.15 | 7 / 9 | |
| 7.6.24 | 19 / 5 | |
| 7.6.23 | 19 / 5 | |
| 7.6.22 | 19 / 5 | |
| 7.6.21 | 19 / 5 |
v10.4.1
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.3.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.3.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.3.3
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.18
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.16
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.15
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.14
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.13
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.12
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.11
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.6
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.4
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.2
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.1
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.1.8
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.1.7
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.7
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.6
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.5
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.0.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.1.20
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.1.19
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.1.18
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.6.18
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.6.17
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.6.16
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.6.15
3 findingsThis version was published by a different npm account than previous versions on 2025-12-17. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.6.24
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.6.23
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.6.22
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.6.21
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (storybook-bot) than the most recent previously approved version (GitHub Actions) on 2025-12-17, but storybook-bot is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.