← Home

@storybook/components

npm Repository Homepage

Core Storybook Components

85
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

ndelangenshilmantmeasdayghengeveldwinkervsbecksyannbfkylegachjreinholdkasperpeulenvalentinpalkovicdomyenstorybook-bot

Keywords

storybook

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
publish-pattern rapid-publish AI (publish-pattern): Storybook monorepo publishes many packages simultaneously via CI/CD; rapid successive publishes are expected and normal for this package. ai
source-diff source-size-tripled AI (source-diff): Size increase reflects bundling of highlight.js language modules into the package. Diff is against a different major version (v8.x); size growth is expected and legitimate. ai
source-diff large-new-source-files AI (source-diff): Large file count is due to bundled highlight.js language definitions — a legitimate architectural choice for a syntax-highlighting UI component library. ai
source-diff obfuscated-file:dist/autoit-A2P2SZ3Z.mjs AI (source-diff): Bundled highlight.js AutoIt language definition. Minified built-in function lists trigger the rule; content is clearly legitimate. ai
source-diff obfuscated-file:dist/armasm-RILIBSME.mjs AI (source-diff): Bundled highlight.js ARM Assembly language definition. Minified register/directive lists trigger long-line detection; not malicious. ai
source-diff obfuscated-file:dist/arduino-V4RV6FJL.mjs AI (source-diff): Bundled highlight.js Arduino/C++ language definition. Minified keyword/type lists trigger the rule; content is clearly legitimate. ai
source-diff obfuscated-file:dist/arcade-CALPTLOT.mjs AI (source-diff): Bundled highlight.js Arcade language definition. Minified built-in function lists trigger long-line detection; not malicious. ai
source-diff obfuscated-file:dist/applescript-7EA7Y3L2.mjs AI (source-diff): Bundled highlight.js AppleScript language definition. Minification of keyword/pattern arrays triggers the rule; content is clearly legitimate. ai
source-diff obfuscated-file:dist/1c-ZTBIS4WH.mjs AI (source-diff): Bundled highlight.js language definition (1C language). Minified keyword lists trigger long-line detection; not malicious obfuscation. ai
dependencies unvetted-dep:@radix-ui/react-dialog AI (dependencies): @radix-ui/react-dialog is a reputable, widely-used UI primitives library; its use in Storybook UI components is expected and benign across all versions. ai
phantom-deps phantom-dep:@radix-ui/react-toolbar AI (phantom-deps): Declared in package.json dependencies; phantom detection is a false positive for bundled packages. ai
provenance no-provenance AI (provenance): Storybook 7.x predates widespread provenance adoption; absence is expected for this version line and not a security concern given the established publisher track record. ai
phantom-deps phantom-dep:@radix-ui/react-select AI (phantom-deps): Declared in package.json dependencies; phantom detection is a false positive for bundled packages. ai
phantom-deps phantom-dep:util-deprecate AI (phantom-deps): Declared in package.json dependencies; phantom detection is a false positive for bundled packages where direct import tracing may not reflect actual usage. ai
dependencies unvetted-dep:@radix-ui/react-select AI (dependencies): @radix-ui/react-select is a well-known, widely-used UI primitives library; legitimate dependency for a UI component package like @storybook/components. ai
phantom-deps phantom-dep:react-focus-lock AI (phantom-deps): Legitimately declared dependency used in components; phantom-dep false positive for component libraries. ai
phantom-deps phantom-dep:@types/react-syntax-highlighter AI (phantom-deps): @types package for declared dependency; framework-scoped types loaded by convention in TypeScript projects. ai
phantom-deps phantom-dep:@types/react-textarea-autosize AI (phantom-deps): @types package for declared dependency; framework-scoped types loaded by convention in TypeScript projects. ai
phantom-deps phantom-dep:react-helmet-async AI (phantom-deps): Legitimately declared dependency used in components; phantom-dep false positive for component libraries. ai
phantom-deps phantom-dep:react-dom AI (phantom-deps): react-dom is legitimately declared and used in a React component library; phantom-dep false positive for monorepo/component packages. ai

Versions (showing 85 of 385)

Show 16 prereleases
Version Deps Published
5.1.1 18 / 6
5.0.11 25 / 0
5.0.10 25 / 0
5.0.9 25 / 0
5.0.8 25 / 0
5.0.7 25 / 0
5.0.6 25 / 0
5.0.5 25 / 0
5.0.4 25 / 0
5.0.3 25 / 0
5.0.2 25 / 0
5.0.1 25 / 0
5.0.0 24 / 0
4.1.18 10 / 3
4.1.17 10 / 3
4.1.16 10 / 3
4.1.15 10 / 3
4.1.14 10 / 3
4.1.13 10 / 3
4.1.12 10 / 3
4.1.11 10 / 3
4.1.10 10 / 3
4.1.9 10 / 3
4.1.8 10 / 3
4.1.7 10 / 3
4.1.6 10 / 3
4.1.5 10 / 3
4.1.4 10 / 3
4.1.3 10 / 3
4.1.2 10 / 3
4.1.1 10 / 3
4.1.0 10 / 3
4.0.12 10 / 3
4.0.11 10 / 3
4.0.10 10 / 3
4.0.9 10 / 3
4.0.8 10 / 3
4.0.7 10 / 3
4.0.6 10 / 3
4.0.4 10 / 3
4.0.3 10 / 3
4.0.2 10 / 3
4.0.1 10 / 3
4.0.0 10 / 3
3.4.12 3 / 3
3.4.11 3 / 3
3.4.10 3 / 3
3.4.8 3 / 3
3.4.7 3 / 3
3.4.6 3 / 3
3.4.5 3 / 3
3.4.4 3 / 3
3.4.3 3 / 3
3.4.2 3 / 3
3.4.1 3 / 3
3.4.0 3 / 3
3.3.15 3 / 3
3.3.14 3 / 3
3.3.13 3 / 3
3.3.12 3 / 3
3.3.11 3 / 3
3.3.10 3 / 3
3.3.9 3 / 3
3.3.8 3 / 3
3.3.7 3 / 3
3.3.6 3 / 3
3.3.5 3 / 3
3.3.4 3 / 3
3.3.3 3 / 3
3.3.2 3 / 3
3.3.1 3 / 3
3.3.0 3 / 3
3.2.19 3 / 0
3.2.18 3 / 0
3.2.17 3 / 0
3.2.16 3 / 0
3.2.15 3 / 2
3.2.14 3 / 2
3.2.13 3 / 2
3.2.12 3 / 3
3.2.10 3 / 3
3.2.7 3 / 3
3.2.6 3 / 2
3.1.5 3 / 2
3.1.3 3 / 2