@storybook/components — Greenflagged

Core Storybook Components

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

ndelangenshilmantmeasdayghengeveldwinkervsbecksyannbfkylegachjreinholdkasperpeulenvalentinpalkovicdomyenstorybook-bot

Keywords

storybook

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	rapid-publish	AI (publish-pattern): Storybook monorepo publishes many packages simultaneously via CI/CD; rapid successive publishes are expected and normal for this package.	ai	2026/04/24
source-diff	source-size-tripled	AI (source-diff): Size increase reflects bundling of highlight.js language modules into the package. Diff is against a different major version (v8.x); size growth is expected and legitimate.	ai	2026/04/24
source-diff	large-new-source-files	AI (source-diff): Large file count is due to bundled highlight.js language definitions — a legitimate architectural choice for a syntax-highlighting UI component library.	ai	2026/04/24
source-diff	obfuscated-file:dist/autoit-A2P2SZ3Z.mjs	AI (source-diff): Bundled highlight.js AutoIt language definition. Minified built-in function lists trigger the rule; content is clearly legitimate.	ai	2026/04/24
source-diff	obfuscated-file:dist/armasm-RILIBSME.mjs	AI (source-diff): Bundled highlight.js ARM Assembly language definition. Minified register/directive lists trigger long-line detection; not malicious.	ai	2026/04/24
source-diff	obfuscated-file:dist/arduino-V4RV6FJL.mjs	AI (source-diff): Bundled highlight.js Arduino/C++ language definition. Minified keyword/type lists trigger the rule; content is clearly legitimate.	ai	2026/04/24
source-diff	obfuscated-file:dist/arcade-CALPTLOT.mjs	AI (source-diff): Bundled highlight.js Arcade language definition. Minified built-in function lists trigger long-line detection; not malicious.	ai	2026/04/24
source-diff	obfuscated-file:dist/applescript-7EA7Y3L2.mjs	AI (source-diff): Bundled highlight.js AppleScript language definition. Minification of keyword/pattern arrays triggers the rule; content is clearly legitimate.	ai	2026/04/24
source-diff	obfuscated-file:dist/1c-ZTBIS4WH.mjs	AI (source-diff): Bundled highlight.js language definition (1C language). Minified keyword lists trigger long-line detection; not malicious obfuscation.	ai	2026/04/24
dependencies	unvetted-dep:@radix-ui/react-dialog	AI (dependencies): @radix-ui/react-dialog is a reputable, widely-used UI primitives library; its use in Storybook UI components is expected and benign across all versions.	ai	2026/04/24
phantom-deps	phantom-dep:@radix-ui/react-toolbar	AI (phantom-deps): Declared in package.json dependencies; phantom detection is a false positive for bundled packages.	ai	2026/04/24
provenance	no-provenance	AI (provenance): Storybook 7.x predates widespread provenance adoption; absence is expected for this version line and not a security concern given the established publisher track record.	ai	2026/04/24
phantom-deps	phantom-dep:@radix-ui/react-select	AI (phantom-deps): Declared in package.json dependencies; phantom detection is a false positive for bundled packages.	ai	2026/04/24
phantom-deps	phantom-dep:util-deprecate	AI (phantom-deps): Declared in package.json dependencies; phantom detection is a false positive for bundled packages where direct import tracing may not reflect actual usage.	ai	2026/04/24
dependencies	unvetted-dep:@radix-ui/react-select	AI (dependencies): @radix-ui/react-select is a well-known, widely-used UI primitives library; legitimate dependency for a UI component package like @storybook/components.	ai	2026/04/24
phantom-deps	phantom-dep:react-focus-lock	AI (phantom-deps): Legitimately declared dependency used in components; phantom-dep false positive for component libraries.	ai	2026/04/23
phantom-deps	phantom-dep:@types/react-syntax-highlighter	AI (phantom-deps): @types package for declared dependency; framework-scoped types loaded by convention in TypeScript projects.	ai	2026/04/23
phantom-deps	phantom-dep:@types/react-textarea-autosize	AI (phantom-deps): @types package for declared dependency; framework-scoped types loaded by convention in TypeScript projects.	ai	2026/04/23
phantom-deps	phantom-dep:react-helmet-async	AI (phantom-deps): Legitimately declared dependency used in components; phantom-dep false positive for component libraries.	ai	2026/04/23
phantom-deps	phantom-dep:react-dom	AI (phantom-deps): react-dom is legitimately declared and used in a React component library; phantom-dep false positive for monorepo/component packages.	ai	2026/04/23

Versions (showing 100 of 401)

Hide prereleases

Version	Deps	Published
7.6.1	10 / 13	2023-11-29
7.6.0	10 / 13	2023-11-28
7.5.3	10 / 14	2023-11-06
7.5.2	10 / 14	2023-10-30
7.5.1	10 / 14	2023-10-19
7.5.0	10 / 14	2023-10-17
7.4.6	10 / 14	2023-10-03
7.4.5	10 / 14	2023-09-24
7.4.4	10 / 14	2023-09-22
7.4.3	10 / 14	2023-09-20
7.4.2	10 / 14	2023-09-15
7.4.1	10 / 14	2023-09-11
7.4.0	10 / 14	2023-08-29
7.3.2	11 / 13	2023-08-18
7.3.1	11 / 13	2023-08-16
7.3.0	11 / 13	2023-08-15
7.2.3	10 / 13	2023-08-11
7.2.2	10 / 13	2023-08-09
7.2.1	10 / 13	2023-08-03
7.2.0	9 / 13	2023-08-01
7.1.1	8 / 13	2023-07-24
7.1.0	8 / 13	2023-07-18
7.0.27	8 / 13	2023-07-12
7.0.26	8 / 13	2023-07-05
7.0.25	8 / 13	2023-07-03
7.0.24	8 / 13	2023-06-27
7.0.23	8 / 13	2023-06-22
7.0.22	8 / 13	2023-06-17
7.0.21	8 / 13	2023-06-15
7.0.20	8 / 13	2023-06-08
7.0.19	8 / 13	2023-06-08
7.0.18	8 / 13	2023-05-26
7.0.17	8 / 13	2023-05-24
7.0.16	8 / 13	2023-05-24
7.0.15	8 / 13	2023-05-23
7.0.14	8 / 13	2023-05-23
7.0.13	8 / 13	2023-05-22
7.0.12	8 / 13	2023-05-15
7.0.11	8 / 13	2023-05-12
7.0.10	8 / 13	2023-05-09
7.0.9	8 / 13	2023-05-05
7.0.8	8 / 13	2023-05-03
7.0.7	8 / 13	2023-04-24
7.0.6	8 / 13	2023-04-18
7.0.5	8 / 13	2023-04-15
7.0.4	8 / 13	2023-04-12
7.0.3	8 / 13	2023-04-12
7.0.2	8 / 13	2023-04-03
7.0.1	8 / 13	2023-04-03
7.0.0	8 / 13	2023-03-31
6.5.16	8 / 21	2023-01-26
6.5.15	8 / 21	2022-12-20
6.5.14	8 / 21	2022-12-02
6.5.13	8 / 21	2022-10-24
6.5.12	8 / 21	2022-09-14
6.5.11	8 / 21	2022-09-13
6.5.10	8 / 21	2022-08-03
6.5.9	10 / 19	2022-06-13
6.5.8	9 / 20	2022-06-08
6.5.7	9 / 20	2022-06-06
6.5.6	9 / 20	2022-05-30
6.5.5	9 / 20	2022-05-24
6.5.4	9 / 20	2022-05-23
6.5.3	9 / 20	2022-05-19
6.5.2	9 / 20	2022-05-19
6.5.0	9 / 20	2022-05-18
6.4.22	24 / 2	2022-04-14
6.4.21	24 / 2	2022-04-09
6.4.20	24 / 2	2022-04-01
6.4.19	24 / 2	2022-02-12
6.4.18	24 / 2	2022-02-02
6.4.17	24 / 2	2022-01-31
6.4.16	24 / 2	2022-01-29
6.4.15	24 / 2	2022-01-28
6.4.14	24 / 2	2022-01-21
6.4.13	24 / 2	2022-01-15
6.4.12	24 / 2	2022-01-11
6.4.10	24 / 2	2022-01-10
6.4.9	24 / 2	2021-12-09
6.4.8	24 / 2	2021-12-06
6.4.7	24 / 2	2021-12-03
6.4.5	24 / 2	2021-12-03
6.4.4	24 / 2	2021-12-01
6.4.3	24 / 2	2021-12-01
6.4.2	24 / 2	2021-12-01
6.4.1	24 / 2	2021-11-30
6.4.0	24 / 2	2021-11-26
6.3.13	24 / 2	2022-01-10
6.3.12	24 / 2	2021-10-14
6.3.11	24 / 2	2021-10-12
6.3.10	24 / 2	2021-10-06
6.3.9	24 / 2	2021-10-01
6.3.8	24 / 2	2021-09-03
6.3.7	24 / 2	2021-08-09
6.3.6	24 / 2	2021-07-26
6.3.5	24 / 2	2021-07-22
6.3.4	24 / 2	2021-07-08
6.3.3	24 / 2	2021-07-07
6.3.2	24 / 2	2021-06-30
6.3.1	24 / 2	2021-06-28

Showing 100 of 401 Next page →