@svgr/core — Greenflagged

Transform SVG into React Components.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

neoziro

Keywords

svgrsvgreactcoreapi

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:merge-deep	AI (dependencies): merge-deep is a well-known, legitimate deep-merge utility; its use in @svgr/core for config merging is appropriate and poses no security risk.	ai	2026/04/22
dependencies	unvetted-dep:svgo	AI (dependencies): svgo is a well-known, widely-used SVG optimizer; its use here is expected and legitimate for this SVG-to-React toolchain.	ai	2026/04/22
dependencies	unvetted-dep:h2x-core	AI (dependencies): h2x-core is a core dependency of the SVGR ecosystem, authored by the same maintainer (neoziro); legitimate and expected.	ai	2026/04/22
dependencies	unvetted-dep:h2x-plugin-jsx	AI (dependencies): h2x-plugin-jsx is a core dependency of the SVGR ecosystem, authored by the same maintainer (neoziro); legitimate and expected.	ai	2026/04/22
provenance	no-provenance	AI (provenance): Package predates Sigstore provenance on npm by years; absence is expected and not a risk signal for this well-established package.	ai	2026/04/22
phantom-deps	phantom-dep:output-file-sync	AI (phantom-deps): Monorepo structure; deps declared at package level but used by sibling packages. Not a security concern.	ai	2026/04/22
phantom-deps	phantom-dep:commander	AI (phantom-deps): Monorepo structure; deps declared at package level but used by sibling packages (CLI). Not a security concern.	ai	2026/04/22
phantom-deps	phantom-dep:loader-utils	AI (phantom-deps): Monorepo structure; deps declared at package level but used by sibling packages (webpack loader). Not a security concern.	ai	2026/04/22
phantom-deps	phantom-dep:glob	AI (phantom-deps): Monorepo structure; deps declared at package level but used by sibling packages. Not a security concern.	ai	2026/04/22
phantom-deps	phantom-dep:recursive-readdir	AI (phantom-deps): Monorepo structure; deps declared at package level but used by sibling packages. Not a security concern.	ai	2026/04/22
phantom-deps	phantom-dep:mz	AI (phantom-deps): Monorepo structure; deps declared at package level but used by sibling packages (CLI, loader). Not a security concern.	ai	2026/04/22
typosquat	typosquat.levenshtein:cors	AI (typosquat): @svgr/core is a scoped package in the svgr ecosystem; the levenshtein match to 'cors' is coincidental and not a typosquat.	ai	2026/04/21

Versions (showing 39 of 39)

Version	Deps	Published
8.1.0	5 / 1	2023-08-15
8.0.0	5 / 1	2023-05-09
7.0.0	4 / 0	2023-03-24
6.5.1	5 / 1	2022-10-27
6.5.0	5 / 1	2022-10-14
6.4.0	4 / 1	2022-10-01
6.3.1	3 / 1	2022-07-22
6.3.0	3 / 1	2022-07-18
6.2.1	3 / 1	2022-01-30
6.2.0	3 / 1	2022-01-10
6.1.2	3 / 1	2021-12-12
6.1.1	3 / 1	2021-12-04
6.1.0	3 / 1	2021-12-01
6.0.0	3 / 1	2021-11-28
5.5.0	3 / 0	2020-11-15
5.4.0	3 / 0	2020-04-27
5.3.1	3 / 0	2020-04-05
5.3.0	3 / 0	2020-03-22
5.2.0	3 / 0	2020-02-23
5.0.1	3 / 0	2019-12-29
5.0.0	3 / 0	2019-12-23
4.3.3	3 / 0	2019-09-24
4.3.2	3 / 0	2019-07-15
4.3.1	3 / 0	2019-07-01
4.3.0	3 / 0	2019-05-28
4.2.0	3 / 0	2019-04-11
4.1.0	3 / 0	2018-11-24
4.0.3	3 / 0	2018-11-13
4.0.2	3 / 0	2018-11-08
4.0.1	3 / 0	2018-11-08
4.0.0	3 / 0	2018-11-04
3.1.0	7 / 0	2018-10-05
3.0.0	7 / 0	2018-10-01
2.4.1	7 / 0	2018-09-16
2.4.0	7 / 0	2018-09-16
2.2.0	6 / 0	2018-08-13
2.1.1	6 / 0	2018-07-11
2.1.0	6 / 0	2018-07-08
2.0.0	12 / 0	2018-06-12

v8.1.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.