@umijs/plugins
@umijs/plugins
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): Established UmiJS monorepo package; no material changes from prior version; publisher has approved track record. | ai | |
| dependencies | unvetted-dep:dva-immer | AI (dependencies): Known UmiJS ecosystem dependency; stable across versions of this package. | ai | |
| dependencies | unvetted-dep:dva-core | AI (dependencies): Known UmiJS ecosystem dependency; stable across versions of this package. | ai | |
| dependencies | unvetted-dep:dva-loading | AI (dependencies): Known UmiJS ecosystem dependency; stable across versions of this package. | ai | |
| dependencies | unvetted-dep:@umijs/valtio | AI (dependencies): First-party @umijs scoped package; stable for this package. | ai | |
| dependencies | unvetted-dep:@umijs/bundler-utils | AI (dependencies): First-party @umijs scoped package; stable for this package. | ai | |
| dependencies | unvetted-dep:antd-dayjs-webpack-plugin | AI (dependencies): Known Ant Design ecosystem plugin; stable for this package. | ai | |
| dependencies | unvetted-dep:@ant-design/antd-theme-variable | AI (dependencies): Known Ant Design scoped package; stable for this package. | ai | |
| dependencies | unvetted-dep:@ant-design/moment-webpack-plugin | AI (dependencies): Known Ant Design scoped package; stable for this package. | ai | |
| phantom-deps | phantom-dep:@tanstack/react-query | AI (phantom-deps): Plugin package; referenced in generated config/templates, not directly imported. | ai | |
| phantom-deps | phantom-dep:@tanstack/react-query-devtools | AI (phantom-deps): Plugin package; referenced in generated config/templates, not directly imported. | ai | |
| phantom-deps | phantom-dep:styled-components | AI (phantom-deps): Plugin package; referenced in generated config/templates, not directly imported. | ai | |
| phantom-deps | phantom-dep:moment | AI (phantom-deps): Plugin package; referenced in generated config/templates, not directly imported. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): Known implicit runtime dependency for TypeScript compiled output. | ai | |
| phantom-deps | phantom-dep:@ant-design/pro-components | AI (phantom-deps): Plugin package; dependency is injected into user projects, not directly imported. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Monorepo package; sparse metadata is consistent across all @umijs/* packages. | ai |
Versions (showing 39 of 39)
| Version | Deps | Published |
|---|---|---|
| 4.6.56 | 30 / 2 | |
| 4.6.55 | 30 / 2 | |
| 4.6.54 | 30 / 2 | |
| 4.6.53 | 30 / 2 | |
| 4.6.52 | 30 / 2 | |
| 4.6.51 | 30 / 2 | |
| 4.6.50 | 30 / 2 | |
| 4.6.49 | 30 / 2 | |
| 4.6.48 | 30 / 2 | |
| 4.6.47 | 30 / 2 | |
| 4.6.46 | 30 / 2 | |
| 4.6.45 | 30 / 2 | |
| 4.6.44 | 30 / 2 | |
| 4.6.43 | 30 / 2 | |
| 4.6.42 | 30 / 2 | |
| 4.6.41 | 30 / 2 | |
| 4.6.40 | 30 / 2 | |
| 4.6.39 | 30 / 2 | |
| 4.6.38 | 30 / 2 | |
| 4.6.37 | 30 / 2 | |
| 4.6.14 | 30 / 2 | |
| 4.6.13 | 30 / 2 | |
| 4.6.12 | 30 / 2 | |
| 4.6.11 | 30 / 2 | |
| 4.6.10 | 30 / 2 | |
| 4.6.9 | 30 / 2 | |
| 4.6.8 | 30 / 2 | |
| 4.6.7 | 30 / 2 | |
| 4.6.6 | 30 / 2 | |
| 4.6.5 | 30 / 2 | |
| 4.6.4 | 30 / 2 | |
| 4.6.3 | 30 / 2 | |
| 4.6.2 | 30 / 2 | |
| 4.6.1 | 30 / 2 | |
| 4.5.3 | 30 / 2 | |
| 4.5.1 | 30 / 2 | |
| 4.5.0 | 30 / 2 | |
| 4.4.12 | 30 / 2 | |
| 4.4.11 | 30 / 2 |
v4.6.56
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.55
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.54
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.53
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.52
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.51
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.50
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.49
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.48
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.47
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.46
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.45
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.44
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.43
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.42
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.41
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.40
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.39
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.38
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.37
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.14
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.6
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zoomdong07) than the most recent previously approved version (peachscript) on 2025-12-10, but zoomdong07 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v4.6.5
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zoomdong07) than the most recent previously approved version (peachscript) on 2025-12-05, but zoomdong07 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v4.6.4
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zoomdong07) than the most recent previously approved version (peachscript) on 2025-12-03, but zoomdong07 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v4.6.3
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zoomdong07) than the most recent previously approved version (peachscript) on 2025-12-03, but zoomdong07 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v4.6.2
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zoomdong07) than the most recent previously approved version (peachscript) on 2025-12-02, but zoomdong07 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v4.6.1
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zoomdong07) than the most recent previously approved version (peachscript) on 2025-12-02, but zoomdong07 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v4.5.3
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (peachscript) than the most recent previously approved version (sorrycc) on 2025-10-21, but peachscript is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v4.5.1
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (peachscript) than the most recent previously approved version (sorrycc) on 2025-09-25, but peachscript is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v4.5.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (peachscript) than the most recent previously approved version (sorrycc) on 2025-09-18, but peachscript is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v4.4.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.4.11
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.