antd
An enterprise-class UI design language and React components implementation
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:rc-form-validation | AI (dependencies): rc-form-validation is a core Ant Design ecosystem package maintained by the same team; stable false positive for antd. | ai | |
| dependencies | unvetted-dep:rc-animate | AI (dependencies): rc-animate is a core Ant Design ecosystem package maintained by the same team; stable false positive for antd. | ai | |
| source-diff | obfuscated-file:lib/package.js | AI (source-diff): File is package metadata embedded as module export, not obfuscated code; standard build artifact for antd. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Maintainer removal combined with additions reflects normal team evolution in established projects. | ai | |
| phantom-deps | phantom-dep:create-react-class | AI (phantom-deps): create-react-class is declared and referenced in config; not a hidden import. | ai | |
| dependencies | unvetted-dep:lodash.debounce | AI (dependencies): lodash.debounce is a well-known modular lodash utility. Not a security risk for antd. | ai | |
| dependencies | unvetted-dep:babel-runtime | AI (dependencies): babel-runtime is a standard Babel helper runtime, universally used in transpiled packages. Not a security risk for antd. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Missing description is expected for antd's initial placeholder v0.0.1; the package is a legitimate, widely-used UI library. | ai | |
| phantom-deps | phantom-dep:xhr2 | AI (phantom-deps): xhr2 is declared but referenced in config files; standard pattern for antd's build setup. | ai | |
| dependencies | unvetted-dep:react-slick2 | AI (dependencies): react-slick2 is a carousel component library used by antd; stable dependency. | ai | |
| dependencies | unvetted-dep:is-equal-shallow | AI (dependencies): is-equal-shallow is a small, well-known shallow equality utility with no security concerns; stable false positive for antd. | ai | |
| source-diff | source-size-tripled | AI (source-diff): 8.1x source growth reflects new components and features in major version; expected for antd's development trajectory. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 108 new source files reflect legitimate component expansion in major version; consistent with antd's growth pattern. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Maintainer additions reflect legitimate project growth for an established framework; consistent with public GitHub history. | ai | |
| phantom-deps | phantom-dep:css-animation | AI (phantom-deps): Phantom dependency is expected for animation utilities referenced in config. | ai | |
| dependencies | unvetted-dep:reqwest-without-xhr2 | AI (dependencies): HTTP utility dependency appropriate for component library. | ai | |
| phantom-deps | phantom-dep:util-deprecate | AI (phantom-deps): Phantom dependency referenced in config but not directly imported; benign pattern in build tooling. | ai | |
| dependencies | unvetted-dep:gregorian-calendar | AI (dependencies): gregorian-calendar is a standard utility for antd's calendar components. | ai | |
| dependencies | unvetted-dep:rc-form | AI (dependencies): rc-form is a canonical React component dependency for antd; stable architectural choice. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): 21 new dependencies are legitimate rc-* component libraries and calendar utilities; consistent with UI framework expansion. | ai | |
| phantom-deps | phantom-dep:rc-trigger | AI (phantom-deps): rc-trigger is a transitive dependency of antd components; stable for this package. | ai | |
| dependencies | unvetted-dep:gregorian-calendar-format | AI (dependencies): gregorian-calendar-format is a standard utility for antd's calendar components. | ai | |
| dependencies | unvetted-dep:rc-dialog | AI (dependencies): rc-dialog is a canonical React component dependency for antd; stable architectural choice. | ai | |
| dependencies | unvetted-dep:rc-queue-anim | AI (dependencies): rc-queue-anim is a canonical React component dependency for antd; stable architectural choice. | ai | |
| dependencies | unvetted-dep:rc-util | AI (dependencies): rc-util is a core utility library for rc-* component ecosystem; stable dependency for antd. | ai | |
| dependencies | unvetted-dep:rc-time-picker | AI (dependencies): rc-time-picker is a canonical React component dependency for antd; stable architectural choice. | ai | |
| dependencies | unvetted-dep:rc-tree-select | AI (dependencies): rc-tree-select is a canonical React component dependency for antd; stable architectural choice. | ai | |
| dependencies | unvetted-dep:rc-slider | AI (dependencies): rc-slider is a standard rc-* component; expected dependency for antd's slider component. | ai | |
| dependencies | unvetted-dep:array-tree-filter | AI (dependencies): array-tree-filter is a standard utility dependency for antd; stable across versions. | ai | |
| dependencies | unvetted-dep:rc-cascader | AI (dependencies): rc-cascader is a canonical React component dependency for antd; stable architectural choice. | ai | |
| dependencies | unvetted-dep:rc-collapse | AI (dependencies): rc-collapse is a canonical React component dependency for antd; stable architectural choice. | ai | |
| dependencies | unvetted-dep:rc-progress | AI (dependencies): rc-progress is a canonical React component dependency for antd; stable architectural choice. | ai | |
| dependencies | unvetted-dep:rc-pagination | AI (dependencies): rc-pagination is a canonical React component dependency for antd; stable architectural choice. | ai | |
| dependencies | unvetted-dep:rc-tooltip | AI (dependencies): rc-tooltip is a canonical React component dependency for antd; stable architectural choice. | ai | |
| dependencies | unvetted-dep:rc-calendar | AI (dependencies): rc-calendar is a canonical React component dependency for antd; stable architectural choice. | ai | |
| dependencies | unvetted-dep:rc-checkbox | AI (dependencies): rc-checkbox is a canonical React component dependency for antd; stable architectural choice. | ai | |
| dependencies | unvetted-dep:rc-input-number | AI (dependencies): rc-input-number is a canonical React component dependency for antd; stable architectural choice. | ai | |
| dependencies | unvetted-dep:rc-notification | AI (dependencies): rc-notification is a canonical React component dependency for antd; stable architectural choice. | ai | |
| dependencies | unvetted-dep:rc-table | AI (dependencies): rc-table is a canonical React component dependency for antd; stable architectural choice. | ai | |
| dependencies | unvetted-dep:rc-select | AI (dependencies): rc-select is a canonical React component dependency for antd; stable architectural choice. | ai | |
| dependencies | unvetted-dep:rc-upload | AI (dependencies): rc-upload is a canonical React component dependency for antd; stable architectural choice. | ai | |
| dependencies | unvetted-dep:css-animation | AI (dependencies): css-animation is a standard utility dependency for antd's animation features. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore adoption; no provenance expected for 2015-era releases. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change in 2015 represents normal maintainer transition; no compromise indicators present. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get() in useProxyImperativeHandle.js is a legitimate proxy pattern used in the real antd codebase; not a malware indicator for this package. | ai | |
Versions (showing 17 of 17)
| Version | Deps | Published |
|---|---|---|
| 0.12.16 | 38 / 52 | |
| 0.12.15 | 38 / 52 | |
| 0.12.12 | 38 / 51 | |
| 0.12.11 | 38 / 51 | |
| 0.12.6 | 38 / 50 | |
| 0.12.4 | 38 / 48 | |
| 0.12.1 | 38 / 46 | |
| 0.10.3 | 37 / 33 | |
| 0.10.1 | 36 / 31 | |
| 0.10.0 | 36 / 31 | |
| 0.9.4 | 34 / 25 | |
| 0.9.1 | 32 / 24 | |
| 0.9.0 | 32 / 24 | |
| 0.7.3 | 21 / 18 | |
| 0.7.2 | 21 / 18 | |
| 0.7.1 | 21 / 18 | |
| 0.7.0 | 21 / 18 | |
v0.12.16
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.15
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.12
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.11
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.6
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.4
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.1
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.3
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.1
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.1
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.3
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.2
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.1
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.