echarts-for-react @3.0.7

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 63
License: Yes
Install Scripts: 2
Dependencies: 31
Dev Dependencies: 31
Package Size: 81.3 KB
Published:
Maintainers: atool

Keywords

react, component, echarts-react, echarts, react-echarts, chart, charts, graph, react-component

Dependencies (2)

Package          Constraint   Registry Status
size-sensor ^1.0.1 auto_approved
fast-deep-equal ^3.1.3 auto_approved

Dev Dependencies (31)

Package                            Constraint    Registry Status
miz ^1.0.1 Not imported
dumi ^1.1.6 No greenflagged match
jest ^24.0.0 auto_approved
husky ^5.1.1 auto_approved
eslint ^7.20.0 auto_approved
rimraf ^3.0.2 auto_approved
echarts ^6.0.0 auto_approved
ts-jest ^24.0.2 No greenflagged match
gh-pages ^3.1.0 auto_approved
prettier ^2.2.1 auto_approved
cross-env ^7.0.3 auto_approved
ts-loader ^8.0.17 No greenflagged match
echarts-gl ^2.0.2 auto_approved
typescript ^4.2.2 auto_approved
@types/jest ^24.0.0 No greenflagged match
@types/node ^14.14.31 auto_approved
lint-md-cli ^0.1.2 Not imported
lint-staged ^10.5.4 auto_approved
npm-run-all ^4.1.5 auto_approved
@types/react ^17.0.2 auto_approved
jest-electron ^0.1.11 Not imported
@commitlint/cli ^12.0.0 No greenflagged match
jest-canvas-mock ^2.3.1 auto_approved
lodash.clonedeep ^4.5.0 auto_approved
dumi-theme-default ^1.0.6 Not imported
eslint-plugin-import ^2.22.1 auto_approved
eslint-config-prettier ^8.1.0 auto_approved
eslint-plugin-prettier ^3.3.1 auto_approved
@typescript-eslint/parser ^4.15.2 auto_approved
@commitlint/config-angular ^12.0.0 No greenflagged match
@typescript-eslint/eslint-plugin ^4.15.2 auto_approved

Transitive Dependency Tree

2 transitive deps, max depth 1
  ├─ fast-deep-equal ^3.1.3 → 3.1.3
  ├─ size-sensor ^1.0.1 → 1.0.3

Changes from v3.0.6

No metadata changes detected.

File Changes

0 added, 0 removed, 1 modified; size delta: +0.1 KB

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule: url-dep:@antv/setup
Source: npm-metadata
Disposition: reject
Author: AI
Reason: AI (npm-metadata): Illegitimate GitHub SHA dep in optionalDependencies; echarts-for-react has no reason to depend on @antv/setup.

SAST Findings (3)

HIGH: SHA-pinned GitHub dependency (optionalDependencies): @antv/setup (source: npm-metadata)

Dependency '@antv/setup' in `optionalDependencies` points to 'github:antvis/G2#7cb42f57561c321ecb09b4552802ae0ac55b3a7a' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.

HIGH: Missing gitHead, previous versions had it (source: provenance)

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atool.

LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 63. Findings: 2 high (+50), 1 medium (+10), 1 low (+3).

Published to npm: