rc-cascader
cascade select ui component for react
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): zombiej is a known react-component org maintainer; transition from afc163 happened in 2022 and is stable. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): madccc is a known react-component org contributor; addition is consistent with the major v3 rewrite of this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): rc-tree, rc-select, and classnames are legitimate, well-known packages used as the architectural foundation for the v3 rewrite of rc-cascader. | ai | |
| phantom-deps | phantom-dep:array-tree-filter | AI (phantom-deps): array-tree-filter is a declared dependency used in the package's ecosystem; not a security concern. | ai | |
| dependencies | unvetted-dep:rc-select | AI (dependencies): rc-select is a well-known react-component ecosystem package and a natural runtime dependency for rc-cascader; not a risk signal for this package. | ai |
Versions (showing 71 of 71)
| Version | Deps | Published |
|---|---|---|
| 3.34.0 | 5 / 31 | |
| 3.33.1 | 5 / 31 | |
| 3.33.0 | 5 / 31 | |
| 3.31.0 | 5 / 31 | |
| 3.30.0 | 5 / 31 | |
| 3.29.1 | 5 / 31 | |
| 3.28.2 | 6 / 30 | |
| 3.28.0 | 6 / 30 | |
| 3.27.1 | 6 / 30 | |
| 3.26.0 | 6 / 29 | |
| 3.12.1 | 6 / 27 | |
| 3.10.3 | 6 / 27 | |
| 3.10.0 | 6 / 27 | |
| 3.7.3 | 6 / 22 | |
| 3.6.1 | 6 / 21 | |
| 3.6.0 | 6 / 20 | |
| 3.5.0 | 6 / 20 | |
| 2.3.3 | 7 / 19 | |
| 2.3.2 | 7 / 19 | |
| 2.3.1 | 7 / 19 | |
| 2.2.1 | 6 / 19 | |
| 1.5.0 | 5 / 20 | |
| 1.4.3 | 5 / 20 | |
| 1.4.2 | 5 / 17 | |
| 1.4.1 | 4 / 17 | |
| 1.3.0 | 4 / 17 | |
| 1.2.0 | 4 / 17 | |
| 1.1.0 | 4 / 17 | |
| 0.17.5 | 7 / 10 | |
| 0.17.4 | 7 / 10 | |
| 0.17.3 | 7 / 10 | |
| 0.16.0 | 6 / 9 | |
| 0.14.0 | 6 / 9 | |
| 0.13.1 | 5 / 9 | |
| 0.13.0 | 5 / 9 | |
| 0.12.2 | 5 / 9 | |
| 0.11.6 | 5 / 6 | |
| 0.11.5 | 5 / 6 | |
| 0.11.4 | 5 / 6 | |
| 0.11.2 | 4 / 7 | |
| 0.11.1 | 3 / 7 | |
| 0.11.0 | 3 / 7 | |
| 0.10.4 | 2 / 7 | |
| 0.10.3 | 2 / 7 | |
| 0.10.2 | 2 / 7 | |
| 0.10.1 | 2 / 7 | |
| 0.10.0 | 2 / 7 | |
| 0.9.11 | 2 / 7 | |
| 0.9.10 | 2 / 8 | |
| 0.9.9 | 2 / 8 | |
| 0.9.8 | 2 / 8 | |
| 0.9.7 | 2 / 8 | |
| 0.9.6 | 2 / 8 | |
| 0.9.5 | 2 / 8 | |
| 0.9.2 | 2 / 8 | |
| 0.9.1 | 2 / 8 | |
| 0.9.0 | 2 / 8 | |
| 0.8.1 | 2 / 8 | |
| 0.8.0 | 2 / 8 | |
| 0.7.0 | 2 / 8 | |
| 0.6.1 | 2 / 8 | |
| 0.6.0 | 2 / 8 | |
| 0.5.1 | 2 / 8 | |
| 0.5.0 | 2 / 8 | |
| 0.4.1 | 2 / 8 | |
| 0.4.0 | 2 / 8 | |
| 0.3.2 | 2 / 8 | |
| 0.3.1 | 2 / 8 | |
| 0.3.0 | 2 / 8 | |
| 0.2.0 | 2 / 8 | |
| 0.1.0 | 2 / 8 |
v3.34.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.33.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.33.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.31.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.30.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.29.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.28.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.28.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.27.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.26.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.12.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.7.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.6.1
2 findingsThis version was published by a different npm account than previous versions on 2022-06-29. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.16.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.14.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.13.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.