← Home

rc-css-transition-group

npm Repository Homepage

css-transition-group ui component for react

9
Versions
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

yiminghe

Keywords

reactreact-componentreact-css-transition-groupcss-transition-group

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
dependencies unvetted-dep:browserify-jsx AI (dependencies): browserify-jsx is a legitimate Browserify JSX transform declared in the package's browserify config; its use as a dependency is intentional and stable for this package. ai
phantom-deps phantom-dep:browserify-jsx AI (phantom-deps): browserify-jsx is used as a Browserify transform in package.json config, not via require(); this pattern is expected and not a real phantom dependency. ai
phantom-deps phantom-dep:browserify-shim AI (phantom-deps): browserify-shim is used as a Browserify transform/shim in package.json config, not via require(); this pattern is expected and not a real phantom dependency. ai
provenance no-provenance AI (provenance): Package predates Sigstore provenance by years; absence is expected for this legacy package and not a risk signal. ai

Versions (showing 9 of 9)

Version Deps Published
2.1.4 0 / 6
2.1.3 0 / 6
2.1.2 0 / 6
2.1.1 0 / 6
2.1.0 0 / 6
2.0.0 0 / 6
1.0.2 0 / 5
1.0.1 2 / 6
1.0.0 2 / 6

v2.1.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.