rc-menu
menu ui component for react
Versions: 51
License: MIT
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
benjycui, yesmeck, afc163, yiminghe, warmhug, valleykid, zombiej, picodoth, chenshuai2144, madccc
Keywords
react, react-component, menu, ui, react-menu
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:ismobilejs | AI (dependencies): ismobilejs is a well-known mobile detection library; its use in a UI menu component for touch/mobile handling is legitimate and expected. | ai | |
| phantom-deps | phantom-dep:rc-util | AI (phantom-deps): rc-util is a legitimate declared dependency used internally by rc-menu; phantom-dep detection is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:rc-animate | AI (phantom-deps): rc-animate is a legitimate declared dependency for menu animations; phantom-dep detection is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:object-assign | AI (phantom-deps): object-assign is a legitimate declared dependency used as ES6 polyfill; phantom-dep detection is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:dom-scroll-into-view | AI (phantom-deps): dom-scroll-into-view is a legitimate declared dependency for menu scroll behavior; phantom-dep detection is a false positive for this package. | ai | |
| source-diff | obfuscated-file:es/util.d.ts | AI (source-diff): TypeScript declaration file with long CSS property union type — not obfuscated code. This pattern is stable for rc-menu's build output. | ai | |
| source-diff | obfuscated-file:lib/util.d.ts | AI (source-diff): TypeScript declaration file with long CSS property union type — not obfuscated code. This pattern is stable for rc-menu's build output. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from yiminghe to warmhug occurred in 2016 (~9 years ago); warmhug has a clean track record (4 approved, 0 rejected). This is a stable, legitimate maintainer transition for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): The three added deps (rc-util, object-assign, dom-scroll-into-view) are all legitimate, well-known packages consistent with a React menu component's functionality. No malicious signal. | ai | |
| phantom-deps | phantom-dep:browserify-jsx | AI (phantom-deps): Intentionally declared for browserify config; not a runtime import. Pattern is stable for this package's era and build setup. | ai | |
| dependencies | unvetted-dep:browserify-jsx | AI (dependencies): browserify-jsx is a build-time browserify transform referenced only in config, not imported at runtime. Confirmed phantom dep. No execution risk for consumers of rc-menu. | ai | |
| dependencies | unvetted-dep:browserify-shim | AI (dependencies): browserify-shim is a build-time browserify transform referenced only in config, not imported at runtime. Confirmed phantom dep. No execution risk for consumers of rc-menu. | ai | |
| phantom-deps | phantom-dep:browserify-shim | AI (phantom-deps): Intentionally declared for browserify config; not a runtime import. Pattern is stable for this package's era and build setup. | ai | |
| dependencies | unvetted-dep:rc-overflow | AI (dependencies): rc-overflow is a react-component org package, expected dependency for rc-menu's overflow handling. | ai | |
| provenance | no-provenance | AI (provenance): rc-menu is a long-established react-component org package; lack of Sigstore provenance is common and not a security concern for this package. | ai | |
| dependencies | unvetted-dep:rc-util | AI (dependencies): rc-util is a core react-component ecosystem utility package, expected dependency for rc-menu. | ai | |
| dependencies | unvetted-dep:rc-motion | AI (dependencies): rc-motion is a standard react-component animation package, expected dependency for rc-menu. | ai | |
| dependencies | unvetted-dep:@rc-component/trigger | AI (dependencies): @rc-component/trigger is the standard popup trigger package from the same org, expected for rc-menu's submenu functionality. | ai | |
Versions (showing 51 of 223)
| Version | Deps | Published |
|---|---|---|
| 9.16.0 | 6 / 25 | |
| 9.15.1 | 6 / 22 | |
| 9.15.0 | 6 / 22 | |
| 9.14.1 | 6 / 21 | |
| 9.14.0 | 6 / 21 | |
| 9.13.0 | 6 / 21 | |
| 9.12.4 | 6 / 21 | |
| 9.12.3 | 6 / 19 | |
| 9.12.2 | 6 / 19 | |
| 9.12.1 | 6 / 19 | |
| 9.12.0 | 6 / 19 | |
| 9.11.1 | 6 / 19 | |
| 9.11.0 | 6 / 19 | |
| 9.10.0 | 6 / 19 | |
| 9.9.2 | 6 / 19 | |
| 9.9.1 | 6 / 19 | |
| 9.9.0 | 6 / 19 | |
| 9.8.4 | 6 / 19 | |
| 9.8.3 | 6 / 19 | |
| 9.8.2 | 6 / 19 | |
| 9.8.1 | 7 / 19 | |
| 9.8.0 | 7 / 19 | |
| 9.7.2 | 7 / 19 | |
| 9.7.1 | 7 / 19 | |
| 9.7.0 | 7 / 19 | |
| 9.6.4 | 7 / 18 | |
| 9.6.3 | 7 / 18 | |
| 9.6.2 | 7 / 18 | |
| 9.6.1 | 7 / 18 | |
| 9.6.0 | 7 / 20 | |
| 9.5.5 | 7 / 20 | |
| 9.5.4 | 7 / 20 | |
| 9.5.3 | 7 / 20 | |
| 9.5.2 | 7 / 20 | |
| 9.5.1 | 7 / 20 | |
| 9.1.1 | 7 / 20 | |
| 9.1.0 | 7 / 20 | |
| 9.0.14 | 7 / 20 | |
| 9.0.13 | 7 / 20 | |
| 9.0.12 | 7 / 20 | |
| 9.0.11 | 7 / 20 | |
| 9.0.10 | 7 / 20 | |
| 9.0.9 | 7 / 20 | |
| 9.0.8 | 7 / 20 | |
| 9.0.7 | 7 / 20 | |
| 9.0.6 | 7 / 20 | |
| 9.0.5 | 7 / 20 | |
| 9.0.4 | 7 / 20 | |
| 9.0.3 | 7 / 20 | |
| 9.0.2 | 7 / 20 | |
| 8.10.8 | 8 / 18 | |