rc-menu
menu ui component for react
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:ismobilejs | AI (dependencies): ismobilejs is a well-known mobile detection library; its use in a UI menu component for touch/mobile handling is legitimate and expected. | ai | |
| phantom-deps | phantom-dep:rc-util | AI (phantom-deps): rc-util is a legitimate declared dependency used internally by rc-menu; phantom-dep detection is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:rc-animate | AI (phantom-deps): rc-animate is a legitimate declared dependency for menu animations; phantom-dep detection is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:object-assign | AI (phantom-deps): object-assign is a legitimate declared dependency used as ES6 polyfill; phantom-dep detection is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:dom-scroll-into-view | AI (phantom-deps): dom-scroll-into-view is a legitimate declared dependency for menu scroll behavior; phantom-dep detection is a false positive for this package. | ai | |
| source-diff | obfuscated-file:es/util.d.ts | AI (source-diff): TypeScript declaration file with long CSS property union type — not obfuscated code. This pattern is stable for rc-menu's build output. | ai | |
| source-diff | obfuscated-file:lib/util.d.ts | AI (source-diff): TypeScript declaration file with long CSS property union type — not obfuscated code. This pattern is stable for rc-menu's build output. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from yiminghe to warmhug occurred in 2016 (~9 years ago); warmhug has a clean track record (4 approved, 0 rejected). This is a stable, legitimate maintainer transition for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): The three added deps (rc-util, object-assign, dom-scroll-into-view) are all legitimate, well-known packages consistent with a React menu component's functionality. No malicious signal. | ai | |
| phantom-deps | phantom-dep:browserify-jsx | AI (phantom-deps): Intentionally declared for browserify config; not a runtime import. Pattern is stable for this package's era and build setup. | ai | |
| dependencies | unvetted-dep:browserify-jsx | AI (dependencies): browserify-jsx is a build-time browserify transform referenced only in config, not imported at runtime. Confirmed phantom dep. No execution risk for consumers of rc-menu. | ai | |
| dependencies | unvetted-dep:browserify-shim | AI (dependencies): browserify-shim is a build-time browserify transform referenced only in config, not imported at runtime. Confirmed phantom dep. No execution risk for consumers of rc-menu. | ai | |
| phantom-deps | phantom-dep:browserify-shim | AI (phantom-deps): Intentionally declared for browserify config; not a runtime import. Pattern is stable for this package's era and build setup. | ai | |
| dependencies | unvetted-dep:rc-overflow | AI (dependencies): rc-overflow is a react-component org package, expected dependency for rc-menu's overflow handling. | ai | |
| provenance | no-provenance | AI (provenance): rc-menu is a long-established react-component org package; lack of Sigstore provenance is common and not a security concern for this package. | ai | |
| dependencies | unvetted-dep:rc-util | AI (dependencies): rc-util is a core react-component ecosystem utility package, expected dependency for rc-menu. | ai | |
| dependencies | unvetted-dep:rc-motion | AI (dependencies): rc-motion is a standard react-component animation package, expected dependency for rc-menu. | ai | |
| dependencies | unvetted-dep:@rc-component/trigger | AI (dependencies): @rc-component/trigger is the standard popup trigger package from the same org, expected for rc-menu's submenu functionality. | ai |
Versions (showing 23 of 223)
| Version | Deps | Published |
|---|---|---|
| 3.2.3 | 2 / 9 | |
| 3.2.2 | 2 / 9 | |
| 3.2.1 | 2 / 9 | |
| 3.2.0 | 2 / 9 | |
| 3.1.1 | 2 / 9 | |
| 3.1.0 | 2 / 9 | |
| 3.0.1 | 3 / 9 | |
| 3.0.0 | 3 / 9 | |
| 2.2.4 | 5 / 15 | |
| 2.2.2 | 5 / 7 | |
| 2.2.1 | 5 / 7 | |
| 2.2.0 | 3 / 7 | |
| 2.1.2 | 2 / 7 | |
| 2.1.1 | 2 / 7 | |
| 2.1.0 | 2 / 7 | |
| 2.0.4 | 2 / 7 | |
| 2.0.3 | 2 / 7 | |
| 2.0.2 | 2 / 7 | |
| 2.0.1 | 2 / 7 | |
| 2.0.0 | 2 / 7 | |
| 1.0.3 | 2 / 6 | |
| 1.0.2 | 2 / 6 | |
| 1.0.1 | 2 / 6 |
v2.2.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.2.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.