rc-notification
notification ui component for react
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/rc-notification.js | AI (source-diff): Standard webpack UMD bundle; 'network+exec' is false positive from webpack boilerplate patterns. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Major version bump added dist/ bundles and compiled output; size increase is expected. | ai | |
| source-diff | net-exec-file:dist/rc-notification.min.js | AI (source-diff): Minified webpack UMD bundle; same false positive as the non-minified version. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): yiminghe's removal is part of the long-standing Ant Design team transition for the react-component org. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): Ant Design team (benjycui, afc163, zombiej, madccc) legitimately maintains the react-component org; yiminghe was the original creator who handed off. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): All added maintainers are established Ant Design team members with extensive npm track records. | ai | |
| — | publisher-changed | — | sean | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps rc-animate and rc-util are canonical react-component ecosystem packages from the same org/maintainer; not a supply-chain risk for this package. | ai | |
| provenance | no-provenance | AI (provenance): Established package with 2.3M weekly downloads published long before Sigstore provenance was available on npm. Absence is expected and not a risk signal here. | ai | |
| dependencies | unvetted-dep:rc-animate | AI (dependencies): rc-animate is a sibling react-component org package, a standard and expected dependency for this UI component. Not a security concern. | ai | |
Versions (showing 32 of 32)
| Version | Deps | Published |
|---|---|---|
| 5.6.4 | 4 / 24 | |
| 5.6.3 | 4 / 24 | |
| 5.6.2 | 4 / 24 | |
| 5.6.1 | 4 / 24 | |
| 5.6.0 | 4 / 24 | |
| 5.5.0 | 4 / 24 | |
| 5.4.0 | 4 / 24 | |
| 5.3.0 | 4 / 24 | |
| 5.2.0 | 4 / 24 | |
| 5.1.1 | 4 / 24 | |
| 5.1.0 | 4 / 24 | |
| 5.0.5 | 4 / 19 | |
| 5.0.4 | 4 / 19 | |
| 5.0.3 | 4 / 19 | |
| 5.0.2 | 4 / 19 | |
| 5.0.1 | 4 / 19 | |
| 5.0.0 | 4 / 19 | |
| 4.6.1 | 4 / 19 | |
| 4.6.0 | 4 / 19 | |
| 4.5.7 | 4 / 17 | |
| 4.5.6 | 4 / 17 | |
| 4.5.5 | 4 / 15 | |
| 4.5.4 | 4 / 15 | |
| 4.5.3 | 4 / 15 | |
| 4.5.2 | 4 / 15 | |
| 4.5.1 | 4 / 15 | |
| 4.5.0 | 4 / 14 | |
| 2.0.4 | 5 / 6 | |
| 1.3.4 | 3 / 6 | |
| 1.3.3 | 3 / 6 | |
| 1.0.1 | 1 / 5 | |
| 1.0.0 | 1 / 5 | |
v5.6.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.3
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-02-07. This could indicate a legitimate maintainer transition or an account compromise.
v5.6.2
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-09-27. This could indicate a legitimate maintainer transition or an account compromise.
v5.6.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.5.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.4.0
3 findings
All previous maintainers (yiminghe) were replaced by new maintainers (benjycui, yesmeck, afc163, valleykid, nikogu, paranoidjk, zombiej, madccc). This is a strong signal of a potential package hijack and requires careful review.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-03-04. This could indicate a legitimate maintainer transition or an account compromise.
v5.3.0
3 findings
All previous maintainers (yiminghe) were replaced by new maintainers (benjycui, yesmeck, afc163, valleykid, nikogu, paranoidjk, zombiej, madccc). This is a strong signal of a potential package hijack and requires careful review.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-10-23. This could indicate a legitimate maintainer transition or an account compromise.
v5.2.0
3 findings
All previous maintainers (yiminghe) were replaced by new maintainers (benjycui, yesmeck, afc163, valleykid, nikogu, paranoidjk, zombiej, madccc). This is a strong signal of a potential package hijack and requires careful review.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-09-13. This could indicate a legitimate maintainer transition or an account compromise.
v5.1.1
3 findings
All previous maintainers (yiminghe) were replaced by new maintainers (benjycui, yesmeck, afc163, valleykid, nikogu, paranoidjk, zombiej, madccc). This is a strong signal of a potential package hijack and requires careful review.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-08-29. This could indicate a legitimate maintainer transition or an account compromise.
v5.1.0
3 findings
All previous maintainers (yiminghe) were replaced by new maintainers (benjycui, yesmeck, afc163, valleykid, nikogu, paranoidjk, zombiej, madccc). This is a strong signal of a potential package hijack and requires careful review.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-08-29. This could indicate a legitimate maintainer transition or an account compromise.
v5.0.5
3 findings
All previous maintainers (yiminghe) were replaced by new maintainers (benjycui, yesmeck, afc163, valleykid, nikogu, paranoidjk, zombiej). This is a strong signal of a potential package hijack and requires careful review.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-07-20. This could indicate a legitimate maintainer transition or an account compromise.
v5.0.4
3 findings
All previous maintainers (yiminghe) were replaced by new maintainers (benjycui, yesmeck, afc163, valleykid, nikogu, paranoidjk, zombiej). This is a strong signal of a potential package hijack and requires careful review.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-05-10. This could indicate a legitimate maintainer transition or an account compromise.
v5.0.3
3 findings
All previous maintainers (yiminghe) were replaced by new maintainers (benjycui, yesmeck, afc163, valleykid, nikogu, paranoidjk, zombiej). This is a strong signal of a potential package hijack and requires careful review.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-03-10. This could indicate a legitimate maintainer transition or an account compromise.
v5.0.2
3 findings
All previous maintainers (yiminghe) were replaced by new maintainers (benjycui, yesmeck, afc163, valleykid, nikogu, paranoidjk, zombiej). This is a strong signal of a potential package hijack and requires careful review.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-01-12. This could indicate a legitimate maintainer transition or an account compromise.
v5.0.1
3 findings
All previous maintainers (yiminghe) were replaced by new maintainers (benjycui, yesmeck, afc163, valleykid, nikogu, paranoidjk, zombiej). This is a strong signal of a potential package hijack and requires careful review.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-01-12. This could indicate a legitimate maintainer transition or an account compromise.
v5.0.0
3 findings
All previous maintainers (yiminghe) were replaced by new maintainers (benjycui, yesmeck, afc163, valleykid, nikogu, paranoidjk, zombiej). This is a strong signal of a potential package hijack and requires careful review.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-12-29. This could indicate a legitimate maintainer transition or an account compromise.
v4.6.1
3 findings
All previous maintainers (yiminghe) were replaced by new maintainers (benjycui, yesmeck, afc163, valleykid, nikogu, paranoidjk, zombiej). This is a strong signal of a potential package hijack and requires careful review.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-11-01. This could indicate a legitimate maintainer transition or an account compromise.
v4.6.0
3 findings
All previous maintainers (yiminghe) were replaced by new maintainers (benjycui, yesmeck, afc163, valleykid, nikogu, paranoidjk, zombiej). This is a strong signal of a potential package hijack and requires careful review.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-14. This could indicate a legitimate maintainer transition or an account compromise.
v4.5.7
3 findings
All previous maintainers (yiminghe) were replaced by new maintainers (benjycui, yesmeck, afc163, valleykid, nikogu, paranoidjk, zombiej). This is a strong signal of a potential package hijack and requires careful review.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-05-30. This could indicate a legitimate maintainer transition or an account compromise.
v4.5.6
3 findings
All previous maintainers (yiminghe) were replaced by new maintainers (benjycui, yesmeck, afc163, valleykid, nikogu, paranoidjk, zombiej). This is a strong signal of a potential package hijack and requires careful review.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-05-28. This could indicate a legitimate maintainer transition or an account compromise.
v4.5.5
3 findings
All previous maintainers (yiminghe) were replaced by new maintainers (benjycui, yesmeck, afc163, valleykid, nikogu, paranoidjk, zombiej). This is a strong signal of a potential package hijack and requires careful review.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-03-02. This could indicate a legitimate maintainer transition or an account compromise.
v4.5.4
3 findings
All previous maintainers (yiminghe) were replaced by new maintainers (benjycui, yesmeck, afc163, valleykid, nikogu, paranoidjk, zombiej). This is a strong signal of a potential package hijack and requires careful review.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-10-30. This could indicate a legitimate maintainer transition or an account compromise.
v4.5.3
3 findings
All previous maintainers (yiminghe) were replaced by new maintainers (benjycui, yesmeck, afc163, valleykid, nikogu, paranoidjk, zombiej). This is a strong signal of a potential package hijack and requires careful review.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-10-30. This could indicate a legitimate maintainer transition or an account compromise.
v4.5.2
3 findings
All previous maintainers (yiminghe) were replaced by new maintainers (benjycui, yesmeck, afc163, valleykid, nikogu, paranoidjk, zombiej). This is a strong signal of a potential package hijack and requires careful review.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-09-27. This could indicate a legitimate maintainer transition or an account compromise.
v4.5.1
3 findings
All previous maintainers (yiminghe) were replaced by new maintainers (benjycui, yesmeck, afc163, valleykid, nikogu, paranoidjk, zombiej). This is a strong signal of a potential package hijack and requires careful review.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-09-27. This could indicate a legitimate maintainer transition or an account compromise.
v4.5.0
3 findings
All previous maintainers (yiminghe) were replaced by new maintainers (benjycui, yesmeck, afc163, valleykid, nikogu, paranoidjk, zombiej). This is a strong signal of a potential package hijack and requires careful review.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-09-27. This could indicate a legitimate maintainer transition or an account compromise.
v2.0.4
5 findings
All previous maintainers (yiminghe) were replaced by new maintainers (paranoidjk). This is a strong signal of a potential package hijack and requires careful review.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-07-31. This could indicate a legitimate maintainer transition or an account compromise.
v1.3.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.