rc-steps
steps ui component for react
51
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
benjycuiyesmeckzhujun24afc163yuhanggeyimingheddcat1115zombiej07akionimadccc
Keywords
reactreact-componentreact-steps
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/umi.js | AI (source-diff): Network+exec pattern triggered by webpack dynamic require machinery and core-js polyfills in the docs bundle, not actual dropper/loader behavior. | ai | |
| phantom-deps | phantom-dep:rc-util | AI (phantom-deps): rc-util is a legitimate runtime dependency in the rc-* ecosystem; phantom-dep detection is a false positive here. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is entirely due to addition of dumi documentation site bundle (dist/umi.js 730KB + dist/umi.css 75KB), not injected payload. | ai | |
| source-diff | obfuscated-file:dist/umi.js | AI (source-diff): dist/umi.js is a dumi documentation site webpack bundle, not library code. Minified webpack output is expected and not malicious for this rc-* docs artifact. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): classnames is a canonical, widely-trusted React ecosystem utility. Its addition to a React UI component is entirely expected and benign. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): afc163 and yiminghe are known react-component org maintainers. This is a legitimate org-level maintainer addition from 2016, not a suspicious takeover. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from zhujun24 to afc163 occurred in Jan 2016; afc163 is a well-established react-component org maintainer with 1138 approved packages. Legitimate transition. | ai | |
| phantom-deps | phantom-dep:rc-css-transition-group | AI (phantom-deps): rc-css-transition-group is a legitimate react-component ecosystem package declared as a runtime dependency; phantom-dep finding reflects older build tooling patterns, not a real risk. | ai | |
| provenance | no-provenance | AI (provenance): rc-steps is a long-established react-component org package; lack of Sigstore provenance is common for this ecosystem and not a meaningful risk signal here. | ai |
Versions (showing 51 of 68)
| Version | Deps | Published |
|---|---|---|
| 6.0.1 | 3 / 27 | |
| 6.0.0 | 3 / 27 | |
| 5.0.0 | 3 / 26 | |
| 4.1.4 | 3 / 21 | |
| 4.1.3 | 3 / 21 | |
| 4.1.2 | 3 / 21 | |
| 4.1.0 | 3 / 21 | |
| 4.0.1 | 3 / 21 | |
| 4.0.0 | 3 / 21 | |
| 3.6.0 | 2 / 14 | |
| 3.5.0 | 4 / 13 | |
| 3.4.1 | 4 / 12 | |
| 3.4.0 | 4 / 12 | |
| 3.3.1 | 4 / 12 | |
| 3.3.0 | 4 / 12 | |
| 3.2.1 | 4 / 12 | |
| 3.2.0 | 4 / 12 | |
| 3.1.1 | 4 / 12 | |
| 3.1.0 | 4 / 12 | |
| 3.0.1 | 4 / 12 | |
| 3.0.0 | 4 / 11 | |
| 2.5.2 | 3 / 5 | |
| 2.5.1 | 3 / 5 | |
| 2.5.0 | 2 / 5 | |
| 2.4.3 | 2 / 5 | |
| 2.4.2 | 2 / 5 | |
| 2.4.1 | 1 / 5 | |
| 2.4.0 | 1 / 5 | |
| 2.3.0 | 1 / 5 | |
| 2.2.4 | 1 / 5 | |
| 2.2.3 | 1 / 5 | |
| 2.2.2 | 1 / 5 | |
| 2.2.1 | 1 / 5 | |
| 2.2.0 | 1 / 5 | |
| 2.1.5 | 1 / 5 | |
| 2.1.4 | 1 / 5 | |
| 2.1.3 | 1 / 5 | |
| 2.1.2 | 1 / 5 | |
| 2.1.1 | 1 / 5 | |
| 2.1.0 | 1 / 5 | |
| 2.0.0 | 1 / 5 | |
| 1.5.4 | 1 / 5 | |
| 1.5.3 | 1 / 5 | |
| 1.5.2 | 1 / 5 | |
| 1.5.1 | 1 / 5 | |
| 1.5.0 | 1 / 5 | |
| 1.4.4 | 1 / 6 | |
| 1.4.3 | 1 / 6 | |
| 1.4.2 | 1 / 6 | |
| 1.4.1 | 0 / 6 | |
| 1.4.0 | 0 / 6 |