rc-table — Greenflagged

table ui component for react

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

benjycuiyesmeckafc163yiminghedxq613paranoidjkzombiejxrkffggmadccc

Keywords

reactreact-tabletablecomponentui

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:browserify-jsx	AI (dependencies): browserify-jsx is a build-time JSX transform tool used in browserify config only; not a runtime dependency with security implications for consumers of rc-table.	ai	2026/04/24
phantom-deps	phantom-dep:rc-util	AI (phantom-deps): rc-util is a legitimate dependency used transitively in rc-table; phantom-dep warnings are expected for this package type.	ai	2026/04/24
phantom-deps	phantom-dep:shallowequal	AI (phantom-deps): shallowequal is a legitimate dependency used transitively; phantom-dep warnings are expected for this package type.	ai	2026/04/24
phantom-deps	phantom-dep:lodash.get	AI (phantom-deps): lodash.get is a legitimate dependency used transitively; phantom-dep warnings are expected for this package type.	ai	2026/04/24
phantom-deps	phantom-dep:warning	AI (phantom-deps): warning is a legitimate dependency used transitively; phantom-dep warnings are expected for this package type.	ai	2026/04/24
phantom-deps	phantom-dep:mini-store	AI (phantom-deps): mini-store is properly declared in dependencies; phantom-dep on stable packages is a false positive.	ai	2026/04/24
phantom-deps	phantom-dep:react-lifecycles-compat	AI (phantom-deps): react-lifecycles-compat is properly declared in dependencies; phantom-dep on stable packages is a false positive.	ai	2026/04/24
phantom-deps	phantom-dep:component-classes	AI (phantom-deps): component-classes is properly declared in dependencies; phantom-dep on stable packages is a false positive.	ai	2026/04/24
phantom-deps	phantom-dep:prop-types	AI (phantom-deps): prop-types is properly declared in dependencies; phantom-dep on stable packages is a false positive.	ai	2026/04/24
phantom-deps	phantom-dep:lodash	AI (phantom-deps): Lodash is properly declared in dependencies and used indirectly; phantom-dep on stable packages is a false positive.	ai	2026/04/24
source-diff	net-exec-file:dist/rc-table.min.js	AI (source-diff): Minified webpack UMD bundle; same false positive pattern as the non-minified dist file. Stable for this package.	ai	2026/04/24
source-diff	net-exec-file:dist/rc-table.js	AI (source-diff): Standard webpack UMD bundle for a React component library; call() and network patterns are from webpack runtime and bundled deps, not malicious.	ai	2026/04/24
source-diff	large-new-source-files	AI (source-diff): rc-table grew from v3.x to v7.x; large file count increase reflects years of legitimate feature development, not injected code.	ai	2026/04/22
publish-pattern	new-deps-added	AI (publish-pattern): All new deps (classnames, rc-util, rc-virtual-list, rc-resize-observer, @babel/runtime, @rc-component/context) are legitimate react-component ecosystem packages.	ai	2026/04/22
source-diff	source-size-tripled	AI (source-diff): Size increase from 9KB to 385KB reflects major version evolution (v3→v7) with TypeScript, virtual list, and other features added over years.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): yiminghe is a known Alibaba/Ant Design contributor and co-maintainer in the same react-component org; transition from dxq613 is a legitimate handoff within the same organization.	ai	2026/04/22
provenance	no-provenance	AI (provenance): Package was published in 2015, well before Sigstore provenance was available; no-provenance is expected for this era.	ai	2026/04/22
maintainer-change	maintainer-added	AI (maintainer-change): yiminghe is a long-standing ecosystem contributor (first seen ~4157 days ago) and is listed as a co-maintainer in package.json; addition is legitimate.	ai	2026/04/22
phantom-deps	phantom-dep:browserify-shim	AI (phantom-deps): browserify-shim is declared in dependencies and referenced in browserify-shim config — not a phantom dep, just an indirect usage pattern.	ai	2026/04/22
phantom-deps	phantom-dep:browserify-jsx	AI (phantom-deps): browserify-jsx is declared in dependencies and referenced in browserify transform config — not a phantom dep, just an indirect usage pattern.	ai	2026/04/22
install-scripts	install-script:install	AI (install-scripts): Install script runs 'gulp config', a standard build configuration step in this package's documented workflow. No network fetching or malicious behavior.	ai	2026/04/22
semgrep	semgrep:child-process-exec	AI (semgrep): cp.exec in gulpfile.js runs git commands for release tagging — standard dev tooling, not reachable at install or runtime.	ai	2026/04/22
semgrep	semgrep:child-process-import	AI (semgrep): child_process is used only in gulpfile.js for dev tooling (git tagging). Not reachable during normal install or runtime.	ai	2026/04/22

Versions (showing 100 of 414)

Version	Deps	Published
7.21.1	5 / 35	2022-01-02
7.21.0	5 / 35	2021-12-01
7.20.5	5 / 34	2021-11-30
7.20.4	5 / 34	2021-11-29
7.20.3	5 / 34	2021-11-26
7.20.2	5 / 34	2021-11-25
7.20.1	5 / 34	2021-11-25
7.20.0	5 / 34	2021-11-25
7.19.2	5 / 35	2021-11-16
7.19.1	5 / 35	2021-11-04
7.19.0	5 / 35	2021-10-19
7.18.1	5 / 35	2021-09-15
7.18.0	5 / 35	2021-09-15
7.17.2	5 / 35	2021-09-01
7.17.1	5 / 35	2021-07-15
7.17.0	5 / 35	2021-06-10
7.16.3	5 / 35	2021-06-06
7.16.2	5 / 35	2021-05-31
7.16.1	5 / 35	2021-05-29
7.16.0	5 / 35	2021-05-27
7.15.2	5 / 35	2021-05-31
7.15.1	5 / 35	2021-05-24
7.15.0	5 / 35	2021-05-24
7.14.1	5 / 35	2021-05-20
7.14.0	5 / 35	2021-03-30
7.13.3	5 / 35	2021-03-18
7.13.2	5 / 35	2021-03-11
7.13.1	5 / 35	2021-01-28
7.13.0	5 / 35	2021-01-27
7.12.5	5 / 35	2021-01-27
7.12.4	5 / 35	2021-01-27
7.12.3	5 / 35	2020-12-25
7.12.2	5 / 35	2020-12-11
7.12.1	5 / 35	2020-12-08
7.12.0	5 / 35	2020-12-08
7.11.3	5 / 31	2020-11-25
7.11.2	5 / 31	2020-11-16
7.11.1	5 / 31	2020-10-30
7.11.0	5 / 31	2020-10-26
7.10.4	5 / 31	2020-10-30
7.10.3	5 / 31	2020-10-21
7.10.2	5 / 31	2020-10-10
7.10.1	6 / 30	2020-10-09
7.10.0	6 / 30	2020-09-30
7.9.10	6 / 30	2020-09-17
7.9.9	6 / 30	2020-09-16
7.9.8	6 / 30	2020-09-14
7.9.7	6 / 30	2020-09-02
7.9.6	6 / 30	2020-08-28
7.9.5	6 / 30	2020-08-25
7.9.4	6 / 30	2020-08-19
7.9.3	6 / 30	2020-08-11
7.9.2	6 / 30	2020-08-07
7.9.1	6 / 30	2020-08-04
7.9.0	6 / 30	2020-07-31
7.8.6	6 / 30	2020-07-22
7.8.5	6 / 30	2020-07-22
7.8.4	6 / 30	2020-07-04
7.8.3	6 / 30	2020-07-02
7.8.2	6 / 30	2020-07-01
7.8.1	6 / 30	2020-06-28
7.8.0	6 / 30	2020-06-12
7.7.2	6 / 30	2020-05-29
7.7.1	5 / 29	2020-05-21
7.7.0	5 / 28	2020-05-10
7.6.7	5 / 27	2020-05-09
7.6.6	5 / 27	2020-05-07
7.6.4	9 / 27	2020-05-07
7.6.3	9 / 27	2020-05-06
7.6.2	9 / 27	2020-05-06
7.6.1	9 / 27	2020-05-06
7.6.0	9 / 27	2020-05-05
7.5.10	5 / 28	2020-05-21
7.5.9	5 / 27	2020-05-09
7.5.8	5 / 27	2020-05-07
7.5.7	9 / 27	2020-05-07
7.5.6	9 / 27	2020-05-06
7.5.5	9 / 27	2020-05-06
7.5.4	9 / 27	2020-05-06
7.5.3	9 / 27	2020-05-01
7.5.2	9 / 27	2020-04-29
7.5.1	9 / 27	2020-04-28
7.5.0	9 / 27	2020-04-26
7.4.5	9 / 27	2020-04-18
7.4.4	9 / 27	2020-04-08
7.4.3	9 / 27	2020-04-01
7.4.2	9 / 27	2020-04-01
7.4.1	9 / 27	2020-04-01
7.4.0	9 / 27	2020-04-01
7.3.14	10 / 27	2020-03-27
7.3.13	10 / 27	2020-03-26
7.3.12	10 / 27	2020-03-25
7.3.11	10 / 27	2020-03-25
7.3.10	10 / 27	2020-03-23
7.3.9	10 / 27	2020-03-22
7.3.8	10 / 27	2020-03-16
7.3.7	10 / 27	2020-03-16
7.3.6	10 / 27	2020-03-13
7.3.5	10 / 27	2020-03-11
7.3.4	10 / 27	2020-03-10

Showing 100 of 414 Next page →