← Home

rc-tabs

npm Repository Homepage

tabs ui component for react

23
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

benjycuiyesmeckafc163paranoidjkzombiejpicodothmadccc

Keywords

reactreact-componentreact-tabs

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff obfuscated-file:dist/umi.3bf3bfb4.js AI (source-diff): This is a standard dumi/UMI documentation site webpack bundle. Minification is expected; no malicious content present. ai
source-diff obfuscated-file:dist/docs__index.md.5a678285.async.js AI (source-diff): Standard webpack async chunk containing rc-tabs documentation markdown rendered as React. No malicious content. ai
source-diff obfuscated-file:dist/demos.11f92399.async.js AI (source-diff): Standard webpack async chunk containing rc-tabs demo components for documentation site. No malicious content. ai
source-diff obfuscated-file:dist/76.77709ec5.async.js AI (source-diff): Standard webpack async chunk from dumi documentation build. Contains Redux and invariant utilities, no malicious content. ai
source-diff obfuscated-file:dist/548.62d105c5.async.js AI (source-diff): Standard webpack async chunk from dumi documentation build. Contains React component API table code, no malicious content. ai
source-diff obfuscated-file:dist/242.7c148438.async.js AI (source-diff): Standard webpack async chunk from dumi documentation build. Minified React/SVG component code, no malicious content. ai
source-diff net-exec-file:dist/umi.3bf3bfb4.js AI (source-diff): Network+exec pattern is triggered by normal browser-side webpack module loading in the dumi documentation bundle, not dropper/loader malware. ai
dependencies unvetted-dep:react-hammerjs AI (dependencies): react-hammerjs is a legitimate React wrapper for Hammer.js touch gestures; appropriate dependency for a tabs UI component with swipe support. ai
dependencies unvetted-dep:create-react-context AI (dependencies): create-react-context is a well-known React Context API polyfill used by many major libraries; its use here is legitimate for supporting older React versions. ai
dependencies unvetted-dep:rc-hammerjs AI (dependencies): rc-hammerjs is part of the rc-* ecosystem and pinned to ~0.6.0; stable dependency for this package. ai
source-diff net-exec-file:dist/rc-tabs.js AI (source-diff): Webpack UMD bundle is a legitimate build artifact for React component distribution; webpack's module system is not malicious code. ai
source-diff net-exec-file:dist/rc-tabs.min.js AI (source-diff): Minified webpack bundle is expected for production distribution; no malicious payload detected in sample. ai
dependencies unvetted-dep:rc-css-transition-group AI (dependencies): rc-css-transition-group is a react-component ecosystem package consistent with rc-tabs' purpose; same maintainer lineage, no malicious signals. ai
dependencies unvetted-dep:browserify-shim AI (dependencies): Build-time browserify transform; not a runtime dependency affecting end users. ai
dependencies unvetted-dep:browserify-jsx AI (dependencies): Build-time browserify transform; not a runtime dependency affecting end users. ai
provenance publisher-changed AI (provenance): Publisher change in 2018 reflects legitimate maintainer transition; stable for 6+ years. ai
source-diff source-size-tripled AI (source-diff): Size increase reflects addition of dist/ bundles (normal for component library releases), not injected payload. ai
publish-pattern new-deps-added AI (publish-pattern): lodash is an established, widely-trusted utility library; legitimate addition for a mature component library. ai
maintainer-change maintainer-removed AI (maintainer-change): dxq613 removal is consistent with Ant Design org restructuring; new team is established and trusted. ai
maintainer-change maintainer-added AI (maintainer-change): Maintainer transition occurred in 2018 and is well-established; no compromise indicators. ai
source-diff large-new-source-files AI (source-diff): 27 new files consistent with component library expansion; no obfuscation or malicious patterns detected. ai
maintainer-change maintainer-takeover AI (maintainer-change): Complete maintainer transition in 2017 on established package; 7+ years of stable history post-transition validates legitimacy. ai
phantom-deps phantom-dep:browserify-jsx AI (phantom-deps): browserify-jsx is used as a browserify transform configured in package.json's browserify.transform field, not imported directly in JS. This is the correct usage pattern for browserify transforms. ai
phantom-deps phantom-dep:browserify-shim AI (phantom-deps): browserify-shim is used as a browserify transform/shim configured in package.json, not imported directly. This is the correct usage pattern for browserify-shim. ai
semgrep semgrep:child-process-import AI (semgrep): child_process used in gulpfile.js for build tasks (linting, git tagging); standard development tooling, not in published code. ai
semgrep semgrep:child-process-exec AI (semgrep): exec() in gulpfile.js for git tagging during publish; standard build workflow, not in distributed package. ai
dependencies unvetted-dep:rc-menu AI (dependencies): rc-menu is a well-known react-component ecosystem package; stable dependency for rc-tabs across all versions. ai
provenance no-provenance AI (provenance): Provenance attestation is not yet standard practice in npm ecosystem; absence is not a security concern for this established package. ai
dependencies unvetted-dep:rc-resize-observer AI (dependencies): rc-resize-observer is a standard utility in the react-component ecosystem; stable dependency for rc-tabs. ai
dependencies unvetted-dep:rc-dropdown AI (dependencies): rc-dropdown is a well-known react-component ecosystem package; stable dependency for rc-tabs. ai
dependencies unvetted-dep:rc-motion AI (dependencies): rc-motion is a standard animation package in the react-component ecosystem; stable dependency for rc-tabs. ai
dependencies unvetted-dep:rc-util AI (dependencies): rc-util is a core utility package in the react-component/Ant Design ecosystem; stable dependency for rc-tabs. ai

Versions (showing 23 of 223)

Version Deps Published
5.3.3 1 / 5
5.3.2 1 / 5
5.3.1 1 / 5
5.3.0 1 / 5
5.2.0 1 / 5
5.1.0 1 / 5
5.0.5 1 / 5
5.0.4 1 / 5
5.0.3 1 / 5
5.0.2 1 / 5
5.0.1 1 / 5
5.0.0 1 / 5
4.0.0 0 / 5
3.3.0 0 / 5
3.2.0 0 / 5
3.1.0 0 / 5
3.0.0 0 / 11
2.0.4 1 / 11
2.0.3 0 / 11
2.0.2 2 / 8
2.0.1 2 / 8
2.0.0 2 / 8
1.0.0 2 / 28

v5.2.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.3

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.