rc-tools
offline tools for react component
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:request | AI (dependencies): request is a well-known HTTP library; deprecated but not malicious. Its use in a build toolchain is benign. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-jsx-a11y | AI (phantom-deps): ESLint plugin referenced in toolchain config files — standard pattern, not a security concern. | ai | |
| phantom-deps | phantom-dep:eslint-config-prettier | AI (phantom-deps): ESLint config referenced in toolchain config files — standard pattern, not a security concern. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-import | AI (phantom-deps): ESLint plugin referenced in config files provided by this toolchain package — standard pattern, not a security concern. | ai | |
| phantom-deps | phantom-dep:url-loader | AI (phantom-deps): Config-referenced dependency in a build tool; stable false positive. | ai | |
| phantom-deps | phantom-dep:less-loader | AI (phantom-deps): Config-referenced dependency in a build tool; stable false positive. | ai | |
| phantom-deps | phantom-dep:style-loader | AI (phantom-deps): Config-referenced dependency in a build tool; stable false positive. | ai | |
| phantom-deps | phantom-dep:normalize.css | AI (phantom-deps): Config-referenced dependency in a build tool; stable false positive. | ai | |
| phantom-deps | phantom-dep:postcss-loader | AI (phantom-deps): Config-referenced dependency in a build tool; stable false positive. | ai | |
| phantom-deps | phantom-dep:babel-preset-env | AI (phantom-deps): Config-referenced dependency in a build tool; stable false positive. | ai | |
| phantom-deps | phantom-dep:console-polyfill | AI (phantom-deps): Config-referenced dependency in a build tool; stable false positive. | ai | |
| phantom-deps | phantom-dep:svg-sprite-loader | AI (phantom-deps): Config-referenced dependency in a build tool; stable false positive. | ai | |
| phantom-deps | phantom-dep:babel-preset-react | AI (phantom-deps): Config-referenced dependency in a build tool; stable false positive. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-react | AI (phantom-deps): Config-referenced dependency in a build tool; stable false positive. | ai | |
| phantom-deps | phantom-dep:babel-preset-stage-0 | AI (phantom-deps): Config-referenced dependency in a build tool; stable false positive. | ai | |
| phantom-deps | phantom-dep:eslint-config-airbnb | AI (phantom-deps): Config-referenced dependency in a build tool; stable false positive. | ai | |
| phantom-deps | phantom-dep:es5-shim | AI (phantom-deps): rc-tools is a build tool that injects config referencing these packages into consumer projects; phantom-dep findings for config-referenced deps are stable false positives for this package. | ai | |
| phantom-deps | phantom-dep:es6-shim | AI (phantom-deps): Same as es5-shim — config-referenced dependency in a build tool, not a security concern. | ai | |
| phantom-deps | phantom-dep:fastclick | AI (phantom-deps): Config-referenced dependency in a build tool; stable false positive. | ai | |
| phantom-deps | phantom-dep:html5shiv | AI (phantom-deps): Config-referenced dependency in a build tool; stable false positive. | ai | |
| phantom-deps | phantom-dep:ts-loader | AI (phantom-deps): Config-referenced dependency in a build tool; stable false positive. | ai | |
| phantom-deps | phantom-dep:css-loader | AI (phantom-deps): Config-referenced dependency in a build tool; stable false positive. | ai | |
| phantom-deps | phantom-dep:es6-promise | AI (phantom-deps): Config-referenced dependency in a build tool; stable false positive. | ai | |
| phantom-deps | phantom-dep:file-loader | AI (phantom-deps): Config-referenced dependency in a build tool; stable false positive. | ai | |
| phantom-deps | phantom-dep:babel-loader | AI (phantom-deps): rc-tools intentionally declares build tool deps loaded by convention; phantom-dep findings are structural false positives for this package. | ai | |
| phantom-deps | phantom-dep:babel-eslint | AI (phantom-deps): rc-tools intentionally declares build tool deps loaded by convention; phantom-dep findings are structural false positives for this package. | ai | |
| phantom-deps | phantom-dep:prettier | AI (phantom-deps): rc-tools is a build tooling meta-package; phantom deps are config-template references for consuming projects, not security issues. | ai | |
| phantom-deps | phantom-dep:@babel/core | AI (phantom-deps): rc-tools is a build tooling meta-package; phantom deps are framework-scoped references loaded by convention, not security issues. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from zombiej to chenshuai2144 occurred in 2019 (5+ years ago) within the react-component org. This is a historical, legitimate maintainer transition, not a recent suspicious takeover. | ai | |
| phantom-deps | phantom-dep:typescript | AI (phantom-deps): rc-tools is a build tooling meta-package; phantom deps are config-template references for consuming projects, not security issues. | ai | |
| phantom-deps | phantom-dep:less | AI (phantom-deps): rc-tools is a build tooling meta-package; phantom deps are config-template references for consuming projects, not security issues. | ai | |
| phantom-deps | phantom-dep:babel-core | AI (phantom-deps): rc-tools is a build tooling meta-package; phantom deps are config-template references for consuming projects, not security issues. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is used to load the consuming project's package.json via resolveCwd — standard and expected pattern for a build tool. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process.spawn is used to run build commands (webpack, gulp, etc.) — core functionality of a CLI build tool, not malicious. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): rc-tools postinstall runs 'node lib/init.js' — a local initialization script for a build toolchain, not fetching remote code. Stable pattern across all versions. | ai | |
Versions (showing 51 of 275)
| Version | Deps | Published |
|---|---|---|
| 9.6.0 | 114 / 5 | |
| 9.3.9 | 115 / 5 | |
| 9.3.6 | 114 / 5 | |
| 9.3.5 | 114 / 5 | |
| 9.2.0 | 97 / 5 | |
| 9.1.2 | 97 / 5 | |
| 8.1.2 | 81 / 2 | |
| 8.0.1 | 81 / 2 | |
| 8.0.0 | 81 / 2 | |
| 7.0.9 | 76 / 1 | |
| 7.0.8 | 75 / 1 | |
| 7.0.7 | 75 / 1 | |
| 7.0.6 | 75 / 1 | |
| 7.0.5 | 75 / 1 | |
| 7.0.3 | 74 / 1 | |
| 7.0.2 | 74 / 1 | |
| 7.0.0 | 74 / 1 | |
| 6.5.7 | 74 / 1 | |
| 6.5.6 | 74 / 1 | |
| 6.5.5 | 74 / 1 | |
| 6.5.4 | 74 / 1 | |
| 6.5.3 | 76 / 1 | |
| 6.5.2 | 77 / 1 | |
| 6.5.1 | 76 / 1 | |
| 6.5.0 | 76 / 1 | |
| 6.4.1 | 74 / 1 | |
| 6.4.0 | 74 / 1 | |
| 6.3.9 | 74 / 1 | |
| 6.3.8 | 74 / 1 | |
| 6.3.7 | 74 / 1 | |
| 6.3.6 | 74 / 1 | |
| 6.3.5 | 74 / 1 | |
| 6.3.4 | 74 / 1 | |
| 6.3.3 | 70 / 1 | |
| 6.3.2 | 69 / 1 | |
| 6.3.1 | 69 / 1 | |
| 6.3.0 | 69 / 1 | |
| 6.2.2 | 69 / 1 | |
| 6.2.1 | 69 / 1 | |
| 6.2.0 | 67 / 1 | |
| 6.1.8 | 67 / 1 | |
| 6.1.7 | 67 / 1 | |
| 6.1.6 | 67 / 1 | |
| 6.1.5 | 67 / 1 | |
| 6.1.4 | 67 / 1 | |
| 6.1.3 | 67 / 1 | |
| 6.1.2 | 67 / 1 | |
| 6.1.1 | 67 / 1 | |
| 6.1.0 | 66 / 1 | |
| 6.0.5 | 67 / 1 | |
| 6.0.4 | 67 / 1 | |
v9.6.0
2 findings
This version was published by a different npm account than previous versions on 2019-05-18. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.3.9
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.3.6
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.3.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.2.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.1.2
2 findings
Script: node lib/init.js
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.1.2
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-07-03. This could indicate a legitimate maintainer transition or an account compromise.
v8.0.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.