rc-tree
tree ui component for react
51
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
benjycuiyesmeckafc163yiminghewarmhugvalleykidparanoidjkzombiej07akionichenshuai2144madccc
Keywords
reactreact-componentreact-treetree
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/docs__changelog.md.8c473e4c.async.js | AI (source-diff): Dumi-generated changelog documentation bundle; filename and content confirm it is a documentation artifact. | ai | |
| source-diff | net-exec-file:dist/umi.8e6eb0fb.js | AI (source-diff): False positive on dumi documentation bundle; network calls and dynamic execution are part of the documentation site framework, not dropper malware. | ai | |
| source-diff | obfuscated-file:dist/umi.8e6eb0fb.js | AI (source-diff): Main dumi documentation site bundle; umi is the underlying framework for dumi, listed in devDependencies. Not a malicious payload. | ai | |
| source-diff | obfuscated-file:dist/docs__index.md.5b5294b4.async.js | AI (source-diff): Dumi-generated index documentation bundle; filename and content confirm it is a documentation artifact. | ai | |
| source-diff | obfuscated-file:dist/163.a6ff75d0.async.js | AI (source-diff): Standard webpack minified chunk from dumi documentation build; contains recognizable React/rc-tree UI code, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/268.0293213a.async.js | AI (source-diff): Standard webpack minified chunk from dumi documentation build; contains tree node rendering and drag-drop logic, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/318.34673772.async.js | AI (source-diff): Standard webpack minified chunk from dumi documentation build; contains scroll-lock utility code, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/671.c4a5fc0b.async.js | AI (source-diff): Standard webpack minified chunk from dumi documentation build; contains key code constants and React utilities, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/972.b88d23ad.async.js | AI (source-diff): Standard webpack minified chunk from dumi documentation build; contains SVG icon and tree demo code, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/demos.6080cc4f.async.js | AI (source-diff): Dumi demo bundle with tree data generation utilities; clearly legitimate documentation artifact. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase explained by addition of dist/ UMD bundles (rc-tree.js + rc-tree.min.js) not present in prior approved version. Legitimate build artifact addition. | ai | |
| source-diff | net-exec-file:dist/rc-tree.js | AI (source-diff): Standard webpack UMD bundle; 'network calls' are require('react')/require('react-dom') imports, 'code execution' is webpack's module loader pattern. No actual network I/O or shell execution. | ai | |
| source-diff | net-exec-file:dist/rc-tree.min.js | AI (source-diff): Minified webpack UMD bundle — same pattern as rc-tree.js. False positive; no malicious network or exec behavior present. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change warmhug→yiminghe occurred in 2015 and reflects a legitimate maintainer transition within the react-component org. yiminghe is a well-known contributor; no compromise indicators. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): rc-animate and object-assign are legitimate, well-known packages from the same react-component ecosystem and a standard polyfill respectively. No malicious signal. | ai | |
| dependencies | unvetted-dep:rc-motion | AI (dependencies): rc-motion is a canonical react-component org animation package, same publisher ecosystem as rc-tree. Stable false positive for this package. | ai | |
| dependencies | unvetted-dep:rc-util | AI (dependencies): rc-util is a canonical react-component org utility package, same publisher ecosystem as rc-tree. Stable false positive for this package. | ai | |
| provenance | no-provenance | AI (provenance): Established package (3982 days old, 316 versions) from a trusted publisher; lack of provenance is expected for packages predating Sigstore adoption. | ai | |
| dependencies | unvetted-dep:rc-virtual-list | AI (dependencies): rc-virtual-list is a canonical react-component org virtualization package, same publisher ecosystem as rc-tree. Stable false positive for this package. | ai |
Versions (showing 51 of 266)
| Version | Deps | Published |
|---|---|---|
| 5.13.1 | 5 / 28 | |
| 5.13.0 | 5 / 28 | |
| 5.12.4 | 5 / 28 | |
| 5.12.3 | 5 / 28 | |
| 5.12.2 | 5 / 28 | |
| 5.12.1 | 5 / 28 | |
| 5.12.0 | 5 / 28 | |
| 5.11.0 | 5 / 28 | |
| 5.10.1 | 5 / 28 | |
| 5.10.0 | 5 / 28 | |
| 5.9.0 | 5 / 24 | |
| 5.8.8 | 5 / 24 | |
| 5.8.7 | 5 / 24 | |
| 5.8.6 | 5 / 24 | |
| 5.8.5 | 5 / 24 | |
| 5.8.3 | 5 / 23 | |
| 5.8.2 | 5 / 23 | |
| 5.8.1 | 5 / 23 | |
| 5.8.0 | 5 / 23 | |
| 5.7.12 | 5 / 23 | |
| 5.7.11 | 5 / 23 | |
| 5.7.10 | 5 / 23 | |
| 5.7.9 | 5 / 23 | |
| 5.7.8 | 5 / 23 | |
| 5.7.6 | 5 / 23 | |
| 5.7.5 | 5 / 23 | |
| 5.7.4 | 5 / 23 | |
| 5.7.3 | 5 / 23 | |
| 5.7.2 | 5 / 23 | |
| 5.7.1 | 5 / 23 | |
| 5.7.0 | 5 / 23 | |
| 5.6.9 | 5 / 23 | |
| 5.6.8 | 5 / 23 | |
| 5.6.7 | 5 / 23 | |
| 5.6.6 | 5 / 23 | |
| 5.6.5 | 5 / 23 | |
| 5.6.4 | 5 / 23 | |
| 5.6.3 | 5 / 23 | |
| 5.6.2 | 5 / 23 | |
| 5.6.1 | 5 / 21 | |
| 5.6.0 | 5 / 21 | |
| 5.5.0 | 5 / 21 | |
| 5.4.4 | 5 / 21 | |
| 5.4.3 | 5 / 21 | |
| 5.4.2 | 5 / 21 | |
| 5.4.1 | 5 / 21 | |
| 5.4.0 | 5 / 21 | |
| 5.3.8 | 5 / 21 | |
| 5.3.7 | 5 / 21 | |
| 5.3.6 | 5 / 21 | |
| 5.3.5 | 5 / 21 |