← Home

rc-tree

npm Repository Homepage

tree ui component for react

100
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

benjycuiyesmeckafc163yiminghewarmhugvalleykidparanoidjkzombiej07akionichenshuai2144madccc

Keywords

reactreact-componentreact-treetree

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff obfuscated-file:dist/docs__changelog.md.8c473e4c.async.js AI (source-diff): Dumi-generated changelog documentation bundle; filename and content confirm it is a documentation artifact. ai
source-diff net-exec-file:dist/umi.8e6eb0fb.js AI (source-diff): False positive on dumi documentation bundle; network calls and dynamic execution are part of the documentation site framework, not dropper malware. ai
source-diff obfuscated-file:dist/umi.8e6eb0fb.js AI (source-diff): Main dumi documentation site bundle; umi is the underlying framework for dumi, listed in devDependencies. Not a malicious payload. ai
source-diff obfuscated-file:dist/docs__index.md.5b5294b4.async.js AI (source-diff): Dumi-generated index documentation bundle; filename and content confirm it is a documentation artifact. ai
source-diff obfuscated-file:dist/163.a6ff75d0.async.js AI (source-diff): Standard webpack minified chunk from dumi documentation build; contains recognizable React/rc-tree UI code, not malicious obfuscation. ai
source-diff obfuscated-file:dist/268.0293213a.async.js AI (source-diff): Standard webpack minified chunk from dumi documentation build; contains tree node rendering and drag-drop logic, not malicious obfuscation. ai
source-diff obfuscated-file:dist/318.34673772.async.js AI (source-diff): Standard webpack minified chunk from dumi documentation build; contains scroll-lock utility code, not malicious obfuscation. ai
source-diff obfuscated-file:dist/671.c4a5fc0b.async.js AI (source-diff): Standard webpack minified chunk from dumi documentation build; contains key code constants and React utilities, not malicious obfuscation. ai
source-diff obfuscated-file:dist/972.b88d23ad.async.js AI (source-diff): Standard webpack minified chunk from dumi documentation build; contains SVG icon and tree demo code, not malicious obfuscation. ai
source-diff obfuscated-file:dist/demos.6080cc4f.async.js AI (source-diff): Dumi demo bundle with tree data generation utilities; clearly legitimate documentation artifact. ai
source-diff source-size-tripled AI (source-diff): Size increase explained by addition of dist/ UMD bundles (rc-tree.js + rc-tree.min.js) not present in prior approved version. Legitimate build artifact addition. ai
source-diff net-exec-file:dist/rc-tree.js AI (source-diff): Standard webpack UMD bundle; 'network calls' are require('react')/require('react-dom') imports, 'code execution' is webpack's module loader pattern. No actual network I/O or shell execution. ai
source-diff net-exec-file:dist/rc-tree.min.js AI (source-diff): Minified webpack UMD bundle — same pattern as rc-tree.js. False positive; no malicious network or exec behavior present. ai
provenance publisher-changed AI (provenance): Publisher change warmhug→yiminghe occurred in 2015 and reflects a legitimate maintainer transition within the react-component org. yiminghe is a well-known contributor; no compromise indicators. ai
publish-pattern new-deps-added AI (publish-pattern): rc-animate and object-assign are legitimate, well-known packages from the same react-component ecosystem and a standard polyfill respectively. No malicious signal. ai
dependencies unvetted-dep:rc-motion AI (dependencies): rc-motion is a canonical react-component org animation package, same publisher ecosystem as rc-tree. Stable false positive for this package. ai
dependencies unvetted-dep:rc-util AI (dependencies): rc-util is a canonical react-component org utility package, same publisher ecosystem as rc-tree. Stable false positive for this package. ai
provenance no-provenance AI (provenance): Established package (3982 days old, 316 versions) from a trusted publisher; lack of provenance is expected for packages predating Sigstore adoption. ai
dependencies unvetted-dep:rc-virtual-list AI (dependencies): rc-virtual-list is a canonical react-component org virtualization package, same publisher ecosystem as rc-tree. Stable false positive for this package. ai

Versions (showing 100 of 266)

Version Deps Published
5.13.1 5 / 28
5.13.0 5 / 28
5.12.4 5 / 28
5.12.3 5 / 28
5.12.2 5 / 28
5.12.1 5 / 28
5.12.0 5 / 28
5.11.0 5 / 28
5.10.1 5 / 28
5.10.0 5 / 28
5.9.0 5 / 24
5.8.8 5 / 24
5.8.7 5 / 24
5.8.6 5 / 24
5.8.5 5 / 24
5.8.3 5 / 23
5.8.2 5 / 23
5.8.1 5 / 23
5.8.0 5 / 23
5.7.12 5 / 23
5.7.11 5 / 23
5.7.10 5 / 23
5.7.9 5 / 23
5.7.8 5 / 23
5.7.6 5 / 23
5.7.5 5 / 23
5.7.4 5 / 23
5.7.3 5 / 23
5.7.2 5 / 23
5.7.1 5 / 23
5.7.0 5 / 23
5.6.9 5 / 23
5.6.8 5 / 23
5.6.7 5 / 23
5.6.6 5 / 23
5.6.5 5 / 23
5.6.4 5 / 23
5.6.3 5 / 23
5.6.2 5 / 23
5.6.1 5 / 21
5.6.0 5 / 21
5.5.0 5 / 21
5.4.4 5 / 21
5.4.3 5 / 21
5.4.2 5 / 21
5.4.1 5 / 21
5.4.0 5 / 21
5.3.8 5 / 21
5.3.7 5 / 21
5.3.6 5 / 21
5.3.5 5 / 21
5.3.4 5 / 21
5.3.3 5 / 21
5.3.2 5 / 21
5.3.1 5 / 21
5.3.0 5 / 21
5.2.2 5 / 21
5.2.1 5 / 21
5.2.0 5 / 21
5.1.0 5 / 21
5.0.5 5 / 21
5.0.4 5 / 21
5.0.3 5 / 21
5.0.2 5 / 21
5.0.1 5 / 21
5.0.0 5 / 21
4.2.2 5 / 20
4.2.1 5 / 20
4.2.0 5 / 20
4.1.5 5 / 21
4.1.4 5 / 21
4.1.3 5 / 21
4.1.2 5 / 21
4.1.1 5 / 19
4.1.0 5 / 19
4.0.0 5 / 19
3.11.0 5 / 19
3.10.0 5 / 19
3.9.5 5 / 19
3.9.4 5 / 19
3.9.3 5 / 19
3.9.2 5 / 19
3.9.1 5 / 19
3.9.0 5 / 19
3.8.5 5 / 19
3.8.4 5 / 19
3.8.3 5 / 19
3.8.2 5 / 19
3.8.1 5 / 19
3.8.0 5 / 19
3.7.0 5 / 19
3.6.0 5 / 19
3.5.0 5 / 18
3.4.0 5 / 18
3.3.1 5 / 18
3.3.0 5 / 18
3.2.2 4 / 18
3.2.1 4 / 18
3.2.0 4 / 18
3.1.10 6 / 17
Showing 100 of 266 Next page →