rc-trigger
base abstract trigger component for react
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between the published tarball and the public source: nothing attests which commit and which CI workflow produced the artifact, so a tarball uploaded from a compromised maintainer account is indistinguishable from a clean release. The axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | source-size-tripled | AI (source-diff): Size increase is explained by React 15.5 migration adding babel-runtime, create-react-class, and prop-types deps plus compiled ES/lib output; no injected payload indicators. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): afc163 and benjycui are known ant-design/react-component ecosystem contributors; addition is a legitimate team expansion for this org-owned package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps (rc-align, rc-animate, rc-util) are sibling react-component packages from the same maintainer ecosystem; natural evolution for this trigger component. | ai | |
| dependencies | unvetted-dep:rc-animate | AI (dependencies): rc-animate is a sibling package in the react-component ecosystem maintained by the same team; standard dependency for rc-trigger across all versions. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): rc-trigger is a 10+ year old established React component with 154 versions; 0.0.0 is a historical bootstrap version, not a malicious throwaway package. | ai | |
| dependencies | unvetted-dep:rc-motion | AI (dependencies): rc-motion is a sibling react-component ecosystem package for animations. Stable dependency for this package. | ai | |
| dependencies | unvetted-dep:rc-align | AI (dependencies): rc-align is a sibling react-component ecosystem package used for positioning. Stable dependency for this package. | ai | |
| dependencies | unvetted-dep:rc-util | AI (dependencies): rc-util is a sibling react-component ecosystem package, consistently used across rc-* libraries. Stable dependency for this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): afc163/yiminghe/benjycui are legitimate Ant Design / react-component ecosystem maintainers; spam flag is a false positive for this well-established package family. | ai | |
| provenance | publisher-changed | AI (provenance): The zombiej → afc163 transition in 2021 is a documented, legitimate handoff within the react-component org. No compromise indicators. | ai | |
| provenance | no-provenance | AI (provenance): rc-trigger is a long-established package from the react-component org; lack of Sigstore provenance is common and not a meaningful risk signal here. | ai | |
Versions (showing 43 of 43)
| Version | Deps | Published |
|---|---|---|
| 5.3.3 | 5 / 18 | |
| 5.3.2 | 5 / 18 | |
| 5.3.1 | 5 / 16 | |
| 5.2.19 | 5 / 16 | |
| 5.2.18 | 5 / 16 | |
| 5.2.17 | 5 / 16 | |
| 5.2.16 | 5 / 16 | |
| 5.2.15 | 5 / 18 | |
| 5.2.14 | 5 / 18 | |
| 5.2.13 | 5 / 18 | |
| 5.2.12 | 5 / 18 | |
| 5.2.11 | 5 / 18 | |
| 5.2.10 | 5 / 17 | |
| 5.2.9 | 5 / 17 | |
| 5.2.8 | 5 / 17 | |
| 5.2.7 | 5 / 17 | |
| 5.2.6 | 5 / 17 | |
| 5.2.5 | 5 / 17 | |
| 5.2.4 | 5 / 16 | |
| 5.2.3 | 5 / 16 | |
| 5.2.2 | 5 / 16 | |
| 5.2.1 | 5 / 16 | |
| 5.2.0 | 5 / 16 | |
| 5.1.2 | 5 / 16 | |
| 5.1.1 | 5 / 16 | |
| 5.1.0 | 5 / 16 | |
| 5.0.9 | 5 / 15 | |
| 5.0.8 | 5 / 15 | |
| 5.0.7 | 5 / 15 | |
| 5.0.6 | 5 / 15 | |
| 5.0.5 | 5 / 15 | |
| 5.0.4 | 5 / 15 | |
| 5.0.3 | 5 / 15 | |
| 5.0.2 | 5 / 15 | |
| 5.0.1 | 5 / 15 | |
| 5.0.0 | 5 / 15 | |
| 4.4.3 | 6 / 13 | |
| 4.4.2 | 6 / 13 | |
| 4.4.1 | 6 / 13 | |
| 4.4.0 | 6 / 13 | |
| 1.11.0 | 6 / 9 | |
| 0.1.0 | 3 / 10 | |
| 0.0.0 | 0 / 7 |
v4.4.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.4.2
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-08-31. This could indicate a legitimate maintainer transition or an account compromise.
v4.4.1
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-08-28. This could indicate a legitimate maintainer transition or an account compromise.
v4.4.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-08-05. This could indicate a legitimate maintainer transition or an account compromise.
v1.11.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
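The two per-version findings above (no provenance, publisher changed) and the provenance note at the top of the page can be reproduced from the registry metadata alone. The following is an added example, not the page's scanner or any rc-trigger project code: it reads the npm packument shape (the JSON returned by GET https://registry.npmjs.org/<name>), where `versions[v].dist.attestations.provenance.predicateType` is present only for releases made with `npm publish --provenance` and `versions[v]._npmUser.name` is the account that ran the publish. The packument below is constructed for the example; the zombiej → afc163 handoff and the 2020-08-05 date mirror the findings above, while version 99.0.0 is a hypothetical release with provenance so the positive case is exercised. Publisher changes are detected against the immediately preceding version only.

```python
"""Reproduce the no-provenance and publisher-changed checks from npm packument data.

Added example, not the page's scanner. Field names (_npmUser, dist.attestations,
time) follow the npm registry packument format; the sample data is constructed.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample packument: only the fields the checks read. Version 99.0.0
# is hypothetical and exists to show a release that does carry provenance.
SAMPLE_PACKUMENT = {
    "name": "rc-trigger",
    "time": {
        "4.3.4": "2020-07-01T00:00:00.000Z",
        "4.4.0": "2020-08-05T00:00:00.000Z",
        "4.4.1": "2020-08-28T00:00:00.000Z",
        "99.0.0": "2030-01-01T00:00:00.000Z",
    },
    "versions": {
        "4.3.4": {"_npmUser": {"name": "zombiej"},
                  "dist": {"tarball": "https://registry.npmjs.org/rc-trigger/-/rc-trigger-4.3.4.tgz"}},
        "4.4.0": {"_npmUser": {"name": "afc163"},
                  "dist": {"tarball": "https://registry.npmjs.org/rc-trigger/-/rc-trigger-4.4.0.tgz"}},
        "4.4.1": {"_npmUser": {"name": "afc163"},
                  "dist": {"tarball": "https://registry.npmjs.org/rc-trigger/-/rc-trigger-4.4.1.tgz"}},
        "99.0.0": {"_npmUser": {"name": "afc163"},
                   "dist": {"tarball": "https://registry.npmjs.org/rc-trigger/-/rc-trigger-99.0.0.tgz",
                            "attestations": {
                                "url": "https://registry.npmjs.org/-/npm/v1/attestations/rc-trigger@99.0.0",
                                "provenance": {"predicateType": "https://slsa.dev/provenance/v1"},
                            }}},
    },
}


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric sort key for dotted versions so 5.2.10 sorts after 5.2.9; prerelease tags dropped."""
    core = version.split("-", 1)[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))


def has_provenance(version_meta: dict) -> bool:
    """True when the version carries a SLSA provenance attestation (set by npm publish --provenance)."""
    attestations = version_meta.get("dist", {}).get("attestations") or {}
    predicate = attestations.get("provenance", {}).get("predicateType", "")
    return "slsa.dev/provenance" in predicate


def publish_day(packument: dict, version: str) -> str:
    """YYYY-MM-DD of the publish, from the packument's time map."""
    stamp: Optional[str] = packument.get("time", {}).get(version)
    return stamp[:10] if stamp else "unknown date"


def review_packument(packument: dict) -> Dict[str, List[str]]:
    """Return {version: [finding, ...]} for versions that trip either check, oldest first."""
    findings: Dict[str, List[str]] = {}
    previous_publisher: Optional[str] = None
    for version in sorted(packument["versions"], key=version_key):
        meta = packument["versions"][version]
        publisher = meta.get("_npmUser", {}).get("name", "<unknown>")
        notes: List[str] = []
        if not has_provenance(meta):
            notes.append("no-provenance: published without Sigstore/SLSA provenance")
        if previous_publisher is not None and publisher != previous_publisher:
            # A different account than the previous release: legitimate handoff or account compromise.
            notes.append(f"publisher-changed: {previous_publisher} -> {publisher} on {publish_day(packument, version)}")
        if notes:
            findings[version] = notes
        previous_publisher = publisher
    return findings


if __name__ == "__main__":
    for version, notes in review_packument(SAMPLE_PACKUMENT).items():
        print(f"v{version}: {len(notes)} finding(s)")
        for note in notes:
            print(f"  [{note}]")
```

Against a real packument the same checks run unchanged; for a package already installed in a project, `npm audit signatures` verifies the registry signatures and, where present, the provenance attestations, and `npm view rc-trigger dist.attestations` shows directly whether the latest release has any.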