react-jsonschema-form
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Publisher change n1k0→glasserc in 2017 reflects a legitimate Mozilla team maintainer transition; glasserc has 52 approved packages and 0 rejected. Stable for this package. | ai | |
| source-diff | obfuscated-file:dist/editor.worker.js | AI (source-diff): Monaco Editor webpack worker bundle — standard minified webpack IIFE output with accompanying source map. Not obfuscation; legitimate build artifact for this package. | ai | |
| source-diff | obfuscated-file:dist/json.worker.js | AI (source-diff): Monaco Editor JSON language worker bundle — standard minified webpack IIFE output with accompanying source map. Not obfuscation; legitimate build artifact for this package. | ai | |
| source-diff | net-exec-file:dist/json.worker.js | AI (source-diff): Monaco JSON worker uses web worker messaging and dynamic module loading by design. Pattern matches are false positives for this well-known language server worker bundle. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): core-js and babel-runtime are canonical Babel ecosystem polyfill/runtime packages; their addition is a standard build practice for this type of library, not a supply chain risk. | ai | |
Versions (showing 51 of 101)
| Version | Deps | Published |
|---|---|---|
| 1.8.1 | 8 / 53 | |
| 1.8.0 | 8 / 53 | |
| 1.7.0 | 10 / 50 | |
| 1.6.1 | 6 / 49 | |
| 1.6.0 | 6 / 49 | |
| 1.5.0 | 5 / 49 | |
| 1.4.1 | 5 / 49 | |
| 1.4.0 | 5 / 49 | |
| 1.3.0 | 5 / 49 | |
| 1.2.1 | 5 / 49 | |
| 1.2.0 | 5 / 49 | |
| 1.1.0 | 5 / 49 | |
| 1.0.7 | 5 / 49 | |
| 1.0.6 | 5 / 49 | |
| 1.0.5 | 5 / 48 | |
| 1.0.4 | 5 / 48 | |
| 1.0.3 | 4 / 47 | |
| 1.0.2 | 4 / 47 | |
| 1.0.1 | 4 / 47 | |
| 1.0.0 | 4 / 47 | |
| 0.51.0 | 4 / 42 | |
| 0.50.1 | 4 / 42 | |
| 0.50.0 | 4 / 42 | |
| 0.49.0 | 4 / 42 | |
| 0.48.2 | 4 / 43 | |
| 0.48.1 | 4 / 43 | |
| 0.48.0 | 3 / 44 | |
| 0.47.0 | 3 / 44 | |
| 0.46.0 | 3 / 43 | |
| 0.45.0 | 3 / 43 | |
| 0.44.0 | 3 / 43 | |
| 0.43.0 | 3 / 39 | |
| 0.42.0 | 3 / 39 | |
| 0.41.2 | 3 / 39 | |
| 0.41.1 | 2 / 39 | |
| 0.41.0 | 2 / 39 | |
| 0.40.0 | 2 / 37 | |
| 0.39.0 | 2 / 37 | |
| 0.38.1 | 2 / 37 | |
| 0.38.0 | 2 / 37 | |
| 0.37.0 | 2 / 37 | |
| 0.36.1 | 2 / 37 | |
| 0.36.0 | 2 / 37 | |
| 0.35.1 | 3 / 37 | |
| 0.35.0 | 3 / 37 | |
| 0.34.1 | 3 / 37 | |
| 0.34.0 | 3 / 37 | |
| 0.33.3 | 3 / 37 | |
| 0.33.2 | 3 / 37 | |
| 0.33.1 | 3 / 37 | |
| 0.33.0 | 3 / 37 |
v1.8.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.0
4 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.7.0
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.6.1
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.6.0
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.5.0
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.4.1
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.4.0
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.3.0
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.2.1
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.2.0
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.1.0
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.0.7
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.0.6
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.0.5
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.0.4
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.0.3
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.0.2
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v1.0.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.51.0
2 findings: This version was published by a different npm account than previous versions on 2017-10-09. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.50.1
2 findings: This version was published by a different npm account than previous versions on 2017-09-07. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.50.0
2 findings: This version was published by a different npm account than previous versions on 2017-09-06. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.49.0
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.48.2
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.48.1
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.48.0
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.47.0
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.46.0
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.45.0
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.44.0
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.43.0
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.42.0
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.41.2
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.41.1
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.41.0
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.40.0
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.39.0
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.38.1
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.38.0
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.37.0
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.36.1
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.36.0
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.35.1
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.35.0
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.34.1
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.34.0
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.33.3
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.33.2
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.33.1
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.33.0
1 finding: Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.