← Home

react-jsonschema-form

npm Repository Homepage
1
Versions
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

ametaireauedi9999epicfaaceglassercleplatremmagopiann1k0natimpeterbe

Keywords

reactformjson-schema

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance publisher-changed AI (provenance): Publisher change n1k0→glasserc in 2017 reflects a legitimate Mozilla team maintainer transition; glasserc has 52 approved packages and 0 rejected. Stable for this package. ai
source-diff obfuscated-file:dist/editor.worker.js AI (source-diff): Monaco Editor webpack worker bundle — standard minified webpack IIFE output with accompanying source map. Not obfuscation; legitimate build artifact for this package. ai
source-diff obfuscated-file:dist/json.worker.js AI (source-diff): Monaco Editor JSON language worker bundle — standard minified webpack IIFE output with accompanying source map. Not obfuscation; legitimate build artifact for this package. ai
source-diff net-exec-file:dist/json.worker.js AI (source-diff): Monaco JSON worker uses web worker messaging and dynamic module loading by design. Pattern matches are false positives for this well-known language server worker bundle. ai
publish-pattern new-deps-added AI (publish-pattern): core-js and babel-runtime are canonical Babel ecosystem polyfill/runtime packages; their addition is a standard build practice for this type of library, not a supply chain risk. ai

Versions (showing 1 of 101)

Version Deps Published
0.1.0 1 / 13

v0.1.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.