← Home

react-popper-tooltip

npm Repository

React tooltip library built around react-popper

56
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

denisborovikovmohsinulhaq

Keywords

reacttooltippopoveroverlayreact-tooltipreact-popper

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
publish-pattern new-deps-added AI (publish-pattern): Addition of @popperjs/core is expected for react-popper-tooltip v3 which migrated to Popper.js v2; this is a legitimate, well-known dependency. ai
provenance missing-githead AI (provenance): Established package with clean publish history; missing gitHead is a minor CI environment change, not a security signal for this well-known library. ai
provenance no-provenance AI (provenance): Package predates Sigstore provenance requirements; no provenance attestation is expected for this older package and its publish workflow. ai
source-diff source-size-tripled AI (source-diff): Size increase is a 948KB TypeScript declaration file (.d.ts), not executable code. Major version rewrite (v3→v4) explains the size jump. ai
install-scripts install-script:postinstall AI (install-scripts): Script is '_postinstall' (underscore-prefixed, not executed by npm) running 'husky install' — standard dev tooling setup, not a consumer-facing install risk. Stable pattern for this package. ai
phantom-deps phantom-dep:@types/react-dom AI (phantom-deps): @types/react-dom is a TypeScript type package; not directly imported in code is expected behavior. Stable false positive for this package. ai
phantom-deps phantom-dep:@types/react AI (phantom-deps): @types/react is a TypeScript type package; not directly imported in code is expected behavior. Stable false positive for this package. ai
dependencies unvetted-dep:@popperjs/core AI (dependencies): @popperjs/core is the canonical Popper.js v2 library and a core dependency of react-popper-tooltip by design; stable false positive for this package. ai

Versions (showing 56 of 56)

Version Deps Published
4.4.2 3 / 35
4.4.1 3 / 35
4.4.0 5 / 33
4.3.1 3 / 34
4.3.0 3 / 35
4.2.0 3 / 35
4.1.2 3 / 35
4.1.1 3 / 34
4.1.0 3 / 34
4.0.1 3 / 34
4.0.0 3 / 34
3.1.1 3 / 29
3.1.0 3 / 29
3.0.0 3 / 29
2.11.1 2 / 29
2.11.0 2 / 29
2.10.1 2 / 29
2.10.0 2 / 33
2.9.1 2 / 32
2.9.0 2 / 32
2.8.3 2 / 32
2.8.2 2 / 32
2.8.1 2 / 30
2.8.0 2 / 34
2.7.4 2 / 34
2.7.3 2 / 34
2.7.2 2 / 36
2.7.0 2 / 28
2.6.3 3 / 26
2.6.1 3 / 26
2.6.0 3 / 26
2.5.1 3 / 26
2.5.0 3 / 26
2.4.0 2 / 12
2.3.4 2 / 7
2.3.3 2 / 7
2.3.2 2 / 7
2.3.1 2 / 7
2.3.0 2 / 7
2.2.1 1 / 8
2.2.0 1 / 8
2.1.1 1 / 8
2.1.0 1 / 8
2.0.1 2 / 6
2.0.0 2 / 6
1.1.1 6 / 6
1.1.0 7 / 5
1.0.9 6 / 5
1.0.8 6 / 5
1.0.7 6 / 5
1.0.6 6 / 5
1.0.5 6 / 5
1.0.4 6 / 5
1.0.3 6 / 5
1.0.2 6 / 5
1.0.1 6 / 5

v4.4.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.4.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.4.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.0

3 findings
HIGH Package has 'postinstall' script install-scripts

Script: husky install

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mohsinulhaq.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.2.0

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mohsinulhaq.

v4.1.2

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mohsinulhaq.

v4.1.1

3 findings
HIGH Package has 'postinstall' script install-scripts

Script: husky install

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mohsinulhaq.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.1.0

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mohsinulhaq.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.1

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mohsinulhaq.

v4.0.0

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mohsinulhaq.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.1

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mohsinulhaq.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.