react-slick
React port of slick carousel
Versions: 51
License: MIT
Install Scripts: Yes
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
akiran
Keywords
slick, carousel, Image slider, orbit, slider, react-component
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | source-size-tripled | AI (source-diff): Size increase is explained by the prepublish build step (Babel transpile + Gulp dist bundle producing lib/ and dist/ artifacts). Expected for this package's build process. | ai | |
| source-diff | large-new-source-files | AI (source-diff): react-slick is a mature, well-maintained carousel library; large file additions are consistent with feature releases and refactoring, not code injection. | ai | |
| phantom-deps | phantom-dep:@testing-library/user-event | AI (phantom-deps): @testing-library/user-event is a well-known testing utility accidentally placed in runtime deps; not imported in runtime code, no security concern. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation is uncommon (~12% of npm); not a disqualifier for established packages with strong track records. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New dependencies (enquire.js, can-use-dom, create-react-class, opencollective) are all established packages; no attack vector present. | ai | |
| phantom-deps | phantom-dep:opencollective | AI (phantom-deps): opencollective is invoked via postinstall script, not imported in source — this is the expected usage pattern for opencollective integration. | ai | |
| dependencies | unvetted-dep:opencollective | AI (dependencies): opencollective is a well-established, legitimate funding/donation package. Appropriate for this use case. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() in vendored bower_components (jquery); not in package source, reflects legitimate utility library patterns. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is in bundled bower_components/should.js, not react-slick source; transitive dependency artifact. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Postinstall runs 'opencollective postinstall', a well-known benign funding message pattern used by many OSS projects. Stable for this package. | ai | |
| phantom-deps | phantom-dep:slick-carousel | AI (phantom-deps): slick-carousel is a legitimate peer/config dependency for this carousel component; already marked accepted risk. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() usage is in bundled tether documentation, not react-slick source; transitive dependency artifact. | ai | |
| dependencies | unvetted-dep:json2mq | AI (dependencies): json2mq is a small, stable utility that has been a react-slick dependency for years; no security concerns. | ai | |
| dependencies | unvetted-dep:resize-observer-polyfill | AI (dependencies): resize-observer-polyfill is a well-known browser polyfill; long-standing dependency in react-slick with no security concerns. | ai | |
| dependencies | unvetted-dep:lodash.debounce | AI (dependencies): lodash.debounce is a well-known, widely-used utility from the lodash project; stable dependency for this package. | ai | |
Versions (showing 51 of 104)
| Version | Deps | Published |
|---|---|---|
| 0.31.0 | 4 / 49 | |
| 0.30.3 | 5 / 46 | |
| 0.30.2 | 5 / 46 | |
| 0.30.1 | 6 / 44 | |
| 0.29.0 | 5 / 46 | |
| 0.28.1 | 5 / 50 | |
| 0.28.0 | 5 / 50 | |
| 0.27.14 | 5 / 50 | |
| 0.27.13 | 5 / 50 | |
| 0.27.12 | 5 / 50 | |
| 0.27.11 | 5 / 50 | |
| 0.27.10 | 5 / 50 | |
| 0.27.9 | 5 / 50 | |
| 0.27.8 | 5 / 50 | |
| 0.27.7 | 5 / 50 | |
| 0.27.6 | 5 / 50 | |
| 0.27.5 | 5 / 50 | |
| 0.27.4 | 5 / 50 | |
| 0.27.3 | 5 / 50 | |
| 0.27.2 | 5 / 50 | |
| 0.27.1 | 5 / 50 | |
| 0.27.0 | 5 / 50 | |
| 0.26.1 | 5 / 50 | |
| 0.26.0 | 5 / 50 | |
| 0.25.2 | 5 / 50 | |
| 0.25.1 | 5 / 50 | |
| 0.25.0 | 5 / 50 | |
| 0.24.0 | 5 / 50 | |
| 0.23.2 | 6 / 47 | |
| 0.23.1 | 5 / 47 | |
| 0.23.0 | 5 / 47 | |
| 0.22.3 | 6 / 43 | |
| 0.22.2 | 6 / 43 | |
| 0.22.1 | 6 / 43 | |
| 0.22.0 | 6 / 43 | |
| 0.21.0 | 6 / 43 | |
| 0.20.0 | 6 / 43 | |
| 0.19.0 | 6 / 42 | |
| 0.18.1 | 6 / 42 | |
| 0.17.1 | 7 / 42 | |
| 0.16.0 | 7 / 39 | |
| 0.15.4 | 7 / 37 | |
| 0.15.3 | 7 / 37 | |
| 0.15.2 | 7 / 37 | |
| 0.15.1 | 7 / 37 | |
| 0.15.0 | 7 / 37 | |
| 0.14.11 | 7 / 37 | |
| 0.14.10 | 6 / 36 | |
| 0.14.9 | 5 / 37 | |
| 0.14.8 | 8 / 36 | |
| 0.14.7 | 5 / 36 | |