react-vis
Data visualization library based on React and d3.
Versions: 1
License: MIT
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
kenns29shengsemrahszacklkuber-ospo
Keywords
d3, react, visualization, chart, es6, babel
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | suspicious-initial-version | AI (npm-metadata): react-vis 0.0.0 is the legitimate initial release of Uber's well-known data visualization library, not a throwaway malicious package. 87k weekly downloads and 3700+ day history confirm legitimacy. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): d3-geo and d3-contour are official D3 packages; adding them to a D3-based visualization library is expected and benign. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers include uber-ospo, consistent with Uber's OSS governance transition. No malicious indicators. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher kenns29 has strong track record (120 approved, 0 rejected, 3+ years). Change aligns with Uber OSS team transition. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of 'uber' account is part of the same organizational transition to uber-ospo and named maintainers. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): Transition includes uber-ospo (Uber's OSPO), indicating an organized internal handoff. Publisher kenns29 has 120 approved packages and a 3+ year track record. Legitimate org transition. | ai | |
| phantom-deps | phantom-dep:d3-format | AI (phantom-deps): D3-format is a declared dependency used indirectly by react-vis visualization components; expected pattern for data viz library. | ai | |
| phantom-deps | phantom-dep:d3-sankey | AI (phantom-deps): D3-sankey is a declared dependency used indirectly by react-vis visualization components; expected pattern for data viz library. | ai | |
| phantom-deps | phantom-dep:d3-contour | AI (phantom-deps): D3-contour is a declared dependency used indirectly by react-vis visualization components; expected pattern for data viz library. | ai | |
| phantom-deps | phantom-dep:d3-hierarchy | AI (phantom-deps): D3-hierarchy is a declared dependency used indirectly by react-vis visualization components; expected pattern for data viz library. | ai | |
| phantom-deps | phantom-dep:d3-collection | AI (phantom-deps): D3-collection is a declared dependency used indirectly by react-vis visualization components; expected pattern for data viz library. | ai | |
| phantom-deps | phantom-dep:d3-interpolate | AI (phantom-deps): D3-interpolate is a declared dependency used indirectly by react-vis visualization components; expected pattern for data viz library. | ai | |
| phantom-deps | phantom-dep:deep-equal | AI (phantom-deps): Deep-equal is a declared dependency used indirectly by react-vis; expected pattern for utility libraries. | ai | |
| phantom-deps | phantom-dep:global | AI (phantom-deps): Global is a declared dependency used indirectly by react-vis; expected pattern for polyfill/utility libraries. | ai | |
| phantom-deps | phantom-dep:prop-types | AI (phantom-deps): Prop-types is a declared dependency used indirectly by react-vis components; expected pattern for React libraries. | ai | |
| phantom-deps | phantom-dep:react-motion | AI (phantom-deps): React-motion is a declared dependency used indirectly by react-vis; expected pattern for animation libraries. | ai | |
| phantom-deps | phantom-dep:react-test-renderer | AI (phantom-deps): React-test-renderer is a declared dependency used indirectly by react-vis testing; expected pattern for test utilities. | ai | |
| phantom-deps | phantom-dep:d3-voronoi | AI (phantom-deps): D3-voronoi is a declared dependency used indirectly by react-vis visualization components; expected pattern for data viz library. | ai | |
| phantom-deps | phantom-dep:d3-geo | AI (phantom-deps): D3-geo is a declared dependency used indirectly by react-vis visualization components; expected pattern for data viz library. | ai | |
| phantom-deps | phantom-dep:d3-array | AI (phantom-deps): D3-array is a declared dependency used indirectly by react-vis visualization components; expected pattern for data viz library. | ai | |
| phantom-deps | phantom-dep:d3-color | AI (phantom-deps): D3-color is a declared dependency used indirectly by react-vis visualization components; expected pattern for data viz library. | ai | |
| phantom-deps | phantom-dep:d3-scale | AI (phantom-deps): D3-scale is a declared dependency used indirectly by react-vis visualization components; expected pattern for data viz library. | ai | |
| phantom-deps | phantom-dep:d3-shape | AI (phantom-deps): D3-shape is a declared dependency used indirectly by react-vis visualization components; expected pattern for data viz library. | ai | |
| provenance | missing-githead | AI (provenance): Established package with 108 versions and clean publisher history; missing gitHead is a process gap, not a security indicator for this package. | ai | |
| provenance | no-provenance | AI (provenance): react-vis predates Sigstore provenance requirements; absence of attestation is expected for this long-running package. | ai | |
| phantom-deps | phantom-dep:hoek | AI (phantom-deps): hoek is explicitly declared as a runtime dependency in package.json at version 4.2.1; the phantom-dep finding is a false positive for this package. | ai | |
| source-diff | encoded-string-file:dist/dist.min.js | AI (source-diff): dist/dist.min.js is the documented browserify+uglifyjs browser bundle output for react-vis. Long encoded strings are standard minified d3/React bundle content, not obfuscation. | ai | |
Versions (showing 1 of 101)
| Version | Deps | Published |
|---|---|---|
| 0.0.0 | 5 / 18 | |
v0.0.0: 1 finding
INFO (provenance): No provenance attestation
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.