@ai-sdk/react
32
Versions
—
License
No
Install Scripts
Verified
Provenance
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
No source commit
Maintainers
vercel-release-botmatheussmatt.straka
Keywords
aireact
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Vercel migrated from vercel-release-bot to GitHub Actions CI; SLSA attestation confirms legitimacy. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers matheuss and matt.straka are Vercel employees; this is a documented internal transition. Publisher remains vercel-release-bot. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): jaredpalmer's removal reflects a known Vercel org transition; not indicative of takeover given vercel-release-bot remains the publisher. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Apparent dormancy is an artifact of the large version gap (v1.1.8 to v3.0.141) between last approved and current. Package has 850 versions and 5.2M weekly downloads — continuously active. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New dep 'ai' is the core Vercel AI SDK package replacing @ai-sdk/ui-utils; a legitimate architectural consolidation within the same trusted org. | ai | |
| provenance | no-provenance | AI (provenance): vercel-release-bot is a well-established publisher with 4383 approved packages; lack of Sigstore provenance is not a meaningful risk signal for this publisher. | ai |
Versions (showing 32 of 332)
| Version | Deps | Published |
|---|---|---|
| 2.0.110 | 4 / 15 | |
| 2.0.109 | 4 / 15 | |
| 2.0.108 | 4 / 15 | |
| 2.0.107 | 4 / 15 | |
| 2.0.106 | 4 / 15 | |
| 2.0.105 | 4 / 15 | |
| 2.0.104 | 4 / 15 | |
| 2.0.103 | 4 / 15 | |
| 2.0.102 | 4 / 15 | |
| 2.0.101 | 4 / 15 | |
| 2.0.100 | 4 / 15 | |
| 2.0.99 | 4 / 15 | |
| 2.0.98 | 4 / 15 | |
| 2.0.97 | 4 / 15 | |
| 2.0.96 | 4 / 15 | |
| 2.0.95 | 4 / 15 | |
| 2.0.94 | 4 / 15 | |
| 2.0.93 | 4 / 15 | |
| 2.0.92 | 4 / 15 | |
| 2.0.91 | 4 / 15 | |
| 2.0.90 | 4 / 15 | |
| 2.0.89 | 4 / 15 | |
| 2.0.88 | 4 / 15 | |
| 2.0.87 | 4 / 15 | |
| 2.0.86 | 4 / 15 | |
| 2.0.85 | 4 / 15 | |
| 2.0.84 | 4 / 15 | |
| 2.0.83 | 4 / 15 | |
| 2.0.82 | 4 / 15 | |
| 2.0.81 | 4 / 15 | |
| 2.0.80 | 4 / 15 | |
| 1.1.8 | 4 / 15 |
v2.0.97
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.89
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.8
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.