@alfalab/core-components

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

siebensiebenheymdalligor-alfa-testpraiz90dmitryshkindercore-ds-botqrik116sashabullsklartell4mea.shatokhinthediamonddogefulcanelleehextionbradobreyu

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	new-deps-added	AI (publish-pattern): New dep is a first-party sibling package in the same @alfalab/core-components-* namespace; not a supply-chain risk.	ai	2026/06/02
dependencies	unvetted-dep:@alfalab/core-components-text	AI (dependencies): Sibling monorepo package from same org; stable false positive.	ai	2026/05/26
dependencies	unvetted-dep:@alfalab/core-components-vars	AI (dependencies): Sibling monorepo package from same org; stable false positive.	ai	2026/05/26
dependencies	unvetted-dep:@alfalab/core-components-space	AI (dependencies): Sibling monorepo package from same org; stable false positive.	ai	2026/05/26
dependencies	unvetted-dep:@alfalab/core-components-status	AI (dependencies): Sibling monorepo package from same org; stable false positive.	ai	2026/05/26
dependencies	unvetted-dep:@alfalab/core-components-divider	AI (dependencies): Sibling monorepo package from same org; stable false positive.	ai	2026/05/26
dependencies	unvetted-dep:@alfalab/core-components-collapse	AI (dependencies): Sibling monorepo package from same org; stable false positive.	ai	2026/05/26
dependencies	unvetted-dep:@alfalab/core-components-dropzone	AI (dependencies): Sibling monorepo package from same org; stable false positive.	ai	2026/05/26
dependencies	unvetted-dep:@alfalab/core-components-underlay	AI (dependencies): Sibling monorepo package from same org; stable false positive.	ai	2026/05/26
dependencies	unvetted-dep:@alfalab/core-components-grid	AI (dependencies): Sibling monorepo package from same org; stable false positive for this umbrella package.	ai	2026/05/26
dependencies	unvetted-dep:@alfalab/core-components-global-store	AI (dependencies): Sibling monorepo package from same org; stable false positive.	ai	2026/05/26
dependencies	unvetted-dep:@alfalab/core-components-generic-wrapper	AI (dependencies): Sibling monorepo package from same org; stable false positive.	ai	2026/05/26
dependencies	unvetted-dep:@alfalab/core-components-segmented-control	AI (dependencies): Sibling monorepo package from same org; stable false positive.	ai	2026/05/26
dependencies	unvetted-dep:@alfalab/core-components-hatching-progress-bar	AI (dependencies): Sibling monorepo package from same org; stable false positive.	ai	2026/05/26
dependencies	unvetted-peer-dep:@alfalab/core-components-config	AI (dependencies): Sibling monorepo peer dep from same org; stable false positive.	ai	2026/05/26
dependencies	unvetted-peer-dep:@alfalab/core-components-stack-context	AI (dependencies): Sibling monorepo peer dep from same org; stable false positive.	ai	2026/05/26
source-diff	large-new-source-files	AI (source-diff): Umbrella package aggregating many sibling components; large file counts are expected on version bumps.	ai	2026/05/26
dependencies	unvetted-dep:@alfalab/core-components-card-image	AI (dependencies): Sibling monorepo package from same org; stable false positive.	ai	2026/05/26