@alveole/components
Shared UI components.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | large-new-source-files | AI (source-diff): New files are PDF.js build artifacts; size increase is expected and benign. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase explained by addition of PDF.js dist files; not an injected payload. | ai | |
| source-diff | net-exec-file:dist/pdfjs/pdf.min.mjs | AI (source-diff): Official Mozilla PDF.js minified bundle; network+exec pattern is inherent to PDF rendering, not malware. | ai | |
| source-diff | net-exec-file:dist/pdfjs/pdf.worker.min.mjs | AI (source-diff): Official Mozilla PDF.js worker bundle; same rationale as pdf.min.mjs. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Postinstall runs a bundled .mjs script for PDF.js asset preparation; consistent with package's documented build workflow. | ai |
Versions (showing 51 of 85)
| Version | Deps | Published |
|---|---|---|
| 0.36.2 | 1 / 18 | |
| 0.36.1 | 1 / 18 | |
| 0.36.0 | 1 / 18 | |
| 0.35.0 | 1 / 2 | |
| 0.34.9 | 1 / 2 | |
| 0.34.8 | 1 / 2 | |
| 0.34.7 | 1 / 2 | |
| 0.34.6 | 1 / 2 | |
| 0.34.4 | 1 / 2 | |
| 0.34.2 | 1 / 2 | |
| 0.34.1 | 1 / 2 | |
| 0.34.0 | 1 / 2 | |
| 0.33.1 | 1 / 2 | |
| 0.33.0 | 1 / 2 | |
| 0.32.2 | 1 / 2 | |
| 0.32.1 | 1 / 2 | |
| 0.32.0 | 1 / 2 | |
| 0.31.4 | 1 / 2 | |
| 0.31.3 | 1 / 2 | |
| 0.31.1 | 1 / 2 | |
| 0.31.0 | 1 / 2 | |
| 0.30.4 | 1 / 2 | |
| 0.30.2 | 1 / 2 | |
| 0.30.1 | 1 / 2 | |
| 0.30.0 | 1 / 2 | |
| 0.29.4 | 1 / 2 | |
| 0.29.3 | 1 / 2 | |
| 0.29.2 | 1 / 2 | |
| 0.29.1 | 1 / 2 | |
| 0.29.0 | 1 / 2 | |
| 0.28.0 | 1 / 2 | |
| 0.27.0 | 1 / 2 | |
| 0.26.0 | 1 / 2 | |
| 0.24.1 | 1 / 2 | |
| 0.24.0 | 1 / 2 | |
| 0.23.4 | 1 / 2 | |
| 0.23.3 | 1 / 2 | |
| 0.23.2 | 1 / 2 | |
| 0.23.1 | 1 / 2 | |
| 0.23.0 | 1 / 2 | |
| 0.22.1 | 1 / 2 | |
| 0.22.0 | 1 / 2 | |
| 0.21.0 | 1 / 2 | |
| 0.20.0 | 1 / 2 | |
| 0.19.3 | 1 / 2 | |
| 0.19.2 | 1 / 2 | |
| 0.19.1 | 1 / 2 | |
| 0.19.0 | 1 / 2 | |
| 0.18.6 | 1 / 2 | |
| 0.18.5 | 1 / 2 | |
| 0.18.4 | 1 / 2 |
v0.36.1
3 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.36.0
3 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.35.0
3 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.34.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.34.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.34.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.34.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.34.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.34.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.34.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.34.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.33.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.33.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.32.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.32.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.32.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.30.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.30.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.30.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.30.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.29.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.29.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.29.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.29.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.29.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.28.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.27.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.23.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.23.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.23.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.23.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.23.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.21.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.20.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.19.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.19.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.19.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.19.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.18.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.18.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.18.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.