@ariakit/react — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

diegohazariakit-botbenrodrsdaniguardiola

Keywords

a11yariakitcomponentsreacttoolkitui

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:cjs/__chunks/JBOLBTVU.cjs	AI (source-diff): Standard CJS bundler output (esbuild helpers), not obfuscation. Stable for this package.	ai	2026/06/01
source-diff	large-new-source-files	AI (source-diff): Component library regularly reshuffles CJS chunks across versions.	ai	2026/06/01
source-diff	obfuscated-file:cjs/__chunks/QAUJZR6Y.cjs	AI (source-diff): Standard CJS bundler output (esbuild helpers), not obfuscation; stable for this package.	ai	2026/05/31
provenance	missing-githead	AI (provenance): CI environment change; SLSA provenance present, established package with strong ecosystem trust.	ai	2026/05/29
publish-pattern	dormant-publish	AI (publish-pattern): Long-lived popular package; dormancy is normal for stable UI libraries.	ai	2026/05/29
dependencies	unvetted-dep:@ariakit/react-core	AI (dependencies): Internal monorepo sibling package; stable false positive for this package family.	ai	2026/04/28

Versions (showing 12 of 12)

Version	Deps	Published
0.4.29	1 / 2	2026-05-31
0.4.28	1 / 2	2026-05-23
0.4.27	1 / 2	2026-05-23
0.4.26	1 / 2	2026-04-17
0.4.25	1 / 2	2026-04-08
0.4.24	1 / 2	2026-03-21
0.4.23	1 / 0	2026-03-12
0.4.22	1 / 0	2026-03-04
0.4.21	1 / 0	2026-01-12
0.4.20	1 / 0	2025-11-25
0.4.19	1 / 0	2025-10-04
0.4.18	1 / 0	2025-08-11

v0.4.29

2 findings

HIGH New obfuscated file: cjs/__chunks/JBOLBTVU.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.28

3 findings

HIGH New obfuscated file: cjs/__chunks/QAUJZR6Y.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

v0.4.27

3 findings

HIGH New obfuscated file: cjs/__chunks/QAUJZR6Y.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

v0.4.26

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.25

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.24

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.23

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.22

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.21

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.20

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.19

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.18

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.