@assistant-ui/react
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | slsa-provenance | AI (provenance): Package has SLSA provenance via Sigstore; strongest supply chain integrity signal, stable for this package going forward. | ai | |
| source-diff | large-new-source-files | AI (source-diff): UI component library for AI chat; adding new source files is expected growth. No large files (≥50KB) flagged, no script or dep changes — consistent with normal feature development. | ai | |
| dependencies | unvetted-dep:@radix-ui/react-dropdown-menu | AI (dependencies): @radix-ui/react-dropdown-menu is a well-known, widely-trusted Radix UI component; entirely appropriate for a React UI component library. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher changed from yonom to GitHub Actions CI/CD, consistent with intentional migration to automated publishing with SLSA provenance attestation. Not a suspicious actor. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Dormancy followed by CI/CD-published release with SLSA provenance is consistent with legitimate resumption of development, not account takeover. | ai | |
| phantom-deps | phantom-dep:@standard-schema/spec | AI (phantom-deps): @standard-schema/spec is a legitimate schema spec package used at config/type level; not being directly imported in source is expected for this kind of dependency. | ai | |
| phantom-deps | phantom-dep:zod | AI (phantom-deps): zod is a well-known validation library; phantom-dep finding is benign for a build/config reference. | ai | |
| dependencies | unvetted-dep:radix-ui | AI (dependencies): radix-ui is a well-known React UI primitives library; expected dependency for this UI component package. | ai | |
| phantom-deps | phantom-dep:nanoid | AI (phantom-deps): nanoid is a well-known ID generation library; phantom-dep finding is benign for a build/config reference. | ai | |
| dependencies | unvetted-dep:assistant-cloud | AI (dependencies): First-party dependency from the assistant-ui ecosystem, same publisher and GitHub org. | ai | |
| dependencies | unvetted-dep:assistant-stream | AI (dependencies): First-party dependency from the assistant-ui ecosystem, same publisher and GitHub org. | ai | |
| dependencies | unvetted-dep:@assistant-ui/tap | AI (dependencies): First-party scoped package from the assistant-ui org; expected internal dependency. | ai | |
| dependencies | unvetted-dep:@assistant-ui/core | AI (dependencies): First-party scoped package from the assistant-ui org; expected internal dependency. | ai | |
| dependencies | unvetted-dep:@assistant-ui/store | AI (dependencies): First-party scoped package from the assistant-ui org; expected internal dependency. | ai | |
Versions (showing 51 of 136)
| Version | Deps | Published |
|---|---|---|
| 0.14.14 | 17 / 10 | |
| 0.14.13 | 17 / 10 | |
| 0.14.12 | 17 / 10 | |
| 0.14.11 | 17 / 10 | |
| 0.14.9 | 17 / 10 | |
| 0.14.8 | 17 / 10 | |
| 0.14.7 | 17 / 10 | |
| 0.14.6 | 17 / 10 | |
| 0.14.0 | 16 / 10 | |
| 0.12.28 | 16 / 10 | |
| 0.12.27 | 16 / 10 | |
| 0.12.26 | 16 / 10 | |
| 0.12.25 | 16 / 10 | |
| 0.12.24 | 16 / 10 | |
| 0.12.23 | 16 / 10 | |
| 0.12.22 | 16 / 10 | |
| 0.12.21 | 16 / 10 | |
| 0.12.20 | 16 / 10 | |
| 0.12.19 | 16 / 10 | |
| 0.12.17 | 16 / 10 | |
| 0.12.16 | 16 / 10 | |
| 0.12.15 | 16 / 10 | |
| 0.12.14 | 16 / 10 | |
| 0.12.12 | 16 / 10 | |
| 0.12.11 | 18 / 10 | |
| 0.12.10 | 17 / 8 | |
| 0.12.9 | 17 / 8 | |
| 0.12.8 | 17 / 8 | |
| 0.12.7 | 17 / 8 | |
| 0.12.6 | 17 / 8 | |
| 0.12.5 | 17 / 8 | |
| 0.12.3 | 17 / 8 | |
| 0.12.1 | 17 / 8 | |
| 0.12.0 | 17 / 8 | |
| 0.11.58 | 16 / 8 | |
| 0.11.57 | 16 / 8 | |
| 0.11.56 | 16 / 8 | |
| 0.11.55 | 16 / 8 | |
| 0.11.54 | 16 / 8 | |
| 0.11.53 | 15 / 8 | |
| 0.11.52 | 16 / 7 | |
| 0.11.51 | 16 / 7 | |
| 0.11.50 | 16 / 7 | |
| 0.11.49 | 16 / 7 | |
| 0.11.48 | 16 / 7 | |
| 0.11.47 | 16 / 7 | |
| 0.11.46 | 16 / 9 | |
| 0.11.45 | 16 / 9 | |
| 0.11.44 | 16 / 9 | |
| 0.11.43 | 17 / 9 | |
| 0.11.41 | 17 / 9 | |
v0.14.14
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.13
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.12
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.11
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.9
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.8
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.7
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.28
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.26
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.25
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.24
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.23
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.22
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.21
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.20
2 findings
This version was published by a different npm account than previous versions on 2026-03-23. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.19
2 findings
This version was published by a different npm account than previous versions on 2026-03-17. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.17
2 findings
This version was published by a different npm account than previous versions on 2026-03-10. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.16
2 findings
This version was published by a different npm account than previous versions on 2026-03-09. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.15
2 findings
This version was published by a different npm account than previous versions on 2026-03-04. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.14
2 findings
This version was published by a different npm account than previous versions on 2026-02-26. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.12
2 findings
This version was published by a different npm account than previous versions on 2026-02-25. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.11
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.10
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.9
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.8
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.7
2 findings
This version was published by a different npm account than previous versions on 2026-02-06. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.58
2 findings
This version was published by a different npm account than previous versions on 2026-01-21. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.57
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.56
2 findings
This version was published by a different npm account than previous versions on 2026-01-19. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.55
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.54
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.53
2 findings
This version was published by a different npm account than previous versions on 2025-12-20. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.52
2 findings
This version was published by a different npm account than previous versions on 2025-12-18. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.51
2 findings
This version was published by a different npm account than previous versions on 2025-12-12. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.50
2 findings
This version was published by a different npm account than previous versions on 2025-12-12. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.49
2 findings
This version was published by a different npm account than previous versions on 2025-12-11. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.48
2 findings
This version was published by a different npm account than previous versions on 2025-12-08. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.47
2 findings
This version was published by a different npm account than previous versions on 2025-11-28. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.46
2 findings
This version was published by a different npm account than previous versions on 2025-11-28. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.45
2 findings
This version was published by a different npm account than previous versions on 2025-11-27. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.44
2 findings
This version was published by a different npm account than previous versions on 2025-11-26. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.43
2 findings
This version was published by a different npm account than previous versions on 2025-11-26. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.41
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.