← Home

@atlaskit/anonymous-assets

npm Repository Homepage
7
Versions
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

atlassianartifactteam

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance no-provenance AI (provenance): Provenance attestation is not yet standard practice on npm; absence is not a security signal for this established publisher. ai
dependencies unvetted-dep:react-intl-next AI (dependencies): react-intl-next is a standard Atlassian ecosystem alias for react-intl (npm:react-intl@^5.18.1); this pattern is used consistently across @atlaskit packages. ai
phantom-deps phantom-dep:@atlaskit/primitives AI (phantom-deps): Same org scope; consumed at build time via Atlassian's compiled CSS toolchain. Expected pattern for @atlaskit packages. ai
phantom-deps phantom-dep:@atlaskit/afm-i18n-platform-elements-anonymous-assets AI (phantom-deps): Internal Atlassian i18n dependency in same org; phantom detection is a false positive for monorepo build patterns. ai
phantom-deps phantom-dep:@atlaskit/css AI (phantom-deps): Build-time compiled dependency in Atlassian monorepo; not directly imported in source but consumed via @compiled/react toolchain. Stable pattern for this package. ai
bogus-package bogus-package AI (bogus-package): Internal Atlassian UI component package from a large monorepo; sparse README and no keywords are expected for internal utility packages. ai
phantom-deps phantom-dep:@compiled/react AI (phantom-deps): Referenced in config files as the CSS-in-JS compiler; not directly imported in source by design. Standard Atlassian frontend toolchain pattern. ai
phantom-deps phantom-dep:@atlaskit/tokens AI (phantom-deps): Same org scope; consumed at build time via Atlassian's compiled CSS toolchain. Expected pattern for @atlaskit packages. ai

Versions (showing 7 of 7)

Version Deps Published
1.1.1 7 / 7
1.1.0 7 / 6
1.0.0 7 / 6
0.0.20 8 / 5
0.0.19 8 / 5
0.0.18 8 / 5
0.0.12 8 / 5

v1.1.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.20

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.19

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.18

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.12

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.