@atlaskit/editor-common
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | large-new-source-files | AI (source-diff): editor-common is a large, actively maintained Atlassian editor library that regularly adds new source files as features expand. 25 new files is consistent with normal development cadence for this package. | ai | |
| phantom-deps | phantom-dep:@sentry/browser | AI (phantom-deps): Config-file reference without direct import is expected in monorepo; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@atlaskit/code | AI (phantom-deps): Monorepo pattern: same-org scope dependency declared at workspace root but not directly imported in this entry point; stable for @atlaskit packages. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Atlassian monorepo package with 109 approved dependents and a trusted publisher account; dormancy gaps are plausible for large enterprise monorepos and no other risk signals are present. | ai | |
| dependencies | unvetted-dep:markdown-it | AI (dependencies): markdown-it is a widely-used, legitimate markdown parsing library. Its use in an Atlassian editor package is expected and benign. | ai | |
| dependencies | unvetted-dep:@popperjs/core | AI (dependencies): @popperjs/core is a well-known, widely-used positioning library. Its use in a UI editor package is expected and benign. | ai | |
| phantom-deps | phantom-dep:@atlaskit/css | AI (phantom-deps): Same org scope (@atlaskit); phantom dep finding is benign for Atlassian's own monorepo packages. | ai | |
| provenance | no-provenance | AI (provenance): Atlassian's atlassianartifactteam has 129 approved packages without provenance; this is a stable publishing pattern for this org. | ai | |
| phantom-deps | phantom-dep:@sentry/integrations | AI (phantom-deps): Referenced in config files only; standard observability tooling pattern, not a real risk. | ai | |
| phantom-deps | phantom-dep:prop-types | AI (phantom-deps): prop-types referenced in config files only; standard pattern for React component libraries. Not a real risk for this package. | ai | |
Versions (showing 45 of 45)
| Version | Deps | Published |
|---|---|---|
| 115.5.1 | 83 / 18 | |
| 115.5.0 | 83 / 18 | |
| 115.4.0 | 83 / 18 | |
| 115.3.0 | 83 / 18 | |
| 115.2.2 | 83 / 18 | |
| 115.2.1 | 83 / 18 | |
| 115.2.0 | 83 / 18 | |
| 115.1.0 | 83 / 18 | |
| 115.0.3 | 83 / 18 | |
| 115.0.2 | 83 / 18 | |
| 115.0.1 | 83 / 18 | |
| 115.0.0 | 83 / 18 | |
| 114.55.0 | 83 / 18 | |
| 114.54.2 | 83 / 18 | |
| 114.54.1 | 83 / 18 | |
| 114.54.0 | 83 / 18 | |
| 114.53.0 | 83 / 18 | |
| 114.52.0 | 83 / 18 | |
| 114.51.1 | 83 / 18 | |
| 114.51.0 | 83 / 18 | |
| 114.50.3 | 83 / 18 | |
| 114.50.2 | 83 / 18 | |
| 114.50.1 | 83 / 18 | |
| 114.50.0 | 83 / 18 | |
| 114.49.0 | 83 / 18 | |
| 114.48.1 | 83 / 18 | |
| 114.48.0 | 83 / 18 | |
| 114.47.3 | 83 / 18 | |
| 114.47.2 | 83 / 18 | |
| 114.47.1 | 83 / 18 | |
| 114.47.0 | 83 / 18 | |
| 114.46.0 | 83 / 18 | |
| 114.45.0 | 83 / 18 | |
| 114.44.0 | 83 / 18 | |
| 114.33.2 | 83 / 17 | |
| 114.13.2 | 82 / 17 | |
| 114.13.1 | 82 / 17 | |
| 114.10.0 | 82 / 17 | |
| 114.9.0 | 82 / 17 | |
| 114.1.1 | 82 / 16 | |
| 113.0.0 | 82 / 15 | |
| 112.19.1 | 82 / 15 | |
| 112.18.5 | 82 / 15 | |
| 112.8.4 | 84 / 15 | |
| 110.18.6 | 84 / 18 | |
v115.5.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v115.5.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v115.4.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v115.3.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v115.2.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v115.2.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v115.2.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v115.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v115.0.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v115.0.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v115.0.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v115.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v114.55.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v114.54.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v114.54.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v114.54.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v114.53.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v114.52.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v114.51.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v114.51.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v114.50.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v114.50.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v114.50.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v114.50.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v114.49.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v114.48.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v114.48.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v114.47.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v114.47.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v114.47.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v114.47.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v114.46.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v114.45.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v114.44.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v114.33.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v114.13.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v114.10.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v114.9.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v114.1.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v113.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v112.19.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v112.18.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v112.8.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v110.18.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.