@atlaskit/media-ui
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@atlaskit/legacy-custom-icons | AI (dependencies): Same Atlassian org scope (@atlaskit); this is a first-party dependency expected across all @atlaskit packages and poses no independent risk. | ai | |
| phantom-deps | phantom-dep:@atlaskit/dropdown-menu | AI (phantom-deps): Same-org Atlassian package declared but not directly imported; consistent with Atlaskit's monorepo structure and not a security concern. | ai | |
| provenance | no-provenance | AI (provenance): Atlassian's atlassianartifactteam publisher has 252 approved packages without provenance; this is a stable publishing pattern for this org, not a security concern. | ai | |
| phantom-deps | phantom-dep:@atlaskit/css | AI (phantom-deps): Same-org @atlaskit scoped package declared but not directly imported; minor packaging concern, not a security risk for this well-established Atlassian package. | ai |
Versions (showing 44 of 44)
| Version | Deps | Published |
|---|---|---|
| 29.3.1 | 34 / 21 | |
| 29.3.0 | 34 / 21 | |
| 29.2.5 | 34 / 21 | |
| 29.2.4 | 34 / 21 | |
| 29.2.3 | 34 / 21 | |
| 29.2.2 | 34 / 21 | |
| 29.2.1 | 34 / 20 | |
| 29.2.0 | 34 / 20 | |
| 29.1.1 | 34 / 20 | |
| 29.1.0 | 34 / 20 | |
| 29.0.0 | 34 / 20 | |
| 28.7.42 | 34 / 20 | |
| 28.7.41 | 34 / 20 | |
| 28.7.40 | 34 / 20 | |
| 28.7.39 | 34 / 20 | |
| 28.7.38 | 34 / 20 | |
| 28.7.37 | 34 / 20 | |
| 28.7.36 | 34 / 20 | |
| 28.7.35 | 34 / 20 | |
| 28.7.34 | 34 / 20 | |
| 28.7.33 | 34 / 20 | |
| 28.7.32 | 34 / 20 | |
| 28.7.31 | 34 / 20 | |
| 28.7.30 | 34 / 20 | |
| 28.7.29 | 34 / 20 | |
| 28.7.28 | 34 / 20 | |
| 28.7.27 | 35 / 20 | |
| 28.7.26 | 35 / 20 | |
| 28.7.25 | 35 / 20 | |
| 28.7.24 | 35 / 19 | |
| 28.7.23 | 35 / 19 | |
| 28.7.22 | 35 / 19 | |
| 28.7.21 | 35 / 19 | |
| 28.7.20 | 35 / 19 | |
| 28.7.19 | 36 / 19 | |
| 28.7.18 | 36 / 19 | |
| 28.7.17 | 37 / 19 | |
| 28.7.16 | 37 / 19 | |
| 28.7.14 | 37 / 19 | |
| 28.7.13 | 37 / 19 | |
| 28.7.12 | 37 / 19 | |
| 28.7.11 | 37 / 19 | |
| 28.7.10 | 37 / 19 | |
| 28.7.9 | 37 / 19 |
v29.3.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.2.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.2.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.2.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.2.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v28.7.42
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.7.41
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.7.40
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.7.39
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.7.38
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.7.37
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.7.36
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v28.7.35
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.7.34
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.7.33
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.7.32
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.7.31
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.7.30
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.7.29
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.7.28
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.7.27
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.7.26
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.7.25
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.7.24
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.7.23
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.7.22
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.7.21
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v28.7.20
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v28.7.19
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v28.7.18
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v28.7.17
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v28.7.16
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v28.7.14
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v28.7.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v28.7.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v28.7.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v28.7.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v28.7.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.