@atlaskit/renderer
Renderer component
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): Atlassian migrated to atlassianartifactteam publisher ~426 days ago; apparent dormancy reflects account transition, not inactivity. Package has 1590 versions and is actively maintained. | ai | |
| dependencies | unvetted-peer-dep:@atlaskit/media-core | AI (dependencies): Peer dependency within Atlassian ecosystem; stable for this package's context. | ai | |
| phantom-deps | phantom-dep:@atlaskit/editor-tables | AI (phantom-deps): Same-org phantom dependency typical of Atlassian monorepo structure; no security concern. | ai | |
| phantom-deps | phantom-dep:@atlaskit/pragmatic-drag-and-drop | AI (phantom-deps): Same-org @atlaskit scope phantom dep; consistent with monorepo dependency management patterns for this package. | ai | |
| dependencies | unvetted-dep:react-intl-next | AI (dependencies): react-intl-next is an npm alias for react-intl@^5.18.1, a well-known i18n library. This aliasing pattern is standard in Atlassian packages and poses no security risk. | ai | |
| phantom-deps | phantom-dep:@atlaskit/afm-i18n-platform-editor-renderer | AI (phantom-deps): Same-org @atlaskit scope phantom dep; consistent with monorepo dependency management patterns for this package. | ai | |
| phantom-deps | phantom-dep:@atlaskit/theme | AI (phantom-deps): Same-org @atlaskit scope phantom dep in a large monorepo; declared for peer/tooling resolution without direct import is expected and stable for this package. | ai | |
| phantom-deps | phantom-dep:@atlaskit/feature-gate-js-client | AI (phantom-deps): Same-org @atlaskit scope phantom dep; consistent with monorepo dependency management patterns for this package. | ai | |
| provenance | no-provenance | AI (provenance): Atlassian publishes this package without Sigstore provenance; consistent across all versions. Publisher identity is well-established via track record. | ai | |
Versions (showing 11 of 137)
| Version | Deps | Published |
|---|---|---|
| 124.13.1 | 47 / 33 | |
| 124.13.0 | 47 / 33 | |
| 124.12.1 | 47 / 33 | |
| 124.10.4 | 47 / 33 | |
| 124.10.2 | 47 / 33 | |
| 124.9.8 | 46 / 34 | |
| 124.9.7 | 46 / 34 | |
| 124.9.6 | 46 / 34 | |
| 124.9.3 | 46 / 34 | |
| 124.9.1 | 46 / 34 | |
| 124.9.0 | 46 / 34 | |
v124.13.1
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v124.13.0
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v124.12.1
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v124.10.4
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v124.10.2
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v124.9.8
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v124.9.7
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v124.9.6
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v124.9.3
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v124.9.1
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v124.9.0
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.