@atlassian/aui
Atlassian User Interface library
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:skatejs | AI (dependencies): Long-standing dependency in this established Atlassian UI package; no malware indicators. | ai | |
| dependencies | unvetted-dep:@atlassian/adg-server-iconfont | AI (dependencies): Same-org Atlassian scoped package; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@atlassian/fancy-file-input | AI (dependencies): Same-org Atlassian scoped package; low risk for this publisher. | ai | |
| dependencies | unvetted-dep:skatejs-template-html | AI (dependencies): Long-standing dependency in this established Atlassian UI package; no malware indicators. | ai | |
| dependencies | unvetted-dep:jquery-form | AI (dependencies): Long-standing dependency in this established Atlassian UI package; no malware indicators. | ai | |
| phantom-deps | phantom-dep:css.escape | AI (phantom-deps): Stable false positive for this package; referenced in config but not a runtime risk. | ai | |
| phantom-deps | phantom-dep:@atlassian/tipsy | AI (phantom-deps): Same-org Atlassian dep; phantom-dep heuristic unreliable for bundled packages. | ai | |
| phantom-deps | phantom-dep:trim-extra-html-whitespace | AI (phantom-deps): Referenced in config files per finding; stable false positive for this bundled package. | ai | |
| phantom-deps | phantom-dep:@atlassian/adg-server-iconfont | AI (phantom-deps): Same-org scoped package declared as dep but used indirectly; stable false positive for this package. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Long-standing keyboard shortcut parser pattern in AUI; not user-controlled external input. | ai | |
| typosquat | typosquat.levenshtein:hapi | AI (typosquat): Scoped @atlassian package; Levenshtein match against short names is a false positive for this namespace. | ai | |
| typosquat | typosquat.levenshtein:ajv | AI (typosquat): Scoped @atlassian package; Levenshtein match against short names is a false positive for this namespace. | ai | |
| typosquat | typosquat.levenshtein:yup | AI (typosquat): Scoped @atlassian package; Levenshtein match against short names is a false positive for this namespace. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped @atlassian package; Levenshtein match against short names is a false positive for this namespace. | ai | |
| typosquat | typosquat.levenshtein:uuid | AI (typosquat): Scoped @atlassian package; Levenshtein match against short names is a false positive for this namespace. | ai | |
Versions (showing 4 of 4)
| Version | Deps | Published |
|---|---|---|
| 10.2.0 | 11 / 14 | |
| 10.1.11 | 11 / 14 | |
| 10.0.5 | 12 / 14 | |
| 9.12.13 | 13 / 9 | |
v10.2.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.1.11
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.0.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.12.13
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.