@atom8n/design-system

Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:xss | AI (phantom-deps): xss is a declared runtime dependency; phantom-dep heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:lodash | AI (phantom-deps): lodash is a declared runtime dependency; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:reka-ui | AI (phantom-deps): reka-ui is a declared runtime dependency; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@n8n/utils | AI (phantom-deps): @n8n/utils is a declared runtime dependency (aliased); phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:parse-diff | AI (phantom-deps): parse-diff is a declared runtime dependency; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:vue-router | AI (phantom-deps): vue-router is a declared runtime dependency; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:markdown-it | AI (phantom-deps): markdown-it is a declared runtime dependency; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:element-plus | AI (phantom-deps): element-plus is a declared runtime dependency; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:sanitize-html | AI (phantom-deps): sanitize-html is a declared runtime dependency; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@n8n/composables | AI (phantom-deps): @n8n/composables is a declared runtime dependency (aliased); phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:markdown-it-emoji | AI (phantom-deps): markdown-it-emoji is a declared runtime dependency; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:is-emoji-supported | AI (phantom-deps): is-emoji-supported is a declared runtime dependency; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:vue-boring-avatars | AI (phantom-deps): vue-boring-avatars is a declared runtime dependency; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@tanstack/vue-table | AI (phantom-deps): @tanstack/vue-table is a declared runtime dependency; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:markdown-it-task-lists | AI (phantom-deps): markdown-it-task-lists is a declared runtime dependency; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@internationalized/date | AI (phantom-deps): @internationalized/date is a declared runtime dependency; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:markdown-it-link-attributes | AI (phantom-deps): markdown-it-link-attributes is a declared runtime dependency; phantom-dep heuristic false positive. | ai | |
v2.5.7
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.5.6
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.5.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.