@backstage/core-components
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): parse5/rehype-raw/rehype-sanitize are legitimate HTML processing libs consistent with markdown rendering in this package. | ai | |
| dependencies | unvetted-dep:@backstage/theme | AI (dependencies): First-party Backstage package from the same monorepo; no supply-chain risk. | ai | |
| dependencies | unvetted-dep:@react-hookz/web | AI (dependencies): Popular React hooks library with strong community adoption; legitimate utility dependency. | ai | |
| dependencies | unvetted-dep:react-idle-timer | AI (dependencies): Established React idle detection library; legitimate UI dependency. | ai | |
| dependencies | unvetted-dep:react-sparklines | AI (dependencies): Well-known React charting library; legitimate UI component dependency. | ai | |
| dependencies | unvetted-dep:react-full-screen | AI (dependencies): Standard React fullscreen API wrapper; legitimate UI dependency. | ai | |
| dependencies | unvetted-dep:@material-ui/icons | AI (dependencies): Official Material-UI icons package; standard dependency for MUI v4 component libraries. | ai | |
| dependencies | unvetted-dep:@material-table/core | AI (dependencies): Maintained fork of material-table; widely used in Backstage ecosystem for data tables. | ai | |
| dependencies | unvetted-dep:@types/react-sparklines | AI (dependencies): TypeScript type definitions for react-sparklines; no runtime risk. | ai | |
| dependencies | unvetted-dep:@backstage/version-bridge | AI (dependencies): First-party Backstage package from the same monorepo; no supply-chain risk. | ai | |
| dependencies | unvetted-dep:@date-io/core | AI (dependencies): Well-known date adapter utility used by Material-UI date pickers; legitimate dependency for a UI component library. | ai | |
| dependencies | unvetted-dep:linkify-react | AI (dependencies): Standard React linkification library; widely used and legitimate for a UI component library. | ai | |
| dependencies | unvetted-dep:zen-observable | AI (dependencies): Well-known observable utility; legitimate dependency in the Backstage ecosystem. | ai | |
| dependencies | unvetted-dep:@material-ui/lab | AI (dependencies): Official Material-UI lab package; standard dependency for MUI v4 component libraries. | ai | |
| phantom-deps | phantom-dep:pluralize | AI (phantom-deps): pluralize is a legitimate utility declared as a dependency; phantom detection is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:@date-io/core | AI (phantom-deps): @date-io/core is a legitimate date adapter library; phantom detection is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:zen-observable | AI (phantom-deps): zen-observable is a legitimate observable library; phantom detection is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:@backstage/config | AI (phantom-deps): Same-org @backstage/config is used via configSchema; phantom detection is expected and benign. | ai | |
| phantom-deps | phantom-dep:@types/react-sparklines | AI (phantom-deps): Type-only package loaded by convention in TypeScript projects; phantom detection is a false positive. | ai | |
| provenance | no-provenance | AI (provenance): Backstage monorepo packages historically publish without Sigstore provenance; this is consistent across all versions and not a risk signal for this package. | ai | |
| phantom-deps | phantom-dep:linkifyjs | AI (phantom-deps): linkifyjs is a peer/config dependency of linkify-react; phantom detection is expected for this package structure. | ai | |
| phantom-deps | phantom-dep:parse5 | AI (phantom-deps): parse5 is a legitimate HTML parser declared as a dependency in this large UI library; phantom detection is a false positive for this package. | ai | |
Versions (showing 11 of 11)
| Version | Deps | Published |
|---|---|---|
| 0.18.10 | 42 / 27 | |
| 0.18.9 | 42 / 26 | |
| 0.18.8 | 42 / 26 | |
| 0.18.7 | 42 / 26 | |
| 0.18.6 | 42 / 26 | |
| 0.18.3 | 39 / 26 | |
| 0.18.0 | 39 / 26 | |
| 0.17.5 | 38 / 25 | |
| 0.17.4 | 38 / 25 | |
| 0.17.3 | 38 / 25 | |
| 0.17.2 | 38 / 25 | |
v0.18.10
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.18.9
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.18.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.17.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.17.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.17.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.17.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.