@backstage/plugin-home — Greenflagged

A Backstage plugin that helps you build a home page

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

patrikofrebenmarcuseide

Keywords

backstagehomepage

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:@material-ui/icons	AI (dependencies): Standard Material-UI icons package; expected in any MUI v4-based Backstage frontend plugin.	ai	2026/04/26
dependencies	unvetted-dep:@backstage/theme	AI (dependencies): Official Backstage theming package from the same org; expected dependency for any Backstage frontend plugin.	ai	2026/04/26
dependencies	unvetted-dep:@material-ui/lab	AI (dependencies): Well-known Material-UI lab package, standard in Backstage v1 frontend plugins using MUI v4.	ai	2026/04/26
dependencies	unvetted-dep:@rjsf/material-ui	AI (dependencies): Legitimate react-jsonschema-form MUI renderer; expected for form-based UI in Backstage plugins.	ai	2026/04/26
dependencies	unvetted-dep:react-grid-layout	AI (dependencies): Popular, well-maintained grid layout library; expected for a customizable home page plugin.	ai	2026/04/26
phantom-deps	phantom-dep:@backstage/config	AI (phantom-deps): Same org scope; referenced in config files as expected for a Backstage plugin. Not a real phantom dependency risk.	ai	2026/04/25
phantom-deps	phantom-dep:@backstage/core-compat-api	AI (phantom-deps): Same org scope; typical Backstage plugin pattern. Not a real phantom dependency risk.	ai	2026/04/25
phantom-deps	phantom-dep:@rjsf/utils	AI (phantom-deps): Referenced in config files; @rjsf/utils is a legitimate peer of @rjsf/core and @rjsf/material-ui already declared as dependencies.	ai	2026/04/25
provenance	no-provenance	AI (provenance): Backstage is a large established OSS project; lack of Sigstore provenance is common and not a meaningful risk signal here.	ai	2026/04/25

Versions (showing 7 of 7)

Version	Deps	Published
0.9.6	24 / 14	2026-05-19
0.9.5	24 / 14	2026-04-22
0.9.4	24 / 14	2026-04-14
0.9.0	23 / 12	2026-01-20
0.8.14	24 / 12	2025-11-18
0.8.11	24 / 12	2025-08-19
0.8.8	24 / 12	2025-05-20

v0.9.6

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.8.14

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.8.11

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.8

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.