@backstage/plugin-org-react

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

patrikofrebenmarcuseide

Keywords

backstage

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
npm-metadata	no-description	AI (npm-metadata): Backstage monorepo plugin; description omitted by design, stable across versions.	ai	2026/05/26
provenance	no-provenance	AI (provenance): Backstage org publishes without Sigstore; not a security concern for this established package.	ai	2026/05/26
dependencies	unvetted-dep:@backstage/core-plugin-api	AI (dependencies): @backstage/core-plugin-api is a core dependency of the official Backstage framework; expected and legitimate for this package.	ai	2026/04/25
dependencies	unvetted-dep:@material-ui/lab	AI (dependencies): @material-ui/lab is a well-known, widely-used Material UI package; stable false positive for this Backstage plugin.	ai	2026/04/25
phantom-deps	phantom-dep:@backstage/catalog-client	AI (phantom-deps): Monorepo publishing pattern; @backstage/catalog-client is a same-org dep that may be used indirectly. Not a security concern.	ai	2026/04/25
dependencies	unvetted-dep:@backstage/plugin-catalog-react	AI (dependencies): @backstage/plugin-catalog-react is a standard Backstage plugin dependency; expected and legitimate for this package.	ai	2026/04/25
dependencies	unvetted-dep:@material-ui/icons	AI (dependencies): @material-ui/icons is a well-known, widely-used Material UI package; stable false positive for this Backstage plugin.	ai	2026/04/25