@backstage/plugin-scaffolder-react

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

patrikofrebenmarcuseide

Keywords

backstage

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	new-deps-added	AI (publish-pattern): New deps are established, reputable packages consistent with a major version UI overhaul.	ai	2026/05/20
provenance	no-provenance	AI (provenance): Provenance is aspirational; absence is not a security signal for established packages.	ai	2026/05/09
dependencies	unvetted-dep:zen-observable	AI (dependencies): Stable observable library used by Backstage ecosystem; phantom-dep finding confirms it's a config-level reference.	ai	2026/05/02
dependencies	unvetted-dep:@material-ui/lab	AI (dependencies): Pinned alpha version of MUI lab; standard Backstage v4 MUI dependency, stable across versions.	ai	2026/05/02
phantom-deps	phantom-dep:zen-observable	AI (phantom-deps): zen-observable is a declared runtime dep; phantom-dep heuristic is a false positive for this package.	ai	2026/04/27
phantom-deps	phantom-dep:@backstage/theme	AI (phantom-deps): Same-org Backstage package; phantom-dep detection is a stable false positive for this monorepo plugin.	ai	2026/04/27
phantom-deps	phantom-dep:ajv	AI (phantom-deps): ajv is used via @rjsf/validator-ajv8 and config; phantom-dep is a stable false positive here.	ai	2026/04/27
phantom-deps	phantom-dep:@backstage/catalog-client	AI (phantom-deps): Same-org Backstage package; phantom-dep detection is a stable false positive for this monorepo plugin.	ai	2026/04/27
phantom-deps	phantom-dep:@types/json-schema	AI (phantom-deps): Type-only package loaded by convention; phantom-dep false positive for this package.	ai	2026/04/27
phantom-deps	phantom-dep:immer	AI (phantom-deps): immer is a peer/transitive dep of use-immer; phantom-dep is a stable false positive here.	ai	2026/04/27

Versions (showing 14 of 14)

Version	Deps	Published
2.0.0	39 / 17	2026-05-19
1.20.1	36 / 17	2026-04-14
1.20.0	36 / 17	2026-03-17
1.19.7	36 / 17	2026-02-17
1.19.6	36 / 16	2026-01-28
1.19.5	36 / 16	2026-01-20
1.19.4	36 / 16	2025-12-16
1.19.3	36 / 17	2025-11-18
1.19.2	36 / 17	2025-10-14
1.19.1	36 / 17	2025-09-16
1.19.0	36 / 17	2025-08-19
1.18.0	36 / 17	2025-07-15
1.17.0	36 / 17	2025-06-17
1.16.0	36 / 17	2025-05-20

v2.0.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.