@blocknote/react
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/defaultCommentEditorSchema-Cow33c_f.cjs | AI (source-diff): Standard Vite CJS bundle output; minified but readable React component code. | ai | |
| source-diff | obfuscated-file:dist/FloatingThreadController-BDiAihkl.cjs | AI (source-diff): Standard Vite CJS bundle output; minified but readable React component code. | ai | |
| source-diff | obfuscated-file:dist/defaultCommentEditorSchema-5lMwQ_SX.cjs | AI (source-diff): Standard Vite CJS bundle output; minified but not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/FloatingThreadController-pjc8XgLI.cjs | AI (source-diff): Standard Vite CJS bundle output; minified but not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/FloatingThreadController-CIHycitO.cjs | AI (source-diff): Standard Vite/Rollup CJS bundle output with readable code; stable for this package. | ai | |
| phantom-deps | phantom-dep:lodash.merge | AI (phantom-deps): Listed as dependency and used transitively; phantom-dep heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:@floating-ui/utils | AI (phantom-deps): Declared dependency used by floating-ui internals; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/use-sync-external-store | AI (phantom-deps): Type-only package loaded by convention; stable false positive for this package. | ai |
Versions (showing 9 of 9)
| Version | Deps | Published |
|---|---|---|
| 0.51.4 | 14 / 16 | |
| 0.51.3 | 14 / 16 | |
| 0.51.2 | 14 / 16 | |
| 0.51.1 | 14 / 16 | |
| 0.51.0 | 14 / 16 | |
| 0.50.0 | 14 / 16 | |
| 0.49.0 | 14 / 16 | |
| 0.48.1 | 14 / 17 | |
| 0.48.0 | 14 / 17 |
v0.51.4
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.51.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.51.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.51.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.51.0
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.50.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.49.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.