@blueprintjs/core
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | large-new-source-files | AI (source-diff): Blueprint ships full source in its package (src/ in files array). Large file counts are expected for this component library across version bumps. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): react-uid and use-sync-external-store are legitimate, well-known React ecosystem packages appropriate for a UI component library. Addition is consistent with documented React 18 compatibility work. | ai | |
| provenance | no-provenance | AI (provenance): Established Palantir package with long history; lack of Sigstore attestation is a best-practice gap, not a security risk for this publisher. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): @blueprintjs/core is the official Palantir Blueprint UI library, not a typosquat of 'cors'. The name match is purely coincidental; this is a stable false positive for this scoped package. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Blueprint is a mature Palantir UI library; dormancy periods are consistent with the project's development cadence. No signs of account takeover — deps, scripts, and structure are all consistent with prior approved versions. | ai | |
| dependencies | unvetted-dep:@popperjs/core | AI (dependencies): @popperjs/core is a well-known positioning library; its use in a UI component library like @blueprintjs/core is expected and legitimate. | ai | |
| phantom-deps | phantom-dep:normalize.css | AI (phantom-deps): normalize.css is a CSS-only dependency used in build/sass compilation; not directly imported in JS is expected for CSS deps in UI libraries. | ai | |
Versions (showing 51 of 75)
| Version | Deps | Published |
|---|---|---|
| 6.12.0 | 10 / 23 | |
| 6.11.3 | 10 / 23 | |
| 6.11.2 | 10 / 23 | |
| 6.11.1 | 10 / 23 | |
| 6.11.0 | 10 / 23 | |
| 6.10.0 | 10 / 23 | |
| 6.9.1 | 10 / 23 | |
| 6.9.0 | 10 / 23 | |
| 6.6.0 | 9 / 17 | |
| 6.5.0 | 9 / 17 | |
| 6.4.1 | 9 / 17 | |
| 6.3.2 | 9 / 16 | |
| 6.3.1 | 9 / 16 | |
| 6.3.0 | 9 / 16 | |
| 6.2.1 | 9 / 16 | |
| 6.2.0 | 9 / 16 | |
| 6.1.0 | 9 / 16 | |
| 6.0.0 | 9 / 16 | |
| 5.19.1 | 10 / 16 | |
| 5.19.0 | 10 / 16 | |
| 5.18.0 | 10 / 16 | |
| 5.17.6 | 10 / 16 | |
| 5.17.5 | 10 / 16 | |
| 5.17.4 | 10 / 16 | |
| 5.17.3 | 10 / 16 | |
| 5.17.2 | 10 / 16 | |
| 5.17.1 | 10 / 16 | |
| 5.17.0 | 10 / 16 | |
| 5.16.6 | 10 / 16 | |
| 5.16.5 | 10 / 16 | |
| 5.16.4 | 10 / 16 | |
| 5.16.3 | 10 / 16 | |
| 5.16.2 | 10 / 16 | |
| 5.16.1 | 10 / 14 | |
| 5.16.0 | 10 / 14 | |
| 5.15.0 | 10 / 14 | |
| 5.14.2 | 10 / 14 | |
| 5.14.1 | 10 / 14 | |
| 5.14.0 | 10 / 14 | |
| 5.13.1 | 10 / 14 | |
| 5.13.0 | 10 / 14 | |
| 5.12.0 | 10 / 14 | |
| 5.11.0 | 10 / 14 | |
| 5.10.5 | 10 / 14 | |
| 5.10.4 | 10 / 14 | |
| 5.10.3 | 10 / 14 | |
| 5.10.2 | 10 / 14 | |
| 5.10.1 | 10 / 14 | |
| 5.10.0 | 10 / 14 | |
| 5.9.1 | 10 / 14 | |
| 5.9.0 | 10 / 14 | |
v6.12.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.10.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.9.1
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: blueprintjs.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.9.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.6.0
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: blueprintjs.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.5.0
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: blueprintjs.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.1
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: blueprintjs.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.19.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.19.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.18.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.17.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.17.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.17.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.17.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.17.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.17.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.17.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.16.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.16.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.16.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.16.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.16.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.16.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.16.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.15.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.14.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.14.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.14.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.13.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.13.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.12.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.11.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.10.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.10.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.10.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.10.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.10.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.10.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.9.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.9.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.