@blueprintjs/core @6.12.1
rejected
This version was rejected.
It did not pass GreenFlagged's security review and is not served by the registry.
The findings and risk dispositions below explain why.
Risk Score: 38
License: —
Install Scripts: No
Dependencies: 9
Dev Dependencies: 23
Package Size: 1247.1 KB
Published:
Maintainers: blueprintjs
Keywords: palantir, blueprint, components, styles, theme, ui
Dependencies (9)
| Package | Constraint | Registry Status |
|---|---|---|
| tslib | ~2.6.2 | auto_approved |
| classnames | ^2.3.1 | auto_approved |
| react-popper | ^2.3.0 | auto_approved |
| normalize.css | ^8.0.1 | auto_approved |
| @popperjs/core | ^2.11.8 | pending |
| @blueprintjs/icons | ^6.9.1 | needs_review |
| @floating-ui/react | ^0.27.13 | auto_approved |
| @blueprintjs/colors | ^5.1.16 | auto_approved |
| react-transition-group | ^4.4.5 | auto_approved |
Dev Dependencies (23)
| Package | Constraint | Registry Status |
|---|---|---|
| tsx | ^4.21.0 | auto_approved |
| jsdom | ^27.1.0 | auto_approved |
| react | ^18.3.1 | auto_approved |
| culori | ^4.0.2 | auto_approved |
| enzyme | ^3.11.0 | auto_approved |
| vitest | 4.0.7 | auto_approved |
| react-dom | ^18.3.1 | auto_approved |
| typescript | ~5.9.3 | auto_approved |
| change-case | ^4.1.2 | auto_approved |
| npm-run-all | ^4.1.5 | auto_approved |
| webpack-cli | ^5.1.4 | pending |
| @types/culori | ^4.0.1 | auto_approved |
| style-dictionary | ^5.0.3 | auto_approved |
| react-test-renderer | ^18.3.1 | auto_approved |
| @testing-library/dom | ^10.4.0 | auto_approved |
| @vitejs/plugin-react | ^5.1.0 | auto_approved |
| @testing-library/react | ^16.1.0 | auto_approved |
| @blueprintjs/test-commons | ^4.0.4 | Not imported |
| @testing-library/jest-dom | ^6.9.1 | auto_approved |
| @testing-library/user-event | ^14.6.1 | auto_approved |
| @tokens-studio/sd-transforms | ^2.0.3 | pending |
| @blueprintjs/stylelint-plugin | ^5.2.3 | Not imported |
| @blueprintjs/node-build-scripts | ^10.0.0 | Not imported |
Transitive Dependency Tree
23 transitive deps, max depth 5
├─ @blueprintjs/colors ^5.1.16 → 5.1.16
├─ @blueprintjs/icons ^6.9.1
├─ @floating-ui/react ^0.27.13 → 0.27.19
├─ @popperjs/core ^2.11.8
├─ classnames ^2.3.1 → 2.5.1
├─ normalize.css ^8.0.1 → 8.0.1
├─ react-popper ^2.3.0 → 2.3.0
├─ react-transition-group ^4.4.5 → 4.4.5
├─ tslib ~2.6.2 → 2.6.3
├─ @babel/runtime ^7.5.5 → 7.29.2
├─ @floating-ui/react-dom ^2.1.8 → 2.1.8
├─ @floating-ui/utils ^0.2.11 → 0.2.11
├─ dom-helpers ^5.0.1
├─ loose-envify ^1.4.0 → 1.4.0
├─ prop-types ^15.6.2 → 15.8.1
├─ react-fast-compare ^3.0.1 → 3.2.2
├─ tabbable ^6.0.0 → 6.4.0
├─ tslib ~2.6.2 → 2.6.3
├─ warning ^4.0.2 → 4.0.3
├─ @floating-ui/dom ^1.7.6 → 1.7.6
├─ js-tokens ^3.0.0 || ^4.0.0 → 4.0.0
├─ loose-envify ^1.0.0 → 1.4.0
├─ loose-envify ^1.4.0 → 1.4.0
├─ object-assign ^4.1.1 → 4.1.1
├─ react-is ^16.13.1 → 16.13.1
├─ @floating-ui/core ^1.7.5 → 1.7.5
├─ @floating-ui/utils ^0.2.11 → 0.2.11
├─ js-tokens ^3.0.0 || ^4.0.0 → 4.0.0
├─ @floating-ui/utils ^0.2.11 → 0.2.11
Changes from v6.12.0
Dependency Changes
| Change | Package | Version |
|---|---|---|
| removed | use-sync-external-store | ^1.2.0 |
| changed | @blueprintjs/icons | ^6.9.0 → ^6.9.1 |
File Changes
16 added, 0 removed, 56 modified; size delta: +86.9 KB
Risk Dispositions (1 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| publisher-changed | provenance | reject | AI | AI (provenance): Publisher changed from blueprintjs to CircleCI — an unrelated entity with no prior history on this package. Combined with 832 days dormancy, this is a strong account-takeover signal that generalizes to future versions until resolved. |
SAST Findings (2)
| Severity | Finding | Source | Description |
|---|---|---|---|
| HIGH | Publisher changed: blueprintjs → CircleCI (on 2026-04-23) | provenance | This version was published by a different npm account than previous versions on 2026-04-23. This could indicate a legitimate maintainer transition or an account compromise. |
| LOW | No provenance attestation | provenance | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
Review Summary
Risk score: 38. Findings: 1 high (+25), 1 medium (+10), 1 low (+3), 2 info (+0).
Published to npm: