@boostxyz/boost-ui — Greenflagged

## Best Practice

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

moimikeyccashwelljamieboostquaziasammccord

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:dist/components/Avatar/Avatar.cjs	AI (source-diff): Standard tsup minified build output for Radix UI component.	ai	2026/06/02
source-diff	obfuscated-file:dist/components/Dialog/Dialog.js	AI (source-diff): Standard tsup minified ESM build output for Radix UI component.	ai	2026/06/02
source-diff	obfuscated-file:dist/components/Skeleton/BaseSkeleton.js	AI (source-diff): Standard tsup minified ESM build output for Radix UI component.	ai	2026/06/02
source-diff	obfuscated-file:dist/components/Dialog/BaseDialog.js	AI (source-diff): Standard tsup minified ESM build output for Radix UI component.	ai	2026/06/02
source-diff	obfuscated-file:dist/components/Avatar/BaseAvatar.js	AI (source-diff): Standard tsup minified ESM build output for Radix UI component.	ai	2026/06/02
source-diff	obfuscated-file:dist/components/Avatar/Avatar.js	AI (source-diff): Standard tsup minified ESM build output for Radix UI component.	ai	2026/06/02
source-diff	obfuscated-file:dist/components/Skeleton/Skeleton.cjs	AI (source-diff): Standard tsup minified build output for Radix UI component.	ai	2026/06/02
source-diff	obfuscated-file:dist/components/Skeleton/index.cjs	AI (source-diff): Standard tsup minified build output for Radix UI component.	ai	2026/06/02
source-diff	obfuscated-file:dist/components/Dialog/index.cjs	AI (source-diff): Standard tsup minified build output for Radix UI component.	ai	2026/06/02
source-diff	obfuscated-file:dist/components/Avatar/index.cjs	AI (source-diff): Standard tsup minified build output for Radix UI component.	ai	2026/06/02
source-diff	obfuscated-file:dist/components/Dialog/Dialog.cjs	AI (source-diff): Standard tsup minified build output for Radix UI component.	ai	2026/06/02
source-diff	obfuscated-file:dist/components/Skeleton/BaseSkeleton.cjs	AI (source-diff): Standard tsup minified build output for Radix UI component.	ai	2026/06/02
source-diff	obfuscated-file:dist/components/Dialog/BaseDialog.cjs	AI (source-diff): Standard tsup minified build output for Radix UI component.	ai	2026/06/02
source-diff	obfuscated-file:dist/components/Avatar/BaseAvatar.cjs	AI (source-diff): Standard tsup minified build output for Radix UI component.	ai	2026/06/02
source-diff	obfuscated-file:dist/components/Accordion/BaseAccordion.cjs	AI (source-diff): Standard tsup minified bundle output for a React UI component; no malicious patterns.	ai	2026/06/01
source-diff	obfuscated-file:dist/components/Accordion/index.js	AI (source-diff): Standard tsup minified bundle output for a React UI component; no malicious patterns.	ai	2026/06/01
source-diff	obfuscated-file:dist/components/Accordion/BaseAccordion.js	AI (source-diff): Standard tsup minified bundle output for a React UI component; no malicious patterns.	ai	2026/06/01
source-diff	obfuscated-file:dist/components/Accordion/Accordion.js	AI (source-diff): Standard tsup minified bundle output for a React UI component; no malicious patterns.	ai	2026/06/01
source-diff	obfuscated-file:dist/components/Accordion/index.cjs	AI (source-diff): Standard tsup minified bundle output for a React UI component; no malicious patterns.	ai	2026/06/01
source-diff	obfuscated-file:dist/components/Accordion/Accordion.cjs	AI (source-diff): Standard tsup minified bundle output for a React UI component; no malicious patterns.	ai	2026/06/01
source-diff	obfuscated-file:dist/components/IconOrAvatar/IconOrAvatar.cjs	AI (source-diff): Standard tsup minified build output; imports only @radix-ui/react-avatar and react, no malicious patterns.	ai	2026/05/31
source-diff	obfuscated-file:dist/components/IconOrAvatar/index.js	AI (source-diff): Standard tsup minified ESM build output; imports only @radix-ui/react-avatar and react, no malicious patterns.	ai	2026/05/31
source-diff	obfuscated-file:dist/components/IconOrAvatar/IconOrAvatar.js	AI (source-diff): Standard tsup minified ESM build output; imports only @radix-ui/react-avatar and react, no malicious patterns.	ai	2026/05/31
source-diff	obfuscated-file:dist/components/IconOrAvatar/BaseIconOrAvatar.js	AI (source-diff): Standard tsup minified ESM build output; imports only @radix-ui/react-avatar and react, no malicious patterns.	ai	2026/05/31
source-diff	obfuscated-file:dist/components/IconOrAvatar/index.cjs	AI (source-diff): Standard tsup minified build output; imports only @radix-ui/react-avatar and react, no malicious patterns.	ai	2026/05/31
source-diff	obfuscated-file:dist/components/IconOrAvatar/BaseIconOrAvatar.cjs	AI (source-diff): Standard tsup minified build output; imports only @radix-ui/react-avatar and react, no malicious patterns.	ai	2026/05/31
provenance	publisher-changed	AI (provenance): jamieboost is an established publisher (54 approved/0 rejected) within the boostxyz org; transition from moimikey appears to be a legitimate organizational maintainer handoff.	ai	2026/04/24
publish-pattern	new-deps-added	AI (publish-pattern): vaul is a well-known legitimate React drawer library by emilkowalski; adding it to a UI component library is expected and benign.	ai	2026/04/24
maintainer-change	maintainer-added	AI (maintainer-change): jamieboost added within the @boostxyz org by a publisher with clean track record; routine team expansion for an established UI library.	ai	2026/04/24
source-diff	source-size-dropped	AI (source-diff): Size drop from 4MB to 266KB reflects removal of bloated artifacts/bundled output; consistent with package restructuring, not code replacement.	ai	2026/04/24
source-diff	large-new-source-files	AI (source-diff): UI component library using shadcn pattern; adding many component files is expected as the library grows.	ai	2026/04/24
dependencies	unvetted-dep:class-variance-authority	AI (dependencies): class-variance-authority (CVA) is a widely-used library for component variant management. Standard dependency for shadcn/ui-style component libraries.	ai	2026/04/23
dependencies	unvetted-dep:tailwindcss-animate	AI (dependencies): tailwindcss-animate is a common Tailwind CSS animation plugin. Expected dependency for a Tailwind-based UI library.	ai	2026/04/23
dependencies	unvetted-dep:tailwind-merge	AI (dependencies): tailwind-merge is a well-known, widely-used utility for merging Tailwind CSS classes. Stable false positive for this UI library package.	ai	2026/04/23
phantom-deps	phantom-dep:@radix-ui/react-avatar	AI (phantom-deps): Radix UI components may be referenced in config/barrel files without direct imports in every source file. Normal pattern for a component library.	ai	2026/04/23
phantom-deps	phantom-dep:tailwindcss-animate	AI (phantom-deps): Tailwind plugins are referenced in config files (tailwind.config.ts) rather than direct JS imports — this is the expected usage pattern for Tailwind plugins.	ai	2026/04/23
dependencies	unvetted-dep:@radix-ui/react-progress	AI (dependencies): Part of the well-known @radix-ui primitive library used extensively in React UI development.	ai	2026/04/21
dependencies	unvetted-dep:@radix-ui/react-tooltip	AI (dependencies): Part of the well-known @radix-ui primitive library used extensively in React UI development.	ai	2026/04/21
dependencies	unvetted-dep:@radix-ui/react-toggle	AI (dependencies): Part of the well-known @radix-ui primitive library used extensively in React UI development.	ai	2026/04/21
dependencies	unvetted-dep:@radix-ui/react-switch	AI (dependencies): Part of the well-known @radix-ui primitive library used extensively in React UI development.	ai	2026/04/21
dependencies	unvetted-dep:@radix-ui/react-select	AI (dependencies): Part of the well-known @radix-ui primitive library used extensively in React UI development.	ai	2026/04/21
dependencies	unvetted-dep:@radix-ui/react-dialog	AI (dependencies): Part of the well-known @radix-ui primitive library used extensively in React UI development.	ai	2026/04/21
dependencies	unvetted-dep:@radix-ui/react-avatar	AI (dependencies): Part of the well-known @radix-ui primitive library used extensively in React UI development.	ai	2026/04/21
dependencies	unvetted-dep:@tanstack/react-table	AI (dependencies): TanStack Table is a widely-used, well-maintained React table library with no known security issues.	ai	2026/04/21
dependencies	unvetted-dep:@radix-ui/react-icons	AI (dependencies): Part of the well-known @radix-ui primitive library used extensively in React UI development.	ai	2026/04/21
dependencies	unvetted-dep:@radix-ui/react-tabs	AI (dependencies): Part of the well-known @radix-ui primitive library used extensively in React UI development.	ai	2026/04/21
dependencies	unvetted-dep:sonner	AI (dependencies): sonner is a legitimate, popular React toast notification library. Not a security risk for this UI package.	ai	2026/04/21
dependencies	unvetted-dep:vaul	AI (dependencies): vaul is a legitimate, widely-used React drawer component library. Not a security risk for this UI package.	ai	2026/04/21
provenance	no-provenance	AI (provenance): Lack of provenance is common (~88% of npm packages); no other risk signals present to elevate this concern.	ai	2026/04/21
phantom-deps	phantom-dep:@radix-ui/react-switch	AI (phantom-deps): Declared as a dependency and referenced in config files; common pattern in UI libraries. Not a security concern.	ai	2026/04/21
phantom-deps	phantom-dep:@tanstack/react-table	AI (phantom-deps): Declared as a dependency and referenced in config files; common pattern in UI libraries. Not a security concern.	ai	2026/04/21
dependencies	unvetted-dep:@radix-ui/react-dropdown-menu	AI (dependencies): Part of the well-known @radix-ui primitive library used extensively in React UI development.	ai	2026/04/21
dependencies	unvetted-dep:@radix-ui/react-toggle-group	AI (dependencies): Part of the well-known @radix-ui primitive library used extensively in React UI development.	ai	2026/04/21
dependencies	unvetted-dep:@radix-ui/react-separator	AI (dependencies): Part of the well-known @radix-ui primitive library used extensively in React UI development.	ai	2026/04/21
dependencies	unvetted-dep:@radix-ui/react-accordion	AI (dependencies): Part of the well-known @radix-ui primitive library used extensively in React UI development.	ai	2026/04/21

Versions (showing 33 of 33)

Version	Deps	Published
0.15.1	19 / 19	2024-12-05
0.15.0	19 / 19	2024-12-05
0.14.0	19 / 19	2024-12-03
0.13.2	19 / 19	2024-11-26
0.13.1	19 / 19	2024-11-22
0.13.0	19 / 19	2024-11-22
0.12.1	19 / 19	2024-11-15
0.12.0	19 / 19	2024-11-13
0.11.2	19 / 19	2024-11-12
0.11.1	19 / 19	2024-11-12
0.11.0	19 / 19	2024-11-12
0.10.3	18 / 19	2024-11-07
0.10.2	18 / 19	2024-11-07
0.10.1	18 / 19	2024-11-05
0.9.2	18 / 19	2024-11-01
0.9.1	18 / 19	2024-11-01
0.9.0	18 / 19	2024-11-01
0.8.0	18 / 19	2024-11-01
0.7.0	18 / 19	2024-10-31
0.6.0	18 / 19	2024-10-25
0.5.3	17 / 19	2024-10-16
0.5.2	17 / 19	2024-10-16
0.5.1	17 / 19	2024-10-15
0.4.0	15 / 19	2024-10-15
0.2.6	14 / 19	2024-10-07
0.2.5	14 / 19	2024-10-02
0.2.4	14 / 19	2024-09-30
0.2.3	13 / 19	2024-09-30
0.2.2	12 / 19	2024-09-23
0.2.1	12 / 19	2024-09-23
0.2.0	12 / 19	2024-09-20
0.1.1	12 / 19	2024-09-19
0.1.0	16 / 15	2024-09-18

v0.15.1

2 findings

HIGH Publisher changed: moimikey → jamieboost (on 2024-12-05) provenance

This version was published by a different npm account than previous versions on 2024-12-05. This could indicate a legitimate maintainer transition or an account compromise.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.15.0

2 findings

HIGH Publisher changed: moimikey → jamieboost (on 2024-12-05) provenance

This version was published by a different npm account than previous versions on 2024-12-05. This could indicate a legitimate maintainer transition or an account compromise.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.14.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.13.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.13.1

2 findings

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: moimikey → jamieboost (on 2024-11-22, known maintainer) provenance

This version was published by a different npm account (jamieboost) than the most recent previously approved version (moimikey) on 2024-11-22, but jamieboost is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v0.13.0

2 findings

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: jamieboost → moimikey (on 2024-11-22, known maintainer) provenance

This version was published by a different npm account (moimikey) than the most recent previously approved version (jamieboost) on 2024-11-22, but moimikey is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v0.12.1

2 findings

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: jamieboost → moimikey (on 2024-11-15, known maintainer) provenance

This version was published by a different npm account (moimikey) than the most recent previously approved version (jamieboost) on 2024-11-15, but moimikey is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v0.12.0

2 findings

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: jamieboost → moimikey (on 2024-11-13, known maintainer) provenance

This version was published by a different npm account (moimikey) than the most recent previously approved version (jamieboost) on 2024-11-13, but moimikey is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v0.11.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.11.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.11.0

2 findings

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: moimikey → jamieboost (on 2024-11-12, known maintainer) provenance

This version was published by a different npm account (jamieboost) than the most recent previously approved version (moimikey) on 2024-11-12, but jamieboost is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v0.10.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.1

2 findings

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: jamieboost → moimikey (on 2024-11-05, known maintainer) provenance

This version was published by a different npm account (moimikey) than the most recent previously approved version (jamieboost) on 2024-11-05, but moimikey is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v0.9.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.0

2 findings

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: moimikey → jamieboost (on 2024-11-01, known maintainer) provenance

This version was published by a different npm account (jamieboost) than the most recent previously approved version (moimikey) on 2024-11-01, but jamieboost is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v0.8.0

2 findings

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: moimikey → jamieboost (on 2024-11-01, known maintainer) provenance

This version was published by a different npm account (jamieboost) than the most recent previously approved version (moimikey) on 2024-11-01, but jamieboost is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v0.7.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.0

28 findings

HIGH New obfuscated file: dist/components/Accordion/Accordion.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/Avatar/Avatar.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/Accordion/BaseAccordion.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/Avatar/BaseAvatar.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/Skeleton/BaseSkeleton.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/Dialog/Dialog.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/DropdownMenu/DropdownMenu.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/Accordion/index.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/Avatar/index.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/Dialog/index.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/DropdownMenu/index.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/Skeleton/index.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/Toast/index.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/Tooltip/index.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/Skeleton/Skeleton.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/Toast/Toast.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/Tooltip/Tooltip.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/Accordion/Accordion.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/Avatar/Avatar.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/Accordion/BaseAccordion.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/Avatar/BaseAvatar.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/Skeleton/BaseSkeleton.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/Dialog/Dialog.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/DropdownMenu/DropdownMenu.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/Accordion/index.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/Avatar/index.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/components/Dialog/index.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.2

30 findings