@ckeditor/ckeditor5-uploadcare SEE LICENSE IN LICENSE.md 5 versions

@ckeditor/ckeditor5-uploadcare

npm Homepage

Uploadcare feature for CKEditor 5.

Versions

SEE LICENSE IN LICENSE.md

License

Install Scripts

Missing

Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

ckeditor

Keywords

CKEditorckeditor5ckeditor 5WYSIWYGWYSIWYWtextrich-textrichtexteditoreditinghtmloperational transformationotUploadcareframework

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:@uploadcare/file-uploader	AI (dependencies): This is the official Uploadcare file uploader SDK, expected and legitimate for a CKEditor Uploadcare integration plugin.	ai	2026/04/26
dependencies	unvetted-dep:@uploadcare/upload-client	AI (dependencies): This is the official Uploadcare upload client SDK, expected and legitimate for a CKEditor Uploadcare integration plugin.	ai	2026/04/26
phantom-deps	phantom-dep:@ckeditor/ckeditor5-icons	AI (phantom-deps): Icons package is a same-org dependency used in build/config context; not directly imported in source but legitimately declared as a dep in the CKEditor5 monorepo pattern.	ai	2026/04/25
phantom-deps	phantom-dep:@uploadcare/upload-client	AI (phantom-deps): Referenced in config files as documented; legitimate dependency for the Uploadcare integration. Not a phantom in the malicious sense.	ai	2026/04/25
provenance	no-provenance	AI (provenance): CKEditor5 packages are published by an established vendor (CKSource); lack of Sigstore provenance is common and not a risk signal for this publisher.	ai	2026/04/25

Versions (showing 5 of 5)

Version	Deps	Published
48.2.0	9 / 0	2026-06-02
48.1.1	9 / 0	2026-05-18
48.1.0	9 / 0	2026-05-13
48.0.1	9 / 0	2026-04-22
48.0.0	9 / 0	2026-03-31

v48.2.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v48.1.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v48.1.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v48.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v48.0.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.