@cloud-ru/uikit-product-icons
## Installation
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/cjs/components/flag-icons/Afghanistan.js | AI (source-diff): Long lines are SVG path data in compiled TypeScript output, not obfuscation. Stable pattern for this icon library. | ai | |
| source-diff | obfuscated-file:dist/esm/components/flag-icons/Afghanistan.js | AI (source-diff): Same as CJS counterpart — SVG path data in compiled ESM output, not obfuscation. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Icon library adding flag/logo icon sets; large file counts are expected for this package type. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase reflects new icon categories (flags, logos, sprites); consistent with package purpose. | ai | |
| provenance | no-provenance | AI (provenance): Provenance absence is common; no other risk signals present for this package. | ai |
Versions (showing 4 of 4)
| Version | Deps | Published |
|---|---|---|
| 17.4.0 | 2 / 12 | |
| 17.3.0 | 2 / 12 | |
| 17.2.0 | 2 / 12 | |
| 15.1.1 | 2 / 13 |
v17.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.2.0
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.