
@cloudscape-design/components

Versions: 6
License: (not shown)
Install scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

- SLSA provenance: none
- npm registry signatures: present
- Source commit: none

Without SLSA provenance there is no cryptographic link between this tarball and the public source. The registry signature only proves that npm is serving the tarball it ingested; it says nothing about which repository, commit or build produced it. The axios compromise (March 2026) relied on exactly this gap.

Maintainers

awsui-ci

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | large-new-source-files | AI (source-diff): Rapidly versioned large component library; new source files reflect new components, not injected code. | ai |
publish-pattern | dormant-publish | AI (publish-pattern): Active package with 1296 versions; dormant-publish is a false positive for this high-frequency publisher. | ai |
dependencies | unvetted-dep:@cloudscape-design/test-utils-core | AI (dependencies): First-party AWS Cloudscape package; stable dependency. | ai |
dependencies | unvetted-dep:@cloudscape-design/theming-runtime | AI (dependencies): First-party AWS Cloudscape package; stable dependency. | ai |
dependencies | unvetted-dep:mnth | AI (dependencies): Legitimate calendar utility; stable dependency of this package across versions. | ai |
dependencies | unvetted-dep:@cloudscape-design/component-toolkit | AI (dependencies): First-party AWS Cloudscape package; stable dependency. | ai |
provenance | no-provenance | AI (provenance): Established AWS CI publisher; lack of Sigstore provenance is common and not a risk signal here. | ai |
dependencies | unvetted-dep:@cloudscape-design/collection-hooks | AI (dependencies): First-party AWS Cloudscape package; stable dependency. | ai |
dependencies | unvetted-dep:weekstart | AI (dependencies): Legitimate week-start locale utility; stable dependency of this package. | ai |

Versions (showing 6 of 6)

Version | Deps | Published
3.0.1302 | 17 / 0 |
3.0.1295 | 17 / 0 |
3.0.1287 | 17 / 0 |
3.0.1286 | 17 / 0 |
3.0.1271 | 17 / 0 |
3.0.1256 | 17 / 0 |

v3.0.1302

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.1295

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.1271

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.0.1256

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.