@codecademy/brand
Brand component library for Codecademy
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/AppHeader/AppHeaderElements/AppHeaderLiveCoursesDropdown/index.js | AI (source-diff): Long lines are emotion CSS-in-JS compiled output with embedded source maps; standard build artifact for this package. | ai | |
| source-diff | obfuscated-file:dist/InstructorCard/index.js | AI (source-diff): Long lines are Emotion CSS-in-JS compiled output with inline source maps; standard build artifact for this package. | ai | |
| dependencies | unvetted-dep:emojisplosion | AI (dependencies): Known open-source emoji animation library; stable dep for this UI package. | ai | |
| dependencies | unvetted-dep:@splidejs/splide | AI (dependencies): Known open-source carousel library; stable dep for this UI package. | ai | |
| dependencies | unvetted-dep:@splidejs/react-splide | AI (dependencies): Known React wrapper for Splide; stable dep for this UI package. | ai | |
| dependencies | unvetted-dep:@types/recurly__recurly-js | AI (dependencies): Type definitions package; no runtime risk, stable for this package. | ai | |
| dependencies | unvetted-dep:react-freezeframe | AI (dependencies): Known React wrapper for freezeframe; stable dep for this UI package. | ai | |
| dependencies | unvetted-dep:freezeframe | AI (dependencies): Known open-source GIF animation library; stable dep for this UI package. | ai | |
| phantom-deps | phantom-dep:freezeframe | AI (phantom-deps): freezeframe is a declared runtime dep used via react-freezeframe; phantom-dep heuristic fires because it's not directly imported. | ai | |
| phantom-deps | phantom-dep:@types/recurly__recurly-js | AI (phantom-deps): Type-only package loaded by convention; phantom-dep false positive for this package. | ai | |
Versions (showing 33 of 33)
| Version | Deps | Published |
|---|---|---|
| 5.8.1 | 17 / 0 | |
| 5.8.0 | 17 / 0 | |
| 5.4.0 | 17 / 0 | |
| 5.3.0 | 17 / 0 | |
| 5.2.0 | 17 / 0 | |
| 5.1.0 | 17 / 0 | |
| 5.0.0 | 17 / 0 | |
| 4.2.3 | 17 / 0 | |
| 4.2.2 | 17 / 0 | |
| 4.2.1 | 17 / 0 | |
| 4.2.0 | 17 / 0 | |
| 4.1.0 | 17 / 0 | |
| 4.0.0 | 17 / 0 | |
| 3.48.2 | 17 / 0 | |
| 3.48.0 | 17 / 0 | |
| 3.47.1 | 17 / 0 | |
| 3.47.0 | 17 / 0 | |
| 3.46.0 | 17 / 0 | |
| 3.45.0 | 17 / 0 | |
| 3.44.0 | 17 / 0 | |
| 3.43.0 | 17 / 0 | |
| 3.42.2 | 17 / 0 | |
| 3.42.1 | 17 / 0 | |
| 3.42.0 | 17 / 0 | |
| 3.41.0 | 17 / 0 | |
| 3.40.1 | 17 / 0 | |
| 3.40.0 | 17 / 0 | |
| 3.39.0 | 17 / 0 | |
| 3.38.3 | 17 / 0 | |
| 3.38.2 | 17 / 0 | |
| 3.38.1 | 17 / 0 | |
| 3.38.0 | 17 / 0 | |
| 3.37.0 | 17 / 0 |
v5.8.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.3.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.48.2
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.48.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.47.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.47.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.46.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.45.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.44.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.43.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.42.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.42.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.42.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.41.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.40.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.40.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.39.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.38.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.38.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.38.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.38.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.37.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.