@commercetools/nimbus
To install dependencies:
Versions: 3
License: —
Install Scripts: Yes
Provenance: Verified
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
No source commit
Maintainers
commercetools-adminemmenkohajoeichlertdeekensjenschudechukwuemeka
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): @react-aria/utils is a well-known, established React Aria utility; not a suspicious addition. | ai | |
| phantom-deps | phantom-dep:@react-aria/utils | AI (phantom-deps): Bundled react-aria ecosystem dep; phantom detection is a stable false positive for this package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Large file additions are source maps and compiled chunks from new UI components; consistent with normal build output for this package. | ai | |
| phantom-deps | phantom-dep:is-hotkey | AI (phantom-deps): Keyboard shortcut utility for UI components; referenced in config, stable false positive. | ai | |
| phantom-deps | phantom-dep:escape-html | AI (phantom-deps): HTML escaping utility for UI components; stable false positive. | ai | |
| phantom-deps | phantom-dep:use-debounce | AI (phantom-deps): React hook for debouncing; stable false positive for this UI library. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Runs chakra typegen conditionally on dist file existence; standard Chakra UI theme typing step, stable for this package. | ai | |
| phantom-deps | phantom-dep:@react-aria/interactions | AI (phantom-deps): React Aria interaction primitives; stable false positive for this UI library. | ai | |
| phantom-deps | phantom-dep:@github-ui/storybook-addon-performance-panel | AI (phantom-deps): Storybook dev tooling; referenced in config only, stable false positive. | ai | |
| phantom-deps | phantom-dep:@emotion/is-prop-valid | AI (phantom-deps): Emotion CSS-in-JS utility; stable false positive for Chakra-based UI library. | ai | |
| phantom-deps | phantom-dep:@chakra-ui/cli | AI (phantom-deps): Used by postinstall for chakra typegen; referenced in scripts, not direct imports. | ai | |
| phantom-deps | phantom-dep:dequal | AI (phantom-deps): UI library dependency likely used transitively or in config; stable false positive. | ai | |
v3.0.0
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.11.0
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.10.0
2 findings
HIGH
Package has 'postinstall' script
install-scripts
Script: test -f ./dist/index.es.js && chakra typegen ./dist/index.es.js || true
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.