@compilot/react-sdk
ComPilot React SDK
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@nexeraid/logger | AI (dependencies): Internal org dependency (@nexeraid/*); stable pattern across versions of this package. | ai | |
| dependencies | unvetted-dep:@nexeraid/identity-api-client | AI (dependencies): Internal org dependency (@nexeraid/*); stable pattern across versions of this package. | ai | |
| provenance | no-provenance | AI (provenance): Established SDK with 367 versions; lack of provenance is consistent across all prior releases. | ai | |
| phantom-deps | phantom-dep:zod | AI (phantom-deps): SDK bundle pattern; zod likely used in type/config files rather than direct imports. | ai | |
| phantom-deps | phantom-dep:@nexeraid/identity-api-client | AI (phantom-deps): Internal org dependency; SDK bundle pattern makes phantom-dep a stable false positive. | ai | |
| phantom-deps | phantom-dep:pino | AI (phantom-deps): Logging dependency used transitively via @nexeraid/logger; phantom-dep is a stable false positive here. | ai | |
| phantom-deps | phantom-dep:@nexeraid/logger | AI (phantom-deps): Internal org dependency; likely re-exported or used in config, not a direct import. | ai | |
Versions (showing 22 of 22)
| Version | Deps | Published |
|---|---|---|
| 2.229.0 | 6 / 5 | |
| 2.226.0 | 6 / 5 | |
| 2.224.0 | 6 / 5 | |
| 2.223.0 | 6 / 5 | |
| 2.222.0 | 6 / 5 | |
| 2.221.0 | 6 / 5 | |
| 2.216.0 | 6 / 5 | |
| 2.215.0 | 6 / 5 | |
| 2.214.0 | 6 / 5 | |
| 2.211.0 | 6 / 5 | |
| 2.203.0 | 6 / 5 | |
| 2.200.0 | 6 / 5 | |
| 2.191.0 | 6 / 5 | |
| 2.175.0 | 6 / 5 | |
| 2.171.0 | 6 / 5 | |
| 2.169.0 | 6 / 5 | |
| 2.161.0 | 6 / 5 | |
| 2.155.0 | 6 / 5 | |
| 2.144.0 | 6 / 5 | |
| 2.137.0 | 6 / 5 | |
| 2.135.0 | 6 / 5 | |
| 2.131.0 | 6 / 5 | |
v2.229.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.226.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.224.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.223.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.222.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.221.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.216.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.215.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.214.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.211.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.203.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.200.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.191.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.175.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.171.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.169.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.161.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.155.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.144.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.137.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.135.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.131.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.