@coursebuilder/ui

- Versions: 3
- License: —
- Install Scripts: No
- Provenance: Missing

Supply chain provenance
Status for the latest visible version.
- No SLSA provenance
- npm registry signatures
- No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers: joelhooks
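The three status lines above correspond to three fields in the npm registry's per-version metadata: `dist.attestations` (a Sigstore/SLSA provenance attestation, present only when the package was published with `npm publish --provenance`), `dist.signatures` (the registry's own signature over the tarball, which proves the registry served it but says nothing about where it was built), and `gitHead` (a self-reported commit hash, unverified). The following is an added example, not the scanner's code, that classifies a version document from `https://registry.npmjs.org/<name>` by those fields. The two sample documents are constructed for the example; the second mirrors this package's status but is not its real metadata. Treating a missing `gitHead` as "no source commit" is this example's assumption about what the dashboard means.

```python
"""Classify an npm version document by provenance, registry signature and
recorded source commit. Added example; not the scanner's code.
"""
from dataclasses import dataclass
from typing import Optional

SLSA_PREDICATES = ("https://slsa.dev/provenance/v1", "https://slsa.dev/provenance/v0.2")


@dataclass(frozen=True)
class ProvenanceStatus:
    slsa_provenance: bool           # dist.attestations.provenance with a SLSA predicateType
    registry_signatures: bool       # dist.signatures[] with keyid + sig (registry-issued)
    source_commit: Optional[str]    # gitHead as recorded at publish time, if any

    @property
    def linked_to_source(self) -> bool:
        # Only the provenance attestation binds the tarball to a build of a
        # specific commit on a specific builder. A registry signature proves
        # the registry served this tarball; gitHead is an unverified claim.
        return self.slsa_provenance


def classify_version(version_doc: dict) -> ProvenanceStatus:
    """version_doc is packument["versions"][<version>] from the registry."""
    dist = version_doc.get("dist") or {}
    attestations = dist.get("attestations") or {}
    provenance = attestations.get("provenance") or {}
    has_slsa = provenance.get("predicateType") in SLSA_PREDICATES
    sigs = dist.get("signatures") or []
    has_sigs = any(isinstance(s, dict) and "keyid" in s and "sig" in s for s in sigs)
    return ProvenanceStatus(has_slsa, has_sigs, version_doc.get("gitHead"))


def describe(status: ProvenanceStatus) -> list:
    """Render the status in the same three-line form the dashboard uses."""
    return [
        "SLSA provenance" if status.slsa_provenance else "No SLSA provenance",
        "npm registry signatures" if status.registry_signatures else "No npm registry signatures",
        f"Source commit {status.source_commit}" if status.source_commit else "No source commit",
    ]


# Constructed sample: a version published from CI with `npm publish --provenance`.
WITH_PROVENANCE = {
    "name": "example-pkg", "version": "1.2.3",
    "gitHead": "0123456789abcdef0123456789abcdef01234567",
    "dist": {
        "tarball": "https://registry.npmjs.org/example-pkg/-/example-pkg-1.2.3.tgz",
        "signatures": [{"keyid": "SHA256:constructed-registry-keyid", "sig": "MEUCIQ...constructed"}],
        "attestations": {
            "url": "https://registry.npmjs.org/-/npm/v1/attestations/example-pkg@1.2.3",
            "provenance": {"predicateType": "https://slsa.dev/provenance/v1"},
        },
    },
}

# Constructed sample mirroring the dashboard's status for this package:
# registry-signed, but no attestation bundle and no gitHead.
WITHOUT_PROVENANCE = {
    "name": "@example-scope/ui", "version": "2.0.10",
    "dist": {
        "tarball": "https://registry.npmjs.org/@example-scope/ui/-/ui-2.0.10.tgz",
        "signatures": [{"keyid": "SHA256:constructed-registry-keyid", "sig": "MEQCIB...constructed"}],
    },
}

if __name__ == "__main__":
    for doc in (WITH_PROVENANCE, WITHOUT_PROVENANCE):
        status = classify_version(doc)
        print(doc["name"], doc["version"], "linked_to_source=%s" % status.linked_to_source)
        for line in describe(status):
            print("  -", line)
```

For an installed dependency tree rather than a single document, `npm audit signatures` performs the registry-signature and attestation verification against the public keys the registry publishes; the classification above is useful when you want to gate on the result in your own tooling or score packages you have not installed.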
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@types/md5 | AI (phantom-deps): Type-only package for md5 which is a direct dep; phantom detection is a false positive here. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-compose-refs | AI (phantom-deps): Radix internal dep used by convention; stable FP for this UI lib. | ai | |
| phantom-deps | phantom-dep:@codemirror/lang-javascript | AI (phantom-deps): CodeMirror language extension loaded by config; stable FP for this UI lib. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-collection | AI (phantom-deps): Radix internal dep used by convention; stable FP for this UI lib. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-context | AI (phantom-deps): Radix internal dep used by convention; stable FP for this UI lib. | ai | |
| phantom-deps | phantom-dep:@codemirror/language | AI (phantom-deps): CodeMirror extension loaded by convention/config; stable FP for this UI lib. | ai | |
| phantom-deps | phantom-dep:@codemirror/commands | AI (phantom-deps): CodeMirror extension loaded by convention/config; stable FP for this UI lib. | ai | |
| phantom-deps | phantom-dep:@codemirror/search | AI (phantom-deps): CodeMirror extension loaded by convention/config, not direct import; stable FP for this UI lib. | ai | |
| dependencies | unvetted-dep:y-codemirror.jh | AI (dependencies): Personal fork of y-codemirror by the same author (joelhooks/joel); consistent with collaborative editor use case in this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Scoped monorepo UI package; missing metadata is typical for internal/monorepo packages, not a spam indicator. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Monorepo scoped package; missing description is cosmetic, not a risk signal. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): Scoped package @coursebuilder/ui cannot typosquat qs; edit-distance match is spurious. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped package @coursebuilder/ui cannot typosquat pg; edit-distance match is spurious. | ai | |
| phantom-deps | phantom-dep:y-protocols | AI (phantom-deps): Collaborative editing dep; referenced transitively, stable false positive. | ai | |
| phantom-deps | phantom-dep:react-wrap-balancer | AI (phantom-deps): UI library pattern; referenced in config, stable false positive. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): Peer-style dep in UI library; not directly imported but legitimately declared. | ai | |
| phantom-deps | phantom-dep:date-fns | AI (phantom-deps): UI component library; deps used transitively or in config files are an expected pattern. | ai | |
| typosquat | typosquat.levenshtein:yup | AI (typosquat): Scoped package @coursebuilder/ui cannot typosquat yup; edit-distance match is spurious. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package @coursebuilder/ui cannot typosquat joi; edit-distance match is spurious. | ai | |
| phantom-deps | phantom-dep:y-prosemirror | AI (phantom-deps): Collaborative editing dep; referenced transitively, stable false positive. | ai | |
| typosquat | typosquat.levenshtein:uuid | AI (typosquat): Scoped package @coursebuilder/ui cannot typosquat uuid; edit-distance match is spurious. | ai |
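The five `typosquat.levenshtein` rows above all fire because the bare name `ui` is within two edits of short popular package names (`qs`, `pg`, `yup`, `joi`, `uuid`), while the reviewer's reason is that a scoped package lives in a different namespace and cannot shadow an unscoped one. The following added example (not the scanner's code) reproduces the naive comparison that produces those findings and contrasts it with a scope-aware rule that keeps the real risk, a squatted scope such as `@coursebulider/ui`, and drops the cross-namespace noise. The candidate list is taken from the table; the scope-aware rule and its length ratio are this example's own heuristic, not documented scanner behaviour.

```python
"""Levenshtein typosquat matching with and without npm scope awareness.
Added example; not the scanner's code.
"""
from typing import List, Optional, Tuple

POPULAR_FROM_TABLE = ["qs", "pg", "yup", "joi", "uuid"]   # names the findings compared against


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_scope(name: str) -> Tuple[Optional[str], str]:
    """'@scope/pkg' -> ('@scope', 'pkg'); 'pkg' -> (None, 'pkg')."""
    if name.startswith("@") and "/" in name:
        scope, _, bare = name.partition("/")
        return scope, bare
    return None, name


def naive_matches(name: str, targets: List[str], max_distance: int = 2) -> List[str]:
    """Compare only the unscoped part of the name against popular names.
    This is the rule that yields the spurious qs/pg/yup/joi/uuid findings."""
    _, bare = split_scope(name)
    return [t for t in targets if levenshtein(bare, t) <= max_distance]


def scope_aware_matches(name: str, targets: List[str], max_distance: int = 2) -> List[Tuple[str, int]]:
    """A package can only be mistaken for another in the same namespace:
    skip scoped-vs-unscoped pairs, compare the whole name, and discard matches
    where the edits are a large fraction of the target's length (two edits on a
    two-letter name is near-random, not a lookalike)."""
    scope, _ = split_scope(name)
    hits = []
    for t in targets:
        t_scope, _ = split_scope(t)
        if (scope is None) != (t_scope is None):
            continue                      # different namespace, cannot shadow
        d = levenshtein(name, t)
        if d == 0 or d > max_distance:
            continue
        if d * 3 > len(t):
            continue                      # heuristic: edits must be a small fraction of the name
        hits.append((t, d))
    return hits


if __name__ == "__main__":
    print("naive:      ", naive_matches("@coursebuilder/ui", POPULAR_FROM_TABLE))
    print("scope-aware:", scope_aware_matches("@coursebuilder/ui", POPULAR_FROM_TABLE))
    # Constructed lookalike scope: the case a scope-aware check must still catch.
    print("scope squat:", scope_aware_matches("@coursebulider/ui", ["@coursebuilder/ui"]))
    print("unscoped:   ", scope_aware_matches("requets", ["request"]))
```

The scope-aware rule still needs a list of scopes worth protecting (your own organisation's and those of packages you depend on); edit distance against the whole unscoped registry is what generates the accepted-risk rows above.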
Findings by version

| Version | Findings | Severity | Finding | Rule | Detail |
|---|---|---|---|---|---|
| v2.0.10 | 1 | LOW | No provenance attestation | provenance | Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v2.0.7 | 1 | LOW | No provenance attestation | provenance | Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v2.0.6 | 1 | LOW | No provenance attestation | provenance | Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |