@crystaldesign/diva-backoffice
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): @google/genai is Google's official GenAI SDK; legitimate feature addition for a backoffice UI library. | ai | |
| provenance | no-provenance | AI (provenance): Long-established publisher with consistent release cadence; no provenance is a known gap for this package family. | ai | |
| dependencies | unvetted-dep:@crystaldesign/diva-core | AI (dependencies): Internal crystaldesign ecosystem dep; consistent across all versions of this package. | ai | |
| dependencies | unvetted-dep:@crystaldesign/spreadsheet | AI (dependencies): Internal crystaldesign ecosystem dep; consistent across all versions of this package. | ai | |
| phantom-deps | phantom-dep:@crystaldesign/media-upload | AI (phantom-deps): Same-org sibling; likely re-exported or lazy-loaded. | ai | |
| phantom-deps | phantom-dep:react-infinite-scroll-component | AI (phantom-deps): Referenced in config; large UI lib with dynamic imports. | ai | |
| phantom-deps | phantom-dep:csv | AI (phantom-deps): Large UI library; deps referenced in config/re-exports, not direct imports. Stable FP pattern. | ai | |
| phantom-deps | phantom-dep:flat | AI (phantom-deps): Same as above — config-referenced dep, stable FP for this package. | ai | |
| phantom-deps | phantom-dep:uuid | AI (phantom-deps): Same as above — config-referenced dep, stable FP for this package. | ai | |
| phantom-deps | phantom-dep:jsonpath | AI (phantom-deps): Same as above — config-referenced dep, stable FP for this package. | ai | |
| phantom-deps | phantom-dep:fast-sort | AI (phantom-deps): Same as above — config-referenced dep, stable FP for this package. | ai | |
| phantom-deps | phantom-dep:object-hash | AI (phantom-deps): Same as above — config-referenced dep, stable FP for this package. | ai | |
| phantom-deps | phantom-dep:@babel/runtime | AI (phantom-deps): Framework-scoped, loaded by convention; stable FP for this package. | ai | |
| phantom-deps | phantom-dep:react-org-tree | AI (phantom-deps): Config-referenced dep, stable FP for this large UI library. | ai | |
| phantom-deps | phantom-dep:ag-charts-react | AI (phantom-deps): Config-referenced dep, stable FP for this large UI library. | ai | |
| phantom-deps | phantom-dep:fast-json-patch | AI (phantom-deps): Config-referenced dep, stable FP for this large UI library. | ai | |
| phantom-deps | phantom-dep:@ant-design/icons | AI (phantom-deps): Config-referenced dep, stable FP for this large UI library. | ai | |
| phantom-deps | phantom-dep:react-collapsible | AI (phantom-deps): Config-referenced dep, stable FP for this large UI library. | ai | |
| phantom-deps | phantom-dep:react-error-boundary | AI (phantom-deps): Config-referenced dep, stable FP for this large UI library. | ai | |
| phantom-deps | phantom-dep:react-zoom-pan-pinch | AI (phantom-deps): Config-referenced dep, stable FP for this large UI library. | ai | |
| phantom-deps | phantom-dep:@crystaldesign/diva-utils | AI (phantom-deps): Same-org dep, stable FP for this package. | ai | |
| phantom-deps | phantom-dep:@crystaldesign/rtf-editor | AI (phantom-deps): Same-org dep, stable FP for this package. | ai | |
| phantom-deps | phantom-dep:@crystaldesign/content-box | AI (phantom-deps): Same-org dep, stable FP for this package. | ai | |
| phantom-deps | phantom-dep:@crystaldesign/content-item | AI (phantom-deps): Same-org dep, stable FP for this package. | ai | |
| phantom-deps | phantom-dep:@google/model-viewer | AI (phantom-deps): Declared in package.json as runtime dep; phantom-dep heuristic false positive for config-referenced deps. | ai | |
| phantom-deps | phantom-dep:ag-charts-community | AI (phantom-deps): Declared in package.json as runtime dep; phantom-dep heuristic false positive for config-referenced deps. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Stable pattern for this private commercial package family. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Private commercial component library; missing metadata is consistent across all versions, not a malice indicator. | ai | |
Versions (showing 20 of 20)
| Version | Deps | Published |
|---|---|---|
| 26.5.0 | 32 / 8 | |
| 26.4.7 | 31 / 8 | |
| 26.4.5 | 31 / 8 | |
| 26.4.4 | 31 / 8 | |
| 26.4.3 | 31 / 8 | |
| 26.4.1 | 31 / 8 | |
| 26.4.0 | 31 / 8 | |
| 26.3.2 | 30 / 8 | |
| 26.2.0 | 30 / 8 | |
| 26.1.2 | 30 / 8 | |
| 26.1.1 | 30 / 8 | |
| 25.16.2 | 30 / 8 | |
| 25.16.1 | 30 / 8 | |
| 25.16.0 | 30 / 8 | |
| 25.14.2 | 30 / 8 | |
| 25.13.6 | 30 / 8 | |
| 25.13.5 | 30 / 8 | |
| 25.13.4 | 30 / 8 | |
| 25.13.3 | 30 / 8 | |
| 25.13.2 | 30 / 8 | |
v26.5.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.4.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.4.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.4.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.4.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.4.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v26.4.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.3.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.2.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.1.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.1.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v25.16.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v25.16.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v25.16.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v25.14.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v25.13.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v25.13.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v25.13.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v25.13.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v25.13.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.