@darajs/ui-causal-graph-editor
CausalGraph editor for the Dara UI framework
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Package transitioned to GitHub Actions CI publishing with SLSA attestation; consistent with org-wide CI/CD adoption. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Legitimate UI component library; sparse README/keywords are a style choice, not spam indicators. | ai | |
| dependencies | unvetted-dep:d3-dag | AI (dependencies): Legitimate D3 DAG layout library; stable dependency for a causal graph editor. | ai | |
| dependencies | unvetted-dep:vis-data | AI (dependencies): Legitimate vis.js data library; stable dependency for graph visualization. | ai | |
| phantom-deps | phantom-dep:graphology-layout-forceatlas2 | AI (phantom-deps): Graph layout lib consistent with package purpose; likely used indirectly via bundled output. | ai | |
| phantom-deps | phantom-dep:polished | AI (phantom-deps): Monorepo build artifact; deps referenced via bundler config, not direct imports. | ai | |
| phantom-deps | phantom-dep:vis-data | AI (phantom-deps): Monorepo build artifact; deps referenced via bundler config, not direct imports. | ai | |
| phantom-deps | phantom-dep:cytoscape | AI (phantom-deps): Monorepo build artifact; deps referenced via bundler config, not direct imports. | ai | |
| phantom-deps | phantom-dep:react-dnd | AI (phantom-deps): Monorepo build artifact; deps referenced via bundler config, not direct imports. | ai | |
| phantom-deps | phantom-dep:use-immer | AI (phantom-deps): Monorepo build artifact; deps referenced via bundler config, not direct imports. | ai | |
| phantom-deps | phantom-dep:graphology | AI (phantom-deps): Monorepo build artifact; deps referenced via bundler config, not direct imports. | ai | |
| phantom-deps | phantom-dep:vis-network | AI (phantom-deps): Monorepo build artifact; deps referenced via bundler config, not direct imports. | ai | |
| phantom-deps | phantom-dep:immer | AI (phantom-deps): Monorepo build artifact; deps referenced via bundler config, not direct imports. | ai | |
| phantom-deps | phantom-dep:svg-path-parser | AI (phantom-deps): Monorepo build artifact; deps referenced via bundler config, not direct imports. | ai | |
| phantom-deps | phantom-dep:@darajs/ui-icons | AI (phantom-deps): Same-org sibling package in causalens/dara monorepo. | ai | |
| phantom-deps | phantom-dep:@darajs/ui-utils | AI (phantom-deps): Same-org sibling package in causalens/dara monorepo. | ai | |
| phantom-deps | phantom-dep:fontfaceobserver | AI (phantom-deps): Monorepo build artifact; deps referenced via bundler config, not direct imports. | ai | |
| phantom-deps | phantom-dep:@darajs/ui-widgets | AI (phantom-deps): Same-org sibling package in causalens/dara monorepo. | ai | |
| phantom-deps | phantom-dep:react-dnd-html5-backend | AI (phantom-deps): Monorepo build artifact; deps referenced via bundler config, not direct imports. | ai | |
| phantom-deps | phantom-dep:graphology-layout-noverlap | AI (phantom-deps): Monorepo build artifact; deps referenced via bundler config, not direct imports. | ai | |
| phantom-deps | phantom-dep:graphology-dag | AI (phantom-deps): Monorepo build artifact; deps referenced via bundler config, not direct imports. | ai | |
| phantom-deps | phantom-dep:d3-dag | AI (phantom-deps): Monorepo build artifact; deps referenced via bundler config, not direct imports. | ai | |
| phantom-deps | phantom-dep:nanoid | AI (phantom-deps): Monorepo build artifact; deps referenced via bundler config, not direct imports. | ai | |
| phantom-deps | phantom-dep:comlink | AI (phantom-deps): Monorepo build artifact; deps referenced via bundler config, not direct imports. | ai | |
| phantom-deps | phantom-dep:d3-scale | AI (phantom-deps): Monorepo build artifact; deps referenced via bundler config, not direct imports. | ai | |
Versions (showing 41 of 41)
| Version | Deps | Published |
|---|---|---|
| 1.28.2 | 31 / 38 | |
| 1.28.1 | 31 / 38 | |
| 1.28.0 | 31 / 38 | |
| 1.27.1 | 31 / 38 | |
| 1.27.0 | 31 / 38 | |
| 1.26.13 | 31 / 38 | |
| 1.26.12 | 31 / 38 | |
| 1.26.11 | 31 / 39 | |
| 1.26.10 | 31 / 39 | |
| 1.26.9 | 31 / 39 | |
| 1.26.8 | 31 / 39 | |
| 1.26.7 | 31 / 39 | |
| 1.26.6 | 31 / 39 | |
| 1.21.25 | 31 / 39 | |
| 1.21.24 | 31 / 39 | |
| 1.21.23 | 31 / 39 | |
| 1.21.22 | 31 / 39 | |
| 1.21.21 | 31 / 39 | |
| 1.21.20 | 31 / 39 | |
| 1.21.19 | 31 / 39 | |
| 1.21.18 | 31 / 39 | |
| 1.21.17 | 31 / 39 | |
| 1.21.16 | 31 / 39 | |
| 1.21.15 | 31 / 39 | |
| 1.21.14 | 31 / 39 | |
| 1.21.13 | 31 / 39 | |
| 1.21.12 | 31 / 39 | |
| 1.21.11 | 31 / 39 | |
| 1.21.10 | 31 / 39 | |
| 1.21.9 | 31 / 39 | |
| 1.21.8 | 31 / 39 | |
| 1.21.7 | 31 / 39 | |
| 1.21.6 | 31 / 39 | |
| 1.21.5 | 31 / 39 | |
| 1.21.4 | 31 / 39 | |
| 1.21.3 | 31 / 39 | |
| 1.21.2 | 31 / 39 | |
| 1.21.1 | 31 / 39 | |
| 1.21.0 | 31 / 39 | |
| 1.20.3 | 31 / 39 | |
| 1.20.2 | 31 / 39 | |
v1.28.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.28.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.28.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.27.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.27.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.26.13
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.26.12
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.26.11
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.26.10
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.26.9
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.26.8
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.26.7
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.26.6
2 findings: This version was published by a different npm account than previous versions on 2026-03-16. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.21.25
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.24
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.23
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.22
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.21
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.20
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.19
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.18
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.17
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.16
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.15
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.14
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.13
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.12
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.11
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.10
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.9
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.20.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.