@databricks/appkit — Greenflagged

Build Databricks Apps faster with our brand-new Node.js + React SDK. Built for humans and AI.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

fjakobsstevenxu-dbchrisst44rhatert

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
maintainer-change	maintainer-removed	AI (maintainer-change): Databricks org package published via GitHub Actions CI; individual maintainer removal reflects CI-managed publishing, not a takeover.	ai	2026/06/06
phantom-deps	phantom-dep:@standard-schema/spec	AI (phantom-deps): Schema spec package likely used as a type-only/peer dependency; stable false positive for this package.	ai	2026/06/06
publish-pattern	new-deps-added	AI (publish-pattern): js-yaml and get-port are established, widely-used packages with no known malicious history.	ai	2026/05/26
dependencies	unvetted-dep:@databricks/sdk-experimental	AI (dependencies): First-party Databricks SDK package; stable dependency for this package family.	ai	2026/05/22
dependencies	unvetted-dep:@databricks/lakebase	AI (dependencies): First-party Databricks package; stable dependency for this package family.	ai	2026/05/22
install-scripts	install-script:postinstall	AI (install-scripts): Runs a local node script for CLI setup; no network fetch or shell exec; stable pattern for this package.	ai	2026/04/29
phantom-deps	phantom-dep:@types/semver	AI (phantom-deps): @types/semver is a type declaration package; not directly imported at runtime by convention.	ai	2026/04/29