@databricks/appkit-ui
Build Databricks Apps faster with our brand-new Node.js + React SDK. Built for humans and AI.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap. Note that the per-version findings below show attestations only for 0.19.1 and earlier; 0.30.1 and 0.38.0 were published without one, so accepted-risk reasons that cite SLSA provenance as covering the release do not hold for the current version.
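The registry records a provenance attestation per version, so the check a reviewer wants is not "does this package have provenance" but "did the latest version keep it". The script below is an added example (not code from this page or from Databricks) that reads an npm packument and flags versions newer than the last attested one that lack provenance; the packument is a constructed sample whose shape follows the registry's `dist.attestations` field, and its version list is assumed to mirror the findings above.

```python
"""Report which published versions of an npm package carry SLSA provenance
and flag a regression: newer versions without provenance after older
versions that had it. Added example; not the page's or Databricks' code."""
import re
from typing import Optional

SLSA_V1 = "https://slsa.dev/provenance/v1"
_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def _attested(version: str) -> dict:
    """Constructed version entry in the shape the registry uses for a
    version published with provenance (attestation URL is illustrative)."""
    return {"dist": {"attestations": {
        "url": f"https://registry.npmjs.org/-/npm/v1/attestations/@databricks%2fappkit-ui@{version}",
        "provenance": {"predicateType": SLSA_V1},
    }}}


# Constructed sample packument. The real document (GET https://registry.npmjs.org/<name>)
# has the same shape: versions published with provenance carry `dist.attestations`.
SAMPLE_PACKUMENT = {
    "name": "@databricks/appkit-ui",
    "dist-tags": {"latest": "0.38.0"},
    "versions": {
        "0.1.3": _attested("0.1.3"),
        "0.1.4": _attested("0.1.4"),
        "0.17.0": _attested("0.17.0"),
        "0.19.1": _attested("0.19.1"),
        "0.30.1": {"dist": {}},   # published without a Sigstore attestation
        "0.38.0": {"dist": {}},
    },
}


def parse_version(v: str) -> tuple[int, int, int]:
    """Strict major.minor.patch ordering; prerelease tags are out of scope here."""
    m = _SEMVER.match(v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def provenance_predicate(version_meta: dict) -> Optional[str]:
    """predicateType of the registry-recorded provenance, or None.
    Presence of the field only means npm recorded an attestation at publish
    time; it does not verify the attestation (see the note below)."""
    att = version_meta.get("dist", {}).get("attestations") or {}
    return (att.get("provenance") or {}).get("predicateType")


def provenance_report(packument: dict) -> list[tuple[str, Optional[str]]]:
    """(version, predicateType-or-None) for every version, oldest first."""
    versions = sorted(packument["versions"], key=parse_version)
    return [(v, provenance_predicate(packument["versions"][v])) for v in versions]


def provenance_regression(packument: dict) -> list[str]:
    """Versions newer than the newest attested version that lack SLSA v1
    provenance. Empty means every version is attested, none ever was, or
    the unattested versions all predate the first attested one."""
    report = provenance_report(packument)
    attested = [v for v, p in report if p == SLSA_V1]
    if not attested:
        return []
    newest_attested = parse_version(attested[-1])
    return [v for v, p in report
            if p != SLSA_V1 and parse_version(v) > newest_attested]


if __name__ == "__main__":
    for v, pred in provenance_report(SAMPLE_PACKUMENT):
        print(f"{v:>8}  {pred or 'NO PROVENANCE'}")
    regressed = provenance_regression(SAMPLE_PACKUMENT)
    if regressed:
        print("provenance regression:", ", ".join(regressed))
```

Against the sample this reports 0.30.1 and 0.38.0 as a regression. To run it on live data, fetch the packument from the registry and pass it in place of the sample. A recorded attestation is not a verified one: `npm audit signatures` checks the registry signatures and attestations of the packages in a lockfile, and the attestation bundle itself can be verified against Sigstore; the regression check above is a policy gate that should sit in front of that verification, not replace it.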
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | large-new-source-files | AI (source-diff): Large file count consistent with new CLI feature; SLSA provenance attestation covers the release. | ai | |
| phantom-deps | phantom-dep:@standard-schema/spec | AI (phantom-deps): Used as a type/spec dependency; not directly imported at runtime is expected for this package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Databricks org package published via GitHub Actions CI; maintainer changes reflect org management, not takeover. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps are established packages matching the addition of a CLI binary; SLSA provenance confirms CI/CD publish. | ai | |
| phantom-deps | phantom-dep:@hookform/resolvers | AI (phantom-deps): Declared as runtime dep for consumers; referenced in config/re-exports, stable false positive. | ai | |
| phantom-deps | phantom-dep:zod | AI (phantom-deps): Declared as runtime dep for consumers; referenced in config/re-exports, stable false positive. | ai | |
| phantom-deps | phantom-dep:date-fns | AI (phantom-deps): Declared as runtime dep for consumers; referenced in config/re-exports, stable false positive. | ai | |
| phantom-deps | phantom-dep:@tanstack/react-virtual | AI (phantom-deps): Declared as runtime dep for consumers; referenced in config/re-exports, stable false positive. | ai | |
| dependencies | unvetted-dep:@radix-ui/react-hover-card | AI (dependencies): Standard Radix UI primitive; stable false positive for this UI component library. | ai | |
| dependencies | unvetted-dep:@radix-ui/react-avatar | AI (dependencies): Standard Radix UI primitive; stable false positive for this UI component library. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Databricks official package; postinstall is a local node script with no network fetch or obfuscation indicators. | ai | |
| phantom-deps | phantom-dep:echarts | AI (phantom-deps): echarts is explicitly listed as a runtime dependency in package.json; phantom-dep is a false positive here. | ai | |
Versions (showing 6 of 6)
| Version | Deps | Published |
|---|---|---|
| 0.38.0 | 50 / 7 | |
| 0.30.1 | 50 / 7 | |
| 0.19.1 | 52 / 7 | |
| 0.17.0 | 52 / 7 | |
| 0.1.4 | 46 / 7 | |
| 0.1.3 | 46 / 7 | |
v0.38.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.30.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.19.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.17.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.