@digilogiclabs/saas-factory-ui
Cross-platform UI component library built for both Next.js web applications and React Native/Expo mobile applications
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): No material changes in diff; established UI library with 101 versions; dormancy consistent with slow-moving internal tooling. | ai | |
| source-diff | obfuscated-file:dist/index.d.mts | AI (source-diff): TypeScript declaration file generated by tsup; long lines are normal for bundled .d.ts output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/web/index.d.ts | AI (source-diff): TypeScript declaration file generated by tsup; long lines are normal for bundled .d.ts output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/index.d.ts | AI (source-diff): TypeScript declaration file generated by tsup; long lines are normal for bundled .d.ts output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/web/index.d.mts | AI (source-diff): TypeScript declaration file generated by tsup; long lines are normal for bundled .d.ts output, not obfuscation. | ai | |
| provenance | missing-githead | AI (provenance): Established package with 101 versions; missing gitHead in one release is low risk given clean diff and no other indicators. | ai | |
| phantom-deps | phantom-dep:@headlessui/react | AI (phantom-deps): UI component library pattern; @headlessui/react is a declared dependency used in component implementations. | ai | |
| phantom-deps | phantom-dep:@tailwindcss/forms | AI (phantom-deps): UI component library pattern; @tailwindcss/forms is a declared dependency used in component implementations. | ai | |
| phantom-deps | phantom-dep:@tiptap/starter-kit | AI (phantom-deps): UI component library pattern; @tiptap/starter-kit is a declared dependency used in component implementations. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-slot | AI (phantom-deps): UI component library pattern; @radix-ui/react-slot is a declared dependency used in component implementations. | ai | |
| phantom-deps | phantom-dep:@tiptap/extension-link | AI (phantom-deps): UI component library pattern; @tiptap/extension-link is a declared dependency used in component implementations. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-popover | AI (phantom-deps): UI component library pattern; @radix-ui/react-popover is a declared dependency used in component implementations. | ai | |
| phantom-deps | phantom-dep:@tiptap/extension-image | AI (phantom-deps): UI component library pattern; @tiptap/extension-image is a declared dependency used in component implementations. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-radio-group | AI (phantom-deps): UI component library pattern; @radix-ui/react-radio-group is a declared dependency used in component implementations. | ai | |
| phantom-deps | phantom-dep:@tiptap/extension-text-align | AI (phantom-deps): UI component library pattern; @tiptap/extension-text-align is a declared dependency used in component implementations. | ai | |
| phantom-deps | phantom-dep:cmdk | AI (phantom-deps): UI component library pattern; cmdk is a declared dependency used in component implementations. | ai | |
| phantom-deps | phantom-dep:immer | AI (phantom-deps): UI component library pattern; immer is a declared dependency used in component implementations. | ai | |
| phantom-deps | phantom-dep:date-fns | AI (phantom-deps): UI component library pattern; date-fns is a declared dependency used in component implementations. | ai | |
| phantom-deps | phantom-dep:lodash-es | AI (phantom-deps): UI component library pattern; lodash-es is a declared dependency used in component implementations. | ai | |
| phantom-deps | phantom-dep:tailwindcss | AI (phantom-deps): UI component library pattern; tailwindcss is a declared dependency used in component implementations. | ai | |
| phantom-deps | phantom-dep:react-scroll | AI (phantom-deps): UI component library pattern; react-scroll is a declared dependency used in component implementations. | ai | |
| phantom-deps | phantom-dep:@tiptap/react | AI (phantom-deps): UI component library pattern; @tiptap/react is a declared dependency used in component implementations. | ai | |
| provenance | no-provenance | AI (provenance): Established package with 101 versions and clear GitHub repo; lack of provenance is common and not a security risk here. | ai | |
| dependencies | unvetted-dep:react-scroll | AI (dependencies): react-scroll is a well-known React scrolling library; appropriate dependency for a UI component library. | ai | |
| dependencies | unvetted-dep:@radix-ui/react-avatar | AI (dependencies): @radix-ui/react-avatar is a well-known Radix UI primitive; standard dependency for a UI component library. | ai | |
| dependencies | unvetted-dep:@tailwindcss/forms | AI (dependencies): @tailwindcss/forms is an official Tailwind CSS plugin; appropriate for a Tailwind-based UI library. | ai | |
| dependencies | unvetted-dep:@radix-ui/react-dropdown-menu | AI (dependencies): @radix-ui/react-dropdown-menu is a well-known Radix UI primitive; standard dependency for a UI component library. | ai | |
| dependencies | unvetted-dep:@radix-ui/react-tooltip | AI (dependencies): @radix-ui/react-tooltip is a well-known Radix UI primitive; standard dependency for a UI component library. | ai | |
| dependencies | unvetted-dep:@radix-ui/react-select | AI (dependencies): @radix-ui/react-select is a well-known Radix UI primitive; standard dependency for a UI component library. | ai | |
| dependencies | unvetted-dep:@radix-ui/react-dialog | AI (dependencies): @radix-ui/react-dialog is a well-known Radix UI primitive; standard dependency for a UI component library. | ai | |
Versions (showing 29 of 29)
| Version | Deps | Published |
|---|---|---|
| 1.35.0 | 39 / 34 | |
| 1.34.1 | 39 / 34 | |
| 1.30.3 | 39 / 33 | |
| 1.30.0 | 39 / 33 | |
| 1.29.3 | 39 / 33 | |
| 1.28.1 | 39 / 33 | |
| 1.27.0 | 39 / 33 | |
| 1.26.0 | 39 / 33 | |
| 1.23.0 | 39 / 33 | |
| 1.18.2 | 39 / 33 | |
| 1.18.0 | 39 / 33 | |
| 1.17.0 | 39 / 33 | |
| 1.16.5 | 39 / 33 | |
| 1.16.3 | 39 / 33 | |
| 1.16.2 | 39 / 33 | |
| 1.16.0 | 39 / 33 | |
| 1.13.1 | 39 / 33 | |
| 1.12.0 | 39 / 33 | |
| 1.10.0 | 39 / 33 | |
| 1.6.2 | 39 / 33 | |
| 1.6.0 | 39 / 33 | |
| 1.5.1 | 39 / 33 | |
| 1.5.0 | 39 / 33 | |
| 1.4.0 | 39 / 33 | |
| 1.3.0 | 39 / 33 | |
| 1.2.0 | 39 / 33 | |
| 1.1.0 | 39 / 33 | |
| 1.0.1 | 39 / 30 | |
| 1.0.0 | 29 / 29 | |
v1.35.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.34.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.30.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.30.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.29.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.28.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.27.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.26.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.23.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.18.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.18.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.17.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.16.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.16.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.16.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.16.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.13.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.10.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.6.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.