← Home

@digital-realty/ix-widget

npm
7
Versions
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

dlr-pi-devopsnicholasnewlandsmarcha-dlralex-sommerville

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
dependencies unvetted-dep:markdown-it AI (dependencies): markdown-it is a well-known, widely-used library; stable false positive for this package. ai
provenance no-provenance AI (provenance): Established org package with 271 versions; no provenance is consistent across all releases. ai
phantom-deps phantom-dep:react AI (phantom-deps): Peer/re-export dep in a Lit+React wrapper library; config-only reference is expected. ai
phantom-deps phantom-dep:@lit/react AI (phantom-deps): Used in React wrapper export; config-only reference is expected for this library. ai
phantom-deps phantom-dep:@material/web AI (phantom-deps): UI component dep; config-only reference consistent with web component library pattern. ai
phantom-deps phantom-dep:@digital-realty/ix-dialog AI (phantom-deps): Same-org component dep; indirect usage via composition is expected. ai
phantom-deps phantom-dep:mobx-persist-store AI (phantom-deps): State persistence dep; config-only reference expected in this library. ai
phantom-deps phantom-dep:@digital-realty/ix-list AI (phantom-deps): Same-org component dep; indirect usage via composition is expected. ai
phantom-deps phantom-dep:@adobe/lit-mobx AI (phantom-deps): State management dep; config-only reference expected in this library. ai
phantom-deps phantom-dep:@digital-realty/ix-accordion AI (phantom-deps): Same-org component dep; indirect usage via composition is expected. ai

Versions (showing 7 of 7)

Version Deps Published
2.3.2 14 / 23
2.3.1 14 / 23
2.2.31 14 / 24
2.2.15 14 / 23
2.2.12 14 / 23
2.2.5 14 / 23
2.1.59 14 / 23

v2.3.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.2.31

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.2.15

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.2.12

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.2.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.1.59

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.