@djb25/digit-ui-module-commonpt

Digit PT Light weight Module

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

djb25

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:@djb25/digit-ui-react-components	AI (dependencies): Sibling scoped package from the same publisher namespace (@djb25); expected dependency for a modular UI library in this ecosystem.	ai	2026/04/27
dependencies	unvetted-dep:microbundle-crl	AI (dependencies): microbundle-crl is a build tool used only in build scripts; not a runtime risk for consumers of this package.	ai	2026/04/27
dependencies	unvetted-dep:react-query	AI (dependencies): react-query is a well-known, widely-used data-fetching library; unvetted status reflects pipeline gap, not a real risk for this package.	ai	2026/04/27
provenance	no-provenance	AI (provenance): No provenance is common (~88% of npm packages); no other indicators of supply chain compromise for this package.	ai	2026/04/26
phantom-deps	phantom-dep:react-dom	AI (phantom-deps): react-dom is declared as a dependency and referenced in config/build files; not a security concern for this UI module package.	ai	2026/04/25
phantom-deps	phantom-dep:microbundle-crl	AI (phantom-deps): microbundle-crl is a build tool referenced in scripts/config; phantom-dep finding is expected for build tooling.	ai	2026/04/25
phantom-deps	phantom-dep:lodash.merge	AI (phantom-deps): lodash.merge declared but used via config; standard packaging pattern, no security risk.	ai	2026/04/25