@dynatrace/strato-components
These reusable React components are the building blocks for Dynatrace. Use them in line with Strato's design foundations and patterns to create great Dynatrace experiences. See [About Strato](https://developer.dynatrace.com/design/about-strato-design-syst
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source it claims to be built from; the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:migrations/3.2.0/dt-app-migration.js | AI (source-diff): Explicitly declared migration factory in package.json; minified bundle is expected for this codemod. | ai | |
| source-diff | obfuscated-file:migrations/3.2.0/codeshift-migration.js | AI (source-diff): Bundled jscodeshift codemod; minified output is expected and declared in package.json dt.migrations. | ai | |
| source-diff | net-exec-file:migrations/3.2.0/codeshift-migration.js | AI (source-diff): False positive on bundled codemod; tslib/jscodeshift bundle pattern, not dropper malware. | ai | |
| dependencies | unvetted-dep:@dynatrace-sdk/segments-presets | AI (dependencies): First-party Dynatrace SDK package; consistent with this package's ecosystem and publisher identity. | ai | |
| phantom-deps | phantom-dep:@vanilla-extract/dynamic | AI (phantom-deps): Referenced in config files only; consistent with vanilla-extract build pattern for this package. | ai | |
| phantom-deps | phantom-dep:@dynatrace/devkit | AI (phantom-deps): Same org build tooling; stable false positive for this package. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): No material changes from prior approved version; established Dynatrace package with clean publisher history. | ai | |
| phantom-deps | phantom-dep:@vanilla-extract/css | AI (phantom-deps): vanilla-extract CSS-in-JS referenced in config; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:type-fest | AI (phantom-deps): Large UI component library; type-only deps referenced in config files are a stable false positive pattern. | ai | |
| phantom-deps | phantom-dep:@formatjs/icu-messageformat-parser | AI (phantom-deps): i18n parser referenced in config files; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@visx/brush | AI (phantom-deps): visx packages used in chart config/type files; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@visx/event | AI (phantom-deps): visx packages used in chart config/type files; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:d3-interpolate | AI (phantom-deps): d3 packages used in chart config/type files; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@dnd-kit/modifiers | AI (phantom-deps): dnd-kit packages referenced in config; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@dnd-kit/utilities | AI (phantom-deps): dnd-kit packages referenced in config; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:identity-obj-proxy | AI (phantom-deps): Test utility referenced in config files; stable false positive for this package. | ai | |
Versions (showing 19 of 19)
| Version | Deps | Published |
|---|---|---|
| 3.6.0 | 72 / 0 | |
| 3.5.0 | 72 / 0 | |
| 3.4.1 | 72 / 0 | |
| 3.4.0 | 72 / 0 | |
| 3.3.3 | 72 / 0 | |
| 3.3.2 | 72 / 0 | |
| 3.3.1 | 72 / 0 | |
| 3.3.0 | 72 / 0 | |
| 3.2.1 | 72 / 0 | |
| 3.2.0 | 72 / 0 | |
| 3.1.3 | 72 / 0 | |
| 1.18.0 | 11 / 0 | |
| 1.17.0 | 11 / 0 | |
| 1.16.1 | 11 / 0 | |
| 1.16.0 | 11 / 0 | |
| 1.15.0 | 11 / 0 | |
| 1.14.0 | 11 / 0 | |
| 1.13.0 | 11 / 0 | |
| 1.12.0 | 11 / 0 | |
v3.6.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.3.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.3.0
3 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.1
4 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.0
4 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.18.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.17.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.14.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.