← Home

@egovernments/digit-ui-react-components

npm
8
Versions
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

jagankumar-egovsathishp-egovswathi-egov

Keywords

digitegovdpgdigit-uireactcomponents

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
publish-pattern new-deps-added AI (publish-pattern): All 10 new deps are established, named libraries from known orgs; no suspicious packages. ai
maintainer-change maintainer-removed AI (maintainer-change): Organizational publisher rotation within eGov; new publisher shares same org domain and has clean track record. ai
publish-pattern dormant-publish AI (publish-pattern): Dormancy reflects org-level publishing pause, not account takeover; publisher is verified eGov org member. ai
dependencies unvetted-dep:@egovernments/digit-ui-svg-components AI (dependencies): First-party egovernments SVG components from the same publisher org. ai
dependencies unvetted-dep:@egovernments/digit-ui-components AI (dependencies): First-party egovernments package from the same publisher org. ai
dependencies unvetted-dep:json-schema-to-yup AI (dependencies): Legitimate schema-to-validation library; no known malicious history. ai
dependencies unvetted-dep:@cyntler/react-doc-viewer AI (dependencies): Well-known React document viewer component; no malicious indicators. ai
phantom-deps phantom-dep:ajv AI (phantom-deps): ajv is a declared runtime dep used via config/resolvers; phantom-dep heuristic is a false positive here. ai
phantom-deps phantom-dep:ajv-formats AI (phantom-deps): ajv-formats is a declared runtime dep; phantom-dep heuristic is a false positive here. ai
phantom-deps phantom-dep:ajv-errors AI (phantom-deps): ajv-errors is a declared runtime dep; phantom-dep heuristic is a false positive here. ai

Versions (showing 8 of 8)

Version Deps Published
1.9.3 14 / 17
1.9.2 14 / 17
1.9.0 15 / 17
1.8.24 15 / 17
1.8.23 15 / 17
1.8.22 15 / 17
1.8.21 15 / 17
1.7.40 5 / 16

v1.9.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.9.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.9.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.8.24

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.8.23

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.8.22

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.8.21

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.7.40

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.