@enso-ui/card
Composable Bulma card primitives for Enso UI.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:bulma | AI (dependencies): Bulma is a well-known CSS framework; stable peer dep for this UI component package. | ai | |
| dependencies | unvetted-dep:@enso-ui/dropdown-indicator | AI (dependencies): Same org scope (@enso-ui); expected sibling dependency for this component library. | ai | |
| phantom-deps | phantom-dep:vue | AI (phantom-deps): Vue is a peer dependency referenced in config; phantom-dep firing on peer deps is a stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:bulma | AI (phantom-deps): Bulma is a CSS framework referenced in config/build files; not directly imported in JS is expected for this package type. | ai | |
| phantom-deps | phantom-dep:@enso-ui/loader | AI (phantom-deps): Same-org component dependency; phantom-dep on same-scope packages is a stable false positive here. | ai | |
| phantom-deps | phantom-dep:@enso-ui/dropdown-indicator | AI (phantom-deps): Same-org component dependency; phantom-dep on same-scope packages is a stable false positive here. | ai | |
| phantom-deps | phantom-dep:@fortawesome/fontawesome-svg-core | AI (phantom-deps): Same as above — config-level usage in Vue component library. | ai | |
| phantom-deps | phantom-dep:@fortawesome/free-solid-svg-icons | AI (phantom-deps): Same as above — config-level usage in Vue component library. | ai | |
| phantom-deps | phantom-dep:@fortawesome/vue-fontawesome | AI (phantom-deps): Fontawesome deps declared for config/build use in Vue component library; not a real phantom dep. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): Scoped @enso-ui/card is a long-established Vue/Bulma UI component; Levenshtein match to 'cors' is coincidental. | ai |
Versions (showing 12 of 12)
| Version | Deps | Published |
|---|---|---|
| 4.1.1 | 3 / 5 | |
| 4.1.0 | 3 / 5 | |
| 4.0.9 | 3 / 5 | |
| 4.0.7 | 3 / 5 | |
| 4.0.5 | 3 / 5 | |
| 4.0.4 | 3 / 4 | |
| 4.0.3 | 3 / 4 | |
| 4.0.2 | 5 / 2 | |
| 4.0.1 | 7 / 0 | |
| 4.0.0 | 7 / 0 | |
| 3.1.1 | 7 / 9 | |
| 3.1.0 | 7 / 9 |
v4.1.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.9
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.1.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.