@esri/solutions-components
Web Components for Esri's Solutions Applications
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/cdn/2333JKXT.js | AI (source-diff): Esri-copyrighted minified CDN bundle; standard build artifact for this ArcGIS components package. | ai | |
| source-diff | obfuscated-file:dist/cdn/2XLDIKUR.js | AI (source-diff): Esri-copyrighted minified CDN bundle; standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/cdn/2SD4IYX3.js | AI (source-diff): Esri-copyrighted minified CDN bundle; standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/cdn/6SETGLTS.js | AI (source-diff): Esri ArcGIS SDK minified build output with copyright header; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cdn/6C4EHCSR.js | AI (source-diff): Esri ArcGIS SDK minified build output with copyright header; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cdn/6OSOUHQD.js | AI (source-diff): Esri ArcGIS SDK minified build output with copyright header; not obfuscation. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Major version bump (1.x to 5.0) with full ArcGIS SDK bundle; large file count expected. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): exifr is a well-known EXIF parsing library; addition is benign for a GIS components package. | ai | |
| source-diff | obfuscated-file:dist/cdn/5SJCOGIP.js | AI (source-diff): Esri ArcGIS SDK minified build output with copyright header; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cdn/64IG3VBM.js | AI (source-diff): Esri ArcGIS SDK minified build output with copyright header; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cdn/2GLDLUFW.js | AI (source-diff): Esri ArcGIS SDK minified build output with copyright header; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cdn/2IHQU2FX.js | AI (source-diff): Esri ArcGIS SDK minified build output with copyright header; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cdn/2KD4GOO2.js | AI (source-diff): Esri ArcGIS SDK minified i18n strings with copyright header; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cdn/36I27Q5R.js | AI (source-diff): Esri ArcGIS SDK minified build output with copyright header; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cdn/3ABQO2AZ.js | AI (source-diff): Esri ArcGIS SDK minified i18n strings with copyright header; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cdn/3JKE3JHG.js | AI (source-diff): Esri ArcGIS SDK minified i18n strings with copyright header; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cdn/46DQNAMV.js | AI (source-diff): Esri ArcGIS SDK minified Lit framework code with copyright header; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cdn/4SZGXI37.js | AI (source-diff): Esri ArcGIS SDK minified build output with copyright header; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cdn/57PXC3TO.js | AI (source-diff): Esri ArcGIS SDK minified build output with copyright header; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cdn/5NB56NVE.js | AI (source-diff): Esri ArcGIS SDK minified build output with copyright header; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cdn/5SDYG5ZM.js | AI (source-diff): Esri ArcGIS SDK minified build output with copyright header; not obfuscation. | ai | |
| bogus-package | bogus-package | AI (bogus-package): README links are legitimate documentation references for an Esri web components library; missing keywords is a minor metadata issue, not a security risk. | ai | |
| dependencies | unvetted-dep:exifr | AI (dependencies): exifr is a well-known EXIF metadata parsing library; legitimate dependency for image-handling components. | ai | |
| dependencies | unvetted-dep:@esri/solution-common | AI (dependencies): Official Esri package; expected dependency for this Esri solutions component library. | ai | |
| dependencies | unvetted-dep:@arcgis/app-components | AI (dependencies): Official Esri/ArcGIS package; expected dependency for this Esri solutions component library. | ai | |
| dependencies | unvetted-dep:@esri/arcgis-rest-types | AI (dependencies): Official Esri ArcGIS REST API types package; expected dependency for this Esri solutions component library. | ai | |
| dependencies | unvetted-dep:@esri/solution-deployer | AI (dependencies): Official Esri package; expected dependency for this Esri solutions component library. | ai | |
| dependencies | unvetted-dep:@arcgis/components-utils | AI (dependencies): Official Esri/ArcGIS package; expected dependency for this Esri solutions component library. | ai | |
| dependencies | unvetted-dep:@arcgis/common-components | AI (dependencies): Official Esri/ArcGIS package; expected dependency for this Esri solutions component library. | ai | |
| dependencies | unvetted-dep:@arcgis/analysis-components | AI (dependencies): Official Esri/ArcGIS package; expected dependency for this Esri solutions component library. | ai | |
| dependencies | unvetted-dep:@esri/arcgis-html-sanitizer | AI (dependencies): Official Esri HTML sanitizer package; expected dependency for this Esri solutions component library. | ai | |
| dependencies | unvetted-dep:@arcgis/analysis-shared-utils | AI (dependencies): Official Esri/ArcGIS package; expected dependency for this Esri solutions component library. | ai | |
| phantom-deps | phantom-dep:@emotion/css | AI (phantom-deps): Referenced in config files only; common pattern for build-time configuration in component libraries, not a security concern. | ai | |
| phantom-deps | phantom-dep:@arcgis/app-components | AI (phantom-deps): Referenced in config files only; Esri package used in build configuration, not a security concern. | ai | |
| phantom-deps | phantom-dep:@arcgis/components-utils | AI (phantom-deps): Referenced in config files only; Esri package used in build configuration, not a security concern. | ai | |
| phantom-deps | phantom-dep:@arcgis/common-components | AI (phantom-deps): Referenced in config files only; Esri package used in build configuration, not a security concern. | ai | |
| provenance | no-provenance | AI (provenance): Established Esri package with 769 versions and official GitHub repo; lack of Sigstore provenance is not a disqualifier for this well-known package. | ai | |
| dependencies | unvetted-dep:gojs | AI (dependencies): GoJS is a well-known diagramming library by Northwoods Software; legitimate dependency for solutions components. | ai | |
| dependencies | unvetted-dep:@arcgis/lumina | AI (dependencies): Official Esri/ArcGIS package; expected dependency for this Esri solutions component library. | ai | |
| dependencies | unvetted-dep:lit | AI (dependencies): lit is a well-known Google web components library; expected dependency for an ArcGIS web components package. | ai |
Versions (showing 8 of 8)
| Version | Deps | Published |
|---|---|---|
| 5.0.8 | 16 / 49 | |
| 5.0.6 | 16 / 49 | |
| 5.0.4 | 16 / 49 | |
| 5.0.3 | 16 / 49 | |
| 5.0.2 | 16 / 49 | |
| 5.0.1 | 16 / 49 | |
| 5.0.0 | 16 / 49 | |
| 1.1.5 | 15 / 50 |
v5.0.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.6
33 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.4
36 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.2
37 findingsThis version was published by a different npm account than previous versions on 2026-02-26. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.1
30 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.