@eui/deps-base-next — Greenflagged

eUI base default dependencies

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

ec.europa.euirambou

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:@eui/cli	AI (phantom-deps): Meta-package declaring deps for downstream consumers; no direct imports expected.	ai	2026/05/12
phantom-deps	phantom-dep:@eui/ecl	AI (phantom-deps): Meta-package declaring deps for downstream consumers; no direct imports expected.	ai	2026/05/12
phantom-deps	phantom-dep:@eui/base	AI (phantom-deps): Meta-package declaring deps for downstream consumers; no direct imports expected.	ai	2026/05/12
phantom-deps	phantom-dep:@eui/core	AI (phantom-deps): Meta-package declaring deps for downstream consumers; no direct imports expected.	ai	2026/05/12
phantom-deps	phantom-dep:@eui/styles	AI (phantom-deps): Meta-package declaring deps for downstream consumers; no direct imports expected.	ai	2026/05/12
phantom-deps	phantom-dep:@eui/components	AI (phantom-deps): Meta-package declaring deps for downstream consumers; no direct imports expected.	ai	2026/05/12
dependencies	unvetted-dep:quill	AI (dependencies): Dependency manifest package; all deps are intentionally declared for downstream consumers.	ai	2026/05/12
dependencies	unvetted-dep:xhr-mock	AI (dependencies): Dependency manifest package; all deps are intentionally declared for downstream consumers.	ai	2026/05/12
dependencies	unvetted-dep:karma-cli	AI (dependencies): Dependency manifest package; all deps are intentionally declared for downstream consumers.	ai	2026/05/12
dependencies	unvetted-dep:@eui/tools	AI (dependencies): Same org scope; dependency manifest package.	ai	2026/05/12
dependencies	unvetted-dep:handlebars	AI (dependencies): Dependency manifest package; all deps are intentionally declared for downstream consumers.	ai	2026/05/12
dependencies	unvetted-dep:classlist.js	AI (dependencies): Dependency manifest package; all deps are intentionally declared for downstream consumers.	ai	2026/05/12
dependencies	unvetted-dep:@types/pikaday	AI (dependencies): Dependency manifest package; all deps are intentionally declared for downstream consumers.	ai	2026/05/12
dependencies	unvetted-dep:jasmine-marbles	AI (dependencies): Dependency manifest package; all deps are intentionally declared for downstream consumers.	ai	2026/05/12
dependencies	unvetted-dep:@types/jasminewd2	AI (dependencies): Dependency manifest package; all deps are intentionally declared for downstream consumers.	ai	2026/05/12
dependencies	unvetted-dep:@compodoc/compodoc	AI (dependencies): Dependency manifest package; all deps are intentionally declared for downstream consumers.	ai	2026/05/12
dependencies	unvetted-dep:karma-remap-coverage	AI (dependencies): Dependency manifest package; all deps are intentionally declared for downstream consumers.	ai	2026/05/12
dependencies	unvetted-dep:jasmine-spec-reporter	AI (dependencies): Dependency manifest package; all deps are intentionally declared for downstream consumers.	ai	2026/05/12
dependencies	unvetted-dep:@compodoc/ngd-transformer	AI (dependencies): Dependency manifest package; all deps are intentionally declared for downstream consumers.	ai	2026/05/12
dependencies	unvetted-dep:karma-coverage-istanbul-reporter	AI (dependencies): Dependency manifest package; all deps are intentionally declared for downstream consumers.	ai	2026/05/12
provenance	no-provenance	AI (provenance): Established @eui org package with 597 versions; no provenance is consistent with all prior releases.	ai	2026/05/12

Versions (showing 20 of 20)

Version	Deps	Published
21.2.6	6 / 0	2026-06-03
21.2.5	6 / 0	2026-05-29
21.2.4	6 / 0	2026-04-27
21.2.3	6 / 0	2026-04-20
21.2.2	6 / 0	2026-04-01
21.2.1	6 / 0	2026-03-20
21.2.0	6 / 0	2026-03-13
21.1.1	6 / 0	2026-03-04
21.1.0	6 / 0	2026-03-02
21.0.4	6 / 0	2026-02-06
21.0.3	6 / 0	2026-01-21
21.0.2	6 / 0	2025-12-18
21.0.1	6 / 0	2025-12-11
19.3.15	91 / 0	2026-05-11
19.3.14	91 / 0	2026-04-01
19.3.12	91 / 0	2026-03-02
19.3.11	91 / 0	2026-01-14
19.3.10	91 / 0	2025-12-09
19.3.9	91 / 0	2025-11-30
19.3.8	91 / 0	2025-11-13

v21.2.6

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v21.2.5

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v21.2.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v21.2.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v21.2.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v21.2.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v21.2.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v21.1.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v21.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v21.0.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v21.0.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v21.0.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v21.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v19.3.15

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v19.3.14

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v19.3.12

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v19.3.11

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v19.3.10

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v19.3.9

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v19.3.8

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.