@evergis/uilib-gl
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:imask | AI (phantom-deps): Declared dependency; heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:bowser | AI (phantom-deps): Declared dependency; heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:scroll | AI (phantom-deps): Declared dependency; heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:date-fns | AI (phantom-deps): Declared dependency; heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:find-and | AI (phantom-deps): Declared dependency; heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:platform | AI (phantom-deps): Declared dependency; heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:polished | AI (phantom-deps): Declared dependency; heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:cleave.js | AI (phantom-deps): Declared dependency; heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:deepmerge | AI (phantom-deps): Declared dependency; heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:lodash-es | AI (phantom-deps): Declared dependency; heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:react-imask | AI (phantom-deps): Declared dependency; heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:react-window | AI (phantom-deps): Declared dependency; heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:@tippyjs/react | AI (phantom-deps): Declared dependency; heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:vanilla-picker | AI (phantom-deps): Declared dependency; heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:regenerator-runtime | AI (phantom-deps): Known implicit runtime dependency; stable for this package. | ai | |
| phantom-deps | phantom-dep:autosuggest-highlight | AI (phantom-deps): Declared dependency; heuristic false positive for this package. | ai | |
Versions (showing 23 of 23)
| Version | Deps | Published |
|---|---|---|
| 1.0.114 | 24 / 57 | |
| 1.0.113 | 24 / 57 | |
| 1.0.112 | 24 / 52 | |
| 1.0.111 | 24 / 52 | |
| 1.0.109 | 24 / 52 | |
| 1.0.108 | 24 / 52 | |
| 1.0.107 | 24 / 52 | |
| 1.0.106 | 24 / 52 | |
| 1.0.105 | 24 / 52 | |
| 1.0.104 | 24 / 52 | |
| 1.0.103 | 24 / 52 | |
| 1.0.102 | 24 / 52 | |
| 1.0.101 | 24 / 52 | |
| 1.0.100 | 24 / 52 | |
| 1.0.99 | 24 / 52 | |
| 1.0.98 | 24 / 52 | |
| 1.0.97 | 24 / 52 | |
| 1.0.96 | 24 / 52 | |
| 1.0.95 | 24 / 52 | |
| 1.0.94 | 24 / 52 | |
| 1.0.93 | 24 / 52 | |
| 1.0.92 | 24 / 52 | |
| 1.0.91 | 24 / 52 | |
v1.0.114
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.113
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.112
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.111
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.109
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (alexanderbom) than the most recent previously approved version (arfeo) on 2026-05-25, but alexanderbom is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.0.108
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.107
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.106
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (alexanderbom) than the most recent previously approved version (arfeo) on 2026-05-21, but alexanderbom is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.0.105
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.104
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.103
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.102
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.101
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.100
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.99
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.98
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.97
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.96
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.95
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.94
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.93
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.92
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.91
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.