@excalidraw/excalidraw

Versions: 1
License: —
Install Scripts: No
Provenance: Missing

Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers: dwellemaielo
Keywords: excalidraw, excalidraw-embed, react, npm, npm excalidraw
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:pica | AI (dependencies): pica is a well-known image resizing library; legitimate dependency for Excalidraw's image handling. | ai | |
| dependencies | unvetted-dep:jotai | AI (dependencies): jotai is a popular, well-maintained React state management library; legitimate dependency. | ai | |
| dependencies | unvetted-dep:pwacompat | AI (dependencies): pwacompat is a Google-authored PWA compatibility library; legitimate dependency. | ai | |
| dependencies | unvetted-dep:open-color | AI (dependencies): open-color is a well-known color palette library; legitimate dependency. | ai | |
| dependencies | unvetted-dep:jotai-scope | AI (dependencies): jotai-scope is an official jotai extension; legitimate dependency. | ai | |
| dependencies | unvetted-dep:png-chunk-text | AI (dependencies): png-chunk-text is a small PNG metadata utility; legitimate dependency for Excalidraw's file format support. | ai | |
| dependencies | unvetted-dep:perfect-freehand | AI (dependencies): perfect-freehand is a well-known freehand drawing library by Steve Ruiz; core drawing dependency. | ai | |
| dependencies | unvetted-dep:browser-fs-access | AI (dependencies): browser-fs-access is a Google Chrome Labs library for File System Access API; legitimate dependency. | ai | |
| dependencies | unvetted-dep:image-blob-reduce | AI (dependencies): image-blob-reduce is a well-known image resizing utility; legitimate dependency. | ai | |
| dependencies | unvetted-dep:png-chunks-encode | AI (dependencies): png-chunks-encode is a small PNG utility; legitimate dependency for Excalidraw's file format support. | ai | |
| dependencies | unvetted-dep:fractional-indexing | AI (dependencies): fractional-indexing is a well-known ordering algorithm library; legitimate dependency. | ai | |
| dependencies | unvetted-dep:@radix-ui/react-tabs | AI (dependencies): @radix-ui is a widely-used, well-maintained UI primitives library; legitimate dependency. | ai | |
| dependencies | unvetted-dep:@excalidraw/laser-pointer | AI (dependencies): First-party @excalidraw scoped package; legitimate internal dependency. | ai | |
| dependencies | unvetted-dep:canvas-roundrect-polyfill | AI (dependencies): canvas-roundrect-polyfill is a small canvas API polyfill; legitimate dependency. | ai | |
| dependencies | unvetted-dep:@excalidraw/random-username | AI (dependencies): First-party @excalidraw scoped package; legitimate internal dependency. | ai | |
| dependencies | unvetted-dep:@excalidraw/mermaid-to-excalidraw | AI (dependencies): First-party @excalidraw scoped package for Mermaid diagram import; legitimate internal dependency. | ai | |
| phantom-deps | phantom-dep:sass | AI (phantom-deps): sass is a build-time CSS preprocessor referenced in build config; normal for a bundled library. | ai | |
| phantom-deps | phantom-dep:cross-env | AI (phantom-deps): cross-env is a build tool for cross-platform env vars; normal phantom dep for build scripts. | ai | |
| phantom-deps | phantom-dep:pwacompat | AI (phantom-deps): pwacompat is referenced in config/HTML but not directly imported in JS; normal for a PWA asset. | ai | |
| phantom-deps | phantom-dep:@excalidraw/random-username | AI (phantom-deps): First-party @excalidraw package; phantom dep finding is a false positive for same-org scoped packages. | ai | |
Versions (showing 1 of 1)
| Version | Deps | Published |
|---|---|---|
| 0.18.1 | 31 / 20 | |
v0.18.1: 1 finding
LOW: No provenance attestation (rule: provenance)
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.