@finos/legend-art
Legend shared visual components and component utilities
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:react-reflex | AI (dependencies): react-reflex is a standard React layout component; no malware indicators. | ai | |
| dependencies | unvetted-dep:@fontsource/ubuntu-mono | AI (dependencies): Fontsource packages are well-known font distribution libraries; no risk. | ai | |
| dependencies | unvetted-dep:@fontsource/roboto-serif | AI (dependencies): Fontsource packages are well-known font distribution libraries; no risk. | ai | |
| phantom-deps | phantom-dep:@fontsource/roboto | AI (phantom-deps): Font packages are CSS-only side-effect imports; not directly imported in JS. | ai | |
| phantom-deps | phantom-dep:@fontsource/raleway | AI (phantom-deps): Font packages are CSS-only side-effect imports; not directly imported in JS. | ai | |
| phantom-deps | phantom-dep:@types/react-window | AI (phantom-deps): Type-only package; stable false positive for this UI library. | ai | |
| phantom-deps | phantom-dep:@fontsource/roboto-mono | AI (phantom-deps): Font packages are CSS-only side-effect imports. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): UI component library; react-dom is a peer/framework dep loaded by convention, not directly imported. | ai | |
| phantom-deps | phantom-dep:@fontsource/roboto-serif | AI (phantom-deps): Font packages are CSS-only side-effect imports. | ai | |
| phantom-deps | phantom-dep:@fontsource/jetbrains-mono | AI (phantom-deps): Font packages are CSS-only side-effect imports. | ai | |
| phantom-deps | phantom-dep:@fontsource/roboto-condensed | AI (phantom-deps): Font packages are CSS-only side-effect imports. | ai | |
| phantom-deps | phantom-dep:@fontsource/ubuntu-mono | AI (phantom-deps): Font packages are CSS-only side-effect imports. | ai | |
| phantom-deps | phantom-dep:@types/react | AI (phantom-deps): Type-only package loaded by convention in TS projects; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@emotion/styled | AI (phantom-deps): MUI/emotion styling dep referenced in config; expected for a UI component library. | ai | |
Versions (showing 43 of 43)
| Version | Deps | Published |
|---|---|---|
| 7.1.152 | 35 / 10 | |
| 7.1.151 | 35 / 10 | |
| 7.1.150 | 35 / 10 | |
| 7.1.149 | 35 / 10 | |
| 7.1.148 | 35 / 10 | |
| 7.1.147 | 35 / 10 | |
| 7.1.146 | 35 / 10 | |
| 7.1.129 | 35 / 10 | |
| 7.1.128 | 35 / 10 | |
| 7.1.127 | 35 / 10 | |
| 7.1.126 | 35 / 10 | |
| 7.1.125 | 35 / 10 | |
| 7.1.124 | 35 / 10 | |
| 7.1.123 | 35 / 10 | |
| 7.1.122 | 35 / 10 | |
| 7.1.121 | 35 / 10 | |
| 7.1.120 | 35 / 10 | |
| 7.1.119 | 35 / 10 | |
| 7.1.118 | 35 / 10 | |
| 7.1.117 | 35 / 10 | |
| 7.1.116 | 35 / 10 | |
| 7.1.115 | 35 / 10 | |
| 7.1.114 | 35 / 10 | |
| 7.1.113 | 35 / 10 | |
| 7.1.112 | 35 / 10 | |
| 7.1.111 | 35 / 10 | |
| 7.1.110 | 35 / 10 | |
| 7.1.109 | 35 / 10 | |
| 7.1.108 | 35 / 10 | |
| 7.1.107 | 35 / 10 | |
| 7.1.106 | 35 / 10 | |
| 7.1.105 | 35 / 10 | |
| 7.1.104 | 35 / 10 | |
| 7.1.103 | 35 / 10 | |
| 7.1.102 | 35 / 10 | |
| 7.1.101 | 35 / 10 | |
| 7.1.100 | 35 / 10 | |
| 7.1.99 | 35 / 10 | |
| 7.1.98 | 35 / 10 | |
| 7.1.97 | 35 / 10 | |
| 7.1.96 | 35 / 10 | |
| 7.1.95 | 35 / 10 | |
| 7.1.94 | 35 / 10 | |
v7.1.152
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.151
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.150
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.149
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.148
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.146
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.1.129
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.1.128
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.127
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.126
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.125
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.124
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.123
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.122
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.121
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.120
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.119
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.118
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.117
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.116
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.115
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.114
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.113
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.112
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.111
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.110
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.109
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.108
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.107
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.106
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.105
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.104
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.103
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.102
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.101
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.100
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.1.99
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.1.98
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.1.97
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.1.96
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.1.95
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.1.94
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.