@floating-ui/dom
Floating UI for the web
51
Versions
MIT
License
No
Install Scripts
Verified
Provenance
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
No source commit
Maintainers
fezvrastaatomiks
Keywords
tooltippopoverdropdownmenupopuppositioning
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| typosquat | typosquat.levenshtein:zod | AI (typosquat): @floating-ui/dom is a legitimate, well-known scoped package with no resemblance to 'zod'; Levenshtein match is a false positive for this package. | ai | |
| typosquat | typosquat.levenshtein:got | AI (typosquat): @floating-ui/dom is a legitimate, well-known scoped package with no resemblance to 'got'; Levenshtein match is a false positive for this package. | ai | |
| typosquat | typosquat.levenshtein:jsdom | AI (typosquat): @floating-ui/dom is a legitimate, well-known scoped package with no resemblance to 'jsdom'; Levenshtein match is a false positive for this package. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): @floating-ui/dom is a legitimate, well-known scoped package with no resemblance to 'joi'; Levenshtein match is a false positive for this package. | ai | |
| typosquat | typosquat.levenshtein:koa | AI (typosquat): @floating-ui/dom is a legitimate, well-known scoped package with no resemblance to 'koa'; Levenshtein match is a false positive for this package. | ai | |
| provenance | no-provenance | AI (provenance): Established package by long-standing trusted publisher; lack of Sigstore attestation is a best-practice gap, not a security risk for this package. | ai | |
| provenance | slsa-provenance | AI (provenance): SLSA provenance attestation confirms legitimate CI-published release from the official floating-ui/floating-ui repository. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher changed from atomiks to GitHub Actions as part of a legitimate CI/CD publishing workflow, confirmed by SLSA provenance attestation. This is a security improvement, not a risk. | ai |
Versions (showing 51 of 82)
| Version | Deps | Published |
|---|---|---|
| 1.8.0 | 2 / 7 | |
| 1.7.6 | 2 / 7 | |
| 1.7.5 | 2 / 7 | |
| 1.7.4 | 2 / 7 | |
| 1.7.3 | 2 / 7 | |
| 1.7.2 | 2 / 7 | |
| 1.7.1 | 2 / 7 | |
| 1.7.0 | 2 / 7 | |
| 1.6.13 | 2 / 7 | |
| 1.6.12 | 2 / 7 | |
| 1.6.11 | 2 / 7 | |
| 1.6.10 | 2 / 7 | |
| 1.6.9 | 2 / 7 | |
| 1.6.8 | 2 / 7 | |
| 1.6.7 | 2 / 7 | |
| 1.6.6 | 2 / 7 | |
| 1.6.5 | 2 / 7 | |
| 1.6.4 | 2 / 7 | |
| 1.6.3 | 2 / 7 | |
| 1.6.1 | 2 / 7 | |
| 1.5.3 | 2 / 4 | |
| 1.5.2 | 2 / 4 | |
| 1.5.1 | 2 / 4 | |
| 1.5.0 | 2 / 4 | |
| 1.4.5 | 1 / 4 | |
| 1.4.4 | 1 / 4 | |
| 1.4.3 | 1 / 4 | |
| 1.4.2 | 1 / 4 | |
| 1.4.1 | 1 / 4 | |
| 1.4.0 | 1 / 4 | |
| 1.3.0 | 1 / 4 | |
| 1.2.9 | 1 / 4 | |
| 1.2.8 | 1 / 4 | |
| 1.2.7 | 1 / 4 | |
| 1.2.6 | 1 / 4 | |
| 1.2.5 | 1 / 4 | |
| 1.2.4 | 1 / 4 | |
| 1.2.3 | 1 / 4 | |
| 1.2.2 | 1 / 4 | |
| 1.2.1 | 1 / 7 | |
| 1.2.0 | 1 / 7 | |
| 1.1.1 | 1 / 7 | |
| 1.1.0 | 1 / 7 | |
| 1.0.12 | 1 / 15 | |
| 1.0.11 | 1 / 15 | |
| 1.0.10 | 1 / 15 | |
| 1.0.9 | 1 / 15 | |
| 1.0.8 | 1 / 15 | |
| 1.0.7 | 1 / 15 | |
| 1.0.6 | 1 / 15 | |
| 1.0.5 | 1 / 15 |
v1.8.0
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.