@fluentui/react-menu
Fluent UI menu component
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| bogus-package | bogus-package | AI (bogus-package): Fluent UI component packages document via external docs/Storybook; short README and no keywords are expected for this ecosystem, not spam indicators. | ai | |
| provenance | no-provenance | AI (provenance): Established Microsoft Fluent UI package; lack of Sigstore provenance is common and not a risk signal for this well-known publisher. | ai | |
| dependencies | unvetted-dep:@griffel/react | AI (dependencies): Griffel is Microsoft's CSS-in-JS library, part of the Fluent UI ecosystem. Unvetted status reflects pipeline gap, not real risk. | ai | |
| dependencies | unvetted-dep:@fluentui/react-aria | AI (dependencies): First-party Fluent UI sibling package from Microsoft; unvetted status is a pipeline gap. | ai | |
| dependencies | unvetted-dep:@fluentui/react-icons | AI (dependencies): First-party Fluent UI sibling package from Microsoft; unvetted status is a pipeline gap. | ai | |
| dependencies | unvetted-dep:@fluentui/react-theme | AI (dependencies): First-party Fluent UI sibling package from Microsoft; unvetted status is a pipeline gap. | ai | |
| dependencies | unvetted-dep:@fluentui/react-motion | AI (dependencies): First-party Fluent UI sibling package from Microsoft; unvetted status is a pipeline gap. | ai | |
| dependencies | unvetted-dep:@fluentui/react-portal | AI (dependencies): First-party Fluent UI sibling package from Microsoft; unvetted status is a pipeline gap. | ai | |
| dependencies | unvetted-dep:@fluentui/keyboard-keys | AI (dependencies): First-party Fluent UI sibling package from Microsoft; unvetted status is a pipeline gap. | ai | |
| dependencies | unvetted-dep:@fluentui/react-tabster | AI (dependencies): First-party Fluent UI sibling package from Microsoft; unvetted status is a pipeline gap. | ai | |
| dependencies | unvetted-dep:@fluentui/react-utilities | AI (dependencies): First-party Fluent UI sibling package from Microsoft; unvetted status is a pipeline gap. | ai | |
| dependencies | unvetted-dep:@fluentui/react-jsx-runtime | AI (dependencies): First-party Fluent UI sibling package from Microsoft; unvetted status is a pipeline gap. | ai | |
| dependencies | unvetted-dep:@fluentui/react-positioning | AI (dependencies): First-party Fluent UI sibling package from Microsoft; unvetted status is a pipeline gap. | ai | |
| dependencies | unvetted-dep:@fluentui/react-shared-contexts | AI (dependencies): First-party Fluent UI sibling package from Microsoft; unvetted status is a pipeline gap. | ai | |
| dependencies | unvetted-dep:@fluentui/react-context-selector | AI (dependencies): First-party Fluent UI sibling package from Microsoft; unvetted status is a pipeline gap. | ai | |
| dependencies | unvetted-dep:@fluentui/react-motion-components-preview | AI (dependencies): First-party Fluent UI sibling package from Microsoft; unvetted status is a pipeline gap. | ai | |
Versions (showing 34 of 34)
| Version | Deps | Published |
|---|---|---|
| 9.25.0 | 15 / 0 | |
| 9.24.1 | 15 / 0 | |
| 9.24.0 | 15 / 0 | |
| 9.23.1 | 15 / 0 | |
| 9.23.0 | 15 / 0 | |
| 9.22.0 | 15 / 0 | |
| 9.21.2 | 13 / 0 | |
| 9.21.1 | 13 / 0 | |
| 9.21.0 | 13 / 0 | |
| 9.20.6 | 13 / 6 | |
| 9.20.5 | 13 / 6 | |
| 9.20.4 | 13 / 6 | |
| 9.20.3 | 13 / 6 | |
| 9.20.2 | 13 / 6 | |
| 9.20.1 | 13 / 6 | |
| 9.20.0 | 13 / 6 | |
| 9.19.6 | 13 / 6 | |
| 9.19.5 | 13 / 6 | |
| 9.19.4 | 13 / 6 | |
| 9.19.3 | 13 / 6 | |
| 9.19.2 | 13 / 6 | |
| 9.19.1 | 13 / 6 | |
| 9.19.0 | 13 / 6 | |
| 9.18.0 | 13 / 6 | |
| 9.17.6 | 13 / 6 | |
| 9.17.5 | 13 / 6 | |
| 9.17.4 | 13 / 6 | |
| 9.17.3 | 13 / 6 | |
| 9.17.2 | 13 / 6 | |
| 9.17.1 | 13 / 6 | |
| 9.17.0 | 13 / 6 | |
| 9.16.9 | 13 / 6 | |
| 9.16.8 | 13 / 6 | |
| 9.16.7 | 13 / 6 | |
v9.25.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.24.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.24.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.23.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.23.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.22.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.21.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.21.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.21.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.20.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.20.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.20.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.20.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.20.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.20.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.20.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.19.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.19.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.19.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.19.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.19.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.19.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.19.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.18.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.17.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.17.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.17.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.17.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.17.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.17.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.17.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.16.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.16.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.16.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.