@fluentui/react-tree — Greenflagged

Tree component for Fluent UI React

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

chrisdholtmiroslavstastnylevithomasonuifabricteamuifrnbotlayershifterjustslonemicrosoft1essopranopillow

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:@griffel/react	AI (dependencies): @griffel/react is the official CSS-in-JS engine for Fluent UI, maintained by Microsoft. Legitimate dependency for all @fluentui/* packages.	ai	2026/04/25
dependencies	unvetted-dep:@fluentui/react-aria	AI (dependencies): First-party @fluentui/* package from Microsoft's Fluent UI monorepo. Legitimate dependency.	ai	2026/04/25
dependencies	unvetted-dep:@fluentui/react-icons	AI (dependencies): First-party @fluentui/* package from Microsoft's Fluent UI monorepo. Legitimate dependency.	ai	2026/04/25
dependencies	unvetted-dep:@fluentui/react-radio	AI (dependencies): First-party @fluentui/* package from Microsoft's Fluent UI monorepo. Legitimate dependency.	ai	2026/04/25
dependencies	unvetted-dep:@fluentui/react-theme	AI (dependencies): First-party @fluentui/* package from Microsoft's Fluent UI monorepo. Legitimate dependency.	ai	2026/04/25
dependencies	unvetted-dep:@fluentui/react-avatar	AI (dependencies): First-party @fluentui/* package from Microsoft's Fluent UI monorepo. Legitimate dependency.	ai	2026/04/25
dependencies	unvetted-dep:@fluentui/react-button	AI (dependencies): First-party @fluentui/* package from Microsoft's Fluent UI monorepo. Legitimate dependency.	ai	2026/04/25
dependencies	unvetted-dep:@fluentui/react-motion	AI (dependencies): First-party @fluentui/* package from Microsoft's Fluent UI monorepo. Legitimate dependency.	ai	2026/04/25
dependencies	unvetted-dep:@fluentui/keyboard-keys	AI (dependencies): First-party @fluentui/* package from Microsoft's Fluent UI monorepo. Legitimate dependency.	ai	2026/04/25
dependencies	unvetted-dep:@fluentui/react-tabster	AI (dependencies): First-party @fluentui/* package from Microsoft's Fluent UI monorepo. Legitimate dependency.	ai	2026/04/25
dependencies	unvetted-dep:@fluentui/react-checkbox	AI (dependencies): First-party @fluentui/* package from Microsoft's Fluent UI monorepo. Legitimate dependency.	ai	2026/04/25
dependencies	unvetted-dep:@fluentui/react-utilities	AI (dependencies): First-party @fluentui/* package from Microsoft's Fluent UI monorepo. Legitimate dependency.	ai	2026/04/25
dependencies	unvetted-dep:@fluentui/react-jsx-runtime	AI (dependencies): First-party @fluentui/* package from Microsoft's Fluent UI monorepo. Legitimate dependency.	ai	2026/04/25
dependencies	unvetted-dep:@fluentui/react-shared-contexts	AI (dependencies): First-party @fluentui/* package from Microsoft's Fluent UI monorepo. Legitimate dependency.	ai	2026/04/25
dependencies	unvetted-dep:@fluentui/react-context-selector	AI (dependencies): First-party @fluentui/* package from Microsoft's Fluent UI monorepo. Legitimate dependency.	ai	2026/04/25
dependencies	unvetted-dep:@fluentui/react-motion-components-preview	AI (dependencies): First-party @fluentui/* package from Microsoft's Fluent UI monorepo. Legitimate dependency.	ai	2026/04/25
phantom-deps	phantom-dep:@fluentui/react-aria	AI (phantom-deps): Same org scope; common in monorepo packages where transitive usage patterns differ from direct imports. Not a risk.	ai	2026/04/25
bogus-package	bogus-package	AI (bogus-package): Large monorepo component packages often lack standalone README code blocks and keywords; not indicative of spam for established Microsoft Fluent UI packages.	ai	2026/04/25