@forge/react
Forge React reconciler
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@atlaskit/forge-react-types | AI (dependencies): Atlassian-scoped dependency consistent with this Atlassian Forge React package; stable across versions. | ai | |
| phantom-deps | phantom-dep:@types/react | AI (phantom-deps): Type-only dep; loaded by convention in TS projects, not directly imported. | ai | |
| phantom-deps | phantom-dep:@forge/egress | AI (phantom-deps): Same-org Forge package; may be used transitively or conditionally. | ai | |
| phantom-deps | phantom-dep:react-test-renderer | AI (phantom-deps): Referenced in config/test setup files, not direct imports — stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@types/react-reconciler | AI (phantom-deps): Type-only dep loaded by convention in TS reconciler projects. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Internal Atlassian SDK; no public README/keywords expected for org-internal distribution. | ai |
Versions (showing 29 of 29)
| Version | Deps | Published |
|---|---|---|
| 11.16.1 | 14 / 3 | |
| 11.16.0 | 14 / 3 | |
| 11.15.0 | 14 / 3 | |
| 11.14.1 | 14 / 3 | |
| 11.14.0 | 14 / 3 | |
| 11.13.1 | 14 / 3 | |
| 11.13.0 | 14 / 3 | |
| 11.12.0 | 14 / 3 | |
| 11.11.0 | 14 / 3 | |
| 11.10.0 | 14 / 3 | |
| 11.9.1 | 14 / 3 | |
| 11.9.0 | 14 / 3 | |
| 11.8.2 | 14 / 3 | |
| 11.8.1 | 14 / 3 | |
| 11.8.0 | 14 / 3 | |
| 11.7.0 | 14 / 3 | |
| 11.6.0 | 14 / 3 | |
| 11.5.0 | 14 / 3 | |
| 11.4.0 | 13 / 3 | |
| 11.3.0 | 13 / 3 | |
| 11.2.9 | 13 / 3 | |
| 11.2.8 | 13 / 3 | |
| 11.2.7 | 13 / 3 | |
| 11.2.6 | 13 / 3 | |
| 11.2.5 | 12 / 3 | |
| 11.2.4 | 12 / 3 | |
| 11.2.3 | 12 / 3 | |
| 11.2.2 | 12 / 3 | |
| 11.2.1 | 12 / 3 |
v11.16.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.16.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.13.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.13.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.12.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.11.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.10.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.9.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.9.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.8.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.8.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.8.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.7.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.6.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.5.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.4.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.2.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.2.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.2.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.2.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.2.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.2.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.2.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.2.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.2.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.