@giphy/react-components MIT 100 versions

@giphy/react-components

npm Repository Homepage

A lightweight set of components, focused on easy-of-use and performance.

100

Versions

MIT

License

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

giphy

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition from individual npm account to GitHub Actions CI/CD with SLSA provenance; legitimate for @giphy org.	ai	2026/05/31
dependencies	unvetted-dep:emotion	AI (dependencies): emotion is a well-known CSS-in-JS library with no malicious history; its use here is legitimate and stable across versions of this package.	ai	2026/04/21
provenance	no-provenance	AI (provenance): Provenance is not yet standard practice on npm; absence is not a security concern for established publishers.	ai	2026/04/21
dependencies	unvetted-dep:styled-components	AI (dependencies): styled-components is a well-known, widely-used CSS-in-JS library. Its addition here is a legitimate migration from @emotion. No security concerns.	ai	2026/04/21
source-diff	obfuscated-file:esm/components/video/clips-branding.js	AI (source-diff): File is transpiled React/TypeScript with long JSX lines, not malicious obfuscation. Legitimate build output.	ai	2026/04/21
source-diff	source-size-tripled	AI (source-diff): Size increase reflects addition of 55 new source files (video/clips components); normal growth for active library.	ai	2026/04/21
source-diff	large-new-source-files	AI (source-diff): 31 new files reflect normal package growth; no indicators of injected/bundled malicious code.	ai	2026/04/21
source-diff	obfuscated-file:dist/components/video/attribution.js	AI (source-diff): Standard esbuild/tsup CJS bundle output with source path comments. This is the documented build tool for this package; not obfuscation.	ai	2026/04/21
source-diff	obfuscated-file:dist/components/video/index.js	AI (source-diff): Standard esbuild/tsup CJS bundle output with source path comments. This is the documented build tool for this package; not obfuscation.	ai	2026/04/21
dependencies	unvetted-dep:@giphy/colors	AI (dependencies): Internal Giphy package; stable dependency for this component library.	ai	2026/04/21
source-diff	obfuscated-file:dist/components/video/clips-branding.js	AI (source-diff): File is compiled TypeScript output from documented tsc build process; legitimate build artifact, not malicious obfuscation.	ai	2026/04/21
source-diff	obfuscated-file:dist/esm/index.js	AI (source-diff): Minified output from tsup bundler (declared in build script); standard for React component libraries. No malicious patterns in sample.	ai	2026/04/21
publish-pattern	new-deps-added	AI (publish-pattern): New dependencies are established libraries (emotion, react-use) appropriate for component library evolution.	ai	2026/04/21
dependencies	unvetted-dep:react-use	AI (dependencies): react-use is a standard utility library; pinned version 17.4.0 is stable for this package.	ai	2026/04/21
dependencies	unvetted-dep:@giphy/js-types	AI (dependencies): Internal Giphy dependency; stable across many versions of this package.	ai	2026/04/21
dependencies	unvetted-dep:@giphy/js-analytics	AI (dependencies): Internal Giphy dependency; stable across many versions of this package.	ai	2026/04/21
dependencies	unvetted-dep:@giphy/js-fetch-api	AI (dependencies): Internal Giphy package; appropriate for official Giphy component library.	ai	2026/04/21
dependencies	unvetted-dep:@giphy/js-brand	AI (dependencies): Internal Giphy dependency; part of the publisher's own ecosystem.	ai	2026/04/21
dependencies	unvetted-dep:@giphy/js-util	AI (dependencies): Internal Giphy dependency; stable across many versions of this package.	ai	2026/04/21
dependencies	unvetted-dep:intersection-observer	AI (dependencies): intersection-observer is a standard polyfill; pinned constraint ^0.12.2 is stable for this package.	ai	2026/04/21
dependencies	unvetted-dep:@emotion/core	AI (dependencies): Standard React styling library with pinned version; stable dependency for this package.	ai	2026/04/21
bogus-package	bogus-package	AI (bogus-package): README content and keyword signals are false positives for legitimate component libraries; no actual spam or malware indicators present.	ai	2026/04/21

Versions (showing 100 of 158)

Version	Deps	Published
10.1.2	8 / 29	2026-04-23
10.1.1	8 / 29	2025-12-19
10.1.0	8 / 29	2025-07-08
10.0.1	8 / 29	2025-02-13
10.0.0	8 / 29	2025-02-06
9.8.0	8 / 34	2024-11-05
9.7.1	8 / 34	2024-11-01
9.7.0	8 / 34	2024-10-29
9.6.0	8 / 34	2024-08-05
9.5.1	8 / 34	2024-08-01
9.5.0	8 / 34	2024-05-03
9.4.1	8 / 34	2024-04-24
9.4.0	8 / 34	2024-04-22
9.3.0	8 / 34	2024-02-22
9.2.3	8 / 34	2023-12-13
9.2.2	8 / 34	2023-12-13
9.2.1	8 / 34	2023-12-11
9.2.0	8 / 34	2023-11-07
9.1.0	8 / 34	2023-10-26
9.0.1	8 / 34	2023-08-21
9.0.0	8 / 34	2023-08-16
8.1.0	9 / 33	2023-08-02
8.0.0	9 / 33	2023-07-26
7.1.1	10 / 33	2023-07-25
7.1.0	10 / 28	2023-06-27
7.0.1	10 / 28	2023-06-26
7.0.0	10 / 28	2023-06-26
6.9.4	10 / 28	2023-05-30
6.9.3	10 / 28	2023-05-16
6.9.2	10 / 28	2023-05-15
6.9.1	10 / 28	2023-05-15
6.9.0	10 / 28	2023-05-01
6.8.1	10 / 28	2023-03-28
6.8.0	10 / 28	2023-03-27
6.7.0	10 / 28	2023-03-15
6.6.0	10 / 28	2023-03-09
6.5.2	10 / 28	2023-01-18
6.5.1	10 / 28	2022-12-08
6.5.0	10 / 28	2022-12-06
6.4.0	10 / 28	2022-11-29
6.3.0	10 / 28	2022-11-28
6.2.0	10 / 28	2022-09-22
6.1.1	10 / 28	2022-08-18
6.1.0	10 / 28	2022-08-15
6.0.1	10 / 28	2022-08-09
6.0.0	10 / 28	2022-08-03
5.12.0	10 / 22	2022-07-14
5.11.1	10 / 22	2022-07-13
5.11.0	11 / 22	2022-07-06
5.10.1	11 / 22	2022-06-30
5.10.0	11 / 22	2022-06-30
5.9.4	11 / 22	2022-06-29
5.9.3	11 / 22	2022-06-29
5.9.2	11 / 22	2022-06-25
5.9.1	11 / 22	2022-06-23
5.9.0	11 / 22	2022-06-23
5.8.2	11 / 22	2022-06-06
5.8.1	11 / 22	2022-06-06
5.8.0	11 / 22	2022-05-24
5.7.0	11 / 23	2022-05-03
5.6.1	11 / 22	2022-03-02
5.6.0	11 / 22	2022-03-01
5.5.0	11 / 22	2022-02-23
5.4.0	11 / 22	2021-10-21
5.3.1	11 / 22	2021-09-10
5.3.0	11 / 22	2021-09-09
5.2.2	11 / 22	2021-09-08
5.2.1	11 / 22	2021-09-08
5.2.0	11 / 22	2021-09-07
5.1.1	11 / 22	2021-08-30
5.1.0	11 / 22	2021-08-30
5.0.1	11 / 22	2021-08-26
5.0.0	11 / 22	2021-08-25
4.0.1	11 / 22	2021-08-09
4.0.0	11 / 22	2021-08-03
3.2.4	11 / 22	2021-07-26
3.2.3	11 / 22	2021-07-19
3.2.2	11 / 22	2021-07-15
3.2.1	11 / 22	2021-07-14
3.2.0	11 / 22	2021-07-08
3.0.7	11 / 22	2021-06-15
3.0.6	11 / 22	2021-06-07
3.0.5	11 / 22	2021-06-01
3.0.4	11 / 22	2021-05-22
3.0.3	11 / 22	2021-05-21
3.0.2	11 / 22	2021-05-19
3.0.1	11 / 22	2021-05-19
3.0.0	11 / 22	2021-05-19
2.4.0	11 / 22	2021-04-14
2.3.1	11 / 22	2021-03-05
2.3.0	11 / 22	2021-03-02
2.2.2	11 / 22	2021-02-17
2.2.0	11 / 22	2021-02-16
2.1.3	11 / 22	2021-01-29
2.1.2	11 / 22	2021-01-27
2.1.1	11 / 22	2021-01-22
2.1.0	11 / 22	2021-01-05
2.0.1	11 / 22	2020-12-09
1.11.2	11 / 22	2021-01-25
1.11.1	11 / 22	2021-01-19

Showing 100 of 158 Next page →

v10.1.2

2 findings

HIGH Publisher changed: giphy → GitHub Actions (on 2026-04-23) provenance

This version was published by a different npm account than previous versions on 2026-04-23. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.