@gradio/gallery
Gradio UI packages
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Gradio migrated to GitHub Actions CI publishing with SLSA attestation; this transition is legitimate and expected to persist. | ai | |
| phantom-deps | phantom-dep:@gradio/atoms | AI (phantom-deps): Svelte component package; same-org dep resolved at build time. | ai | |
| phantom-deps | phantom-dep:@gradio/icons | AI (phantom-deps): Svelte component package; same-org dep resolved at build time. | ai | |
| phantom-deps | phantom-dep:@gradio/image | AI (phantom-deps): Svelte component package; same-org dep resolved at build time. | ai | |
| phantom-deps | phantom-dep:@gradio/file | AI (phantom-deps): Svelte component package; same-org dep resolved at build time, not via direct JS import. | ai | |
| phantom-deps | phantom-dep:@gradio/upload | AI (phantom-deps): Svelte component package; same-org dep resolved at build time. | ai | |
| phantom-deps | phantom-dep:@gradio/statustracker | AI (phantom-deps): Svelte component package; same-org dep resolved at build time. | ai | |
| phantom-deps | phantom-dep:dequal | AI (phantom-deps): Utility dep used in Svelte templates/config, not direct JS import; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@gradio/video | AI (phantom-deps): Svelte component package; same-org dep resolved at build time. | ai |
Versions (showing 30 of 30)
| Version | Deps | Published |
|---|---|---|
| 0.17.8 | 10 / 1 | |
| 0.17.7 | 10 / 1 | |
| 0.17.6 | 10 / 1 | |
| 0.17.5 | 10 / 1 | |
| 0.17.4 | 10 / 1 | |
| 0.17.3 | 10 / 1 | |
| 0.17.2 | 10 / 1 | |
| 0.17.1 | 10 / 1 | |
| 0.17.0 | 10 / 1 | |
| 0.16.2 | 10 / 1 | |
| 0.16.1 | 10 / 1 | |
| 0.16.0 | 10 / 1 | |
| 0.15.36 | 10 / 1 | |
| 0.15.35 | 10 / 1 | |
| 0.15.34 | 10 / 1 | |
| 0.15.33 | 10 / 1 | |
| 0.15.32 | 10 / 1 | |
| 0.15.31 | 10 / 1 | |
| 0.15.30 | 10 / 1 | |
| 0.15.29 | 10 / 1 | |
| 0.15.28 | 10 / 1 | |
| 0.15.27 | 10 / 1 | |
| 0.15.26 | 10 / 1 | |
| 0.15.25 | 10 / 1 | |
| 0.15.24 | 10 / 1 | |
| 0.15.23 | 10 / 1 | |
| 0.15.22 | 10 / 1 | |
| 0.15.21 | 10 / 1 | |
| 0.15.20 | 10 / 1 | |
| 0.15.19 | 10 / 1 |
v0.17.8
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.17.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.17.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.17.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.17.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.17.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.17.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.17.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.17.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.16.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.16.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.16.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.15.36
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.15.35
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.15.34
2 findingsThis version was published by a different npm account than previous versions on 2025-09-23. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.15.33
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.32
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.31
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.30
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.29
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.28
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.27
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.26
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.25
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.24
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.23
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.22
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.21
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.20
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.15.19
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.