
@grafana/plugin-ui

3 Versions | License | No Install Scripts | Verified Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation | npm registry signatures | gitHead linked

Maintainers

gf_joshhunt
grafanabot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | obfuscated-file:dist/esm/node_modules/chance/chance.js | AI (source-diff): chance.js 1.1.7 bundled by rollup; readable commented source, not obfuscated. Stable pattern for this package. | ai |
phantom-deps | phantom-dep:react-dom | AI (phantom-deps): react-dom is a peer/dev dep used in test utils; phantom-dep false positive for this package. | ai |
phantom-deps | phantom-dep:@types/prismjs | AI (phantom-deps): @types/prismjs is a type-only package; stable false positive for this package. | ai |

Versions (showing 3 of 3)

Version | Deps | Published
0.14.0 | 18 / 54 |
0.13.1 | 13 / 59 |
0.13.0 | 13 / 59 |

v0.14.0

2 findings
HIGH (source-diff): New obfuscated file: dist/esm/node_modules/chance/chance.js

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.13.1

1 finding
INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.13.0

1 finding
INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.