@grafana/ui

Versions: 8
License:
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation
npm registry signatures
No source commit

Maintainers

gf_joshhunt, grafanabot

Keywords

grafana, react, react-component, typescript

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | obfuscated-file:dist/esm/index.d.mts | AI (source-diff): TypeScript declaration file with long import lines; standard build artifact for large UI library, not obfuscation. | ai |
source-diff | obfuscated-file:dist/cjs/index.d.cts | AI (source-diff): TypeScript declaration file with long import lines; standard build artifact for large UI library, not obfuscation. | ai |
source-diff | net-exec-file:dist/cjs/unstable-Dnwln1QB.js | AI (source-diff): Large CJS bundle for @grafana/ui unstable entrypoint; imports are all legitimate Grafana/React ecosystem deps, no actual dropper behavior. | ai |
source-diff | large-new-source-files | AI (source-diff): Large UI library regularly adds source files across releases; not indicative of injected code. | ai |
source-diff | net-exec-file:dist/cjs/unstable-NfHmxgim.js | AI (source-diff): File is a standard Rollup CJS bundle of Grafana UI deps; no actual network calls or dynamic exec in the sample. | ai |
dependencies | unvetted-dep:@grafana/react-data-grid | AI (dependencies): Grafana-org scoped fork of react-data-grid; consistent with their internal fork pattern across the @grafana/* namespace. | ai |
publish-pattern | new-deps-added | AI (publish-pattern): Replacement of react-data-grid with @grafana/react-data-grid is a controlled org-internal fork swap, not a supply-chain risk. | ai |
dependencies | unvetted-dep:uwrap | AI (dependencies): Small utility dep added to established Grafana UI package with SLSA provenance; no malicious indicators. | ai |
dependencies | unvetted-dep:@grafana/i18n | AI (dependencies): First-party Grafana monorepo sibling package; always co-released. | ai |
dependencies | unvetted-dep:react-router-dom-v5-compat | AI (dependencies): Official React Router v5 compat shim from Remix/React Router team; well-known package. | ai |
dependencies | unvetted-dep:@grafana/faro-web-sdk | AI (dependencies): Official Grafana Faro observability SDK; stable Grafana-maintained package. | ai |
dependencies | unvetted-dep:react-data-grid | AI (dependencies): SHA-pinned fork under grafana org; commit-pinned for supply chain integrity. | ai |
dependencies | unvetted-dep:@grafana/data | AI (dependencies): First-party Grafana monorepo sibling package; always co-released. | ai |
phantom-deps | phantom-dep:react-i18next | AI (phantom-deps): Used via i18n abstraction layer; stable false positive. | ai |
phantom-deps | phantom-dep:react-router-dom | AI (phantom-deps): Router used via compat layer; stable false positive. | ai |
typosquat | typosquat.levenshtein:uuid | AI (typosquat): Scoped @grafana/ui package; Levenshtein match to short names is a false positive. | ai |
phantom-deps | phantom-dep:@types/react-table | AI (phantom-deps): Type-only package; framework-scoped, stable false positive. | ai |
phantom-deps | phantom-dep:i18next-browser-languagedetector | AI (phantom-deps): i18n plugin loaded by convention; stable false positive. | ai |
phantom-deps | phantom-dep:@react-aria/utils | AI (phantom-deps): Used transitively via other @react-aria packages; stable false positive. | ai |
typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped @grafana/ui package; Levenshtein match to short names is a false positive. | ai |
typosquat | typosquat.levenshtein:qs | AI (typosquat): Scoped @grafana/ui package; Levenshtein match to short names is a false positive. | ai |
typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped @grafana/ui package; Levenshtein match to short names is a false positive. | ai |
typosquat | typosquat.levenshtein:yup | AI (typosquat): Scoped @grafana/ui package; Levenshtein match to short names is a false positive. | ai |
npm-metadata | url-dep:react-data-grid | AI (npm-metadata): Known Grafana fork of react-data-grid pinned by commit hash; intentional upstream customization pattern. | ai |
phantom-deps | phantom-dep:d3 | AI (phantom-deps): d3 is a declared runtime dep used via config/type references; stable false positive for this package. | ai |
phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a known implicit TypeScript runtime dependency. | ai |
phantom-deps | phantom-dep:jquery | AI (phantom-deps): jquery declared as dep for plugin ecosystem compatibility; stable false positive. | ai |
phantom-deps | phantom-dep:moment | AI (phantom-deps): moment declared as dep for date handling; stable false positive. | ai |
phantom-deps | phantom-dep:i18next | AI (phantom-deps): i18next used via @grafana/i18n abstraction; stable false positive. | ai |
phantom-deps | phantom-dep:@types/jquery | AI (phantom-deps): Type-only package; framework-scoped, stable false positive. | ai |
phantom-deps | phantom-dep:@types/lodash | AI (phantom-deps): Type-only package; framework-scoped, stable false positive. | ai |

Versions (showing 8 of 8)

Version | Deps | Published
13.0.2 | 69 / 72 |
13.0.1 | 69 / 72 |
13.0.0 | 69 / 72 |
12.4.4 | 69 / 70 |
12.4.3 | 69 / 70 |
12.3.7 | 69 / 70 |
12.2.9 | 69 / 70 |
11.6.15 | 66 / 69 |

v13.0.2

1 finding
INFO  Has SLSA provenance attestation  [source: provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.0.1

1 finding
INFO  Has SLSA provenance attestation  [source: provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.0.0

1 finding
INFO  Has SLSA provenance attestation  [source: provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v12.4.4

1 finding
INFO  Has SLSA provenance attestation  [source: provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v12.4.3

1 finding
INFO  Has SLSA provenance attestation  [source: provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v12.3.7

2 findings
HIGH  New file with network + code execution: dist/cjs/unstable-NfHmxgim.js  [source: source-diff]

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO  Has SLSA provenance attestation  [source: provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v12.2.9

2 findings
HIGH  New file with network + code execution: dist/cjs/unstable-Dnwln1QB.js  [source: source-diff]

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO  Has SLSA provenance attestation  [source: provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v11.6.15

3 findings
HIGH  New obfuscated file: dist/cjs/index.d.cts  [source: source-diff]

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH  New obfuscated file: dist/esm/index.d.mts  [source: source-diff]

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO  Has SLSA provenance attestation  [source: provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.