@gravity-ui/app-builder
Develop and build your React client-server projects, powered by typescript and webpack
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source: nothing attests which repository, commit and CI run produced it. The axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): New deps are established Babel packages; addition aligns with React Compiler feature addition. | ai | |
| dependencies | unvetted-dep:worker-rspack-loader | AI (dependencies): Rspack ecosystem loader; expected dep for this build tool. | ai | |
| dependencies | unvetted-dep:tsconfig-to-swcconfig | AI (dependencies): SWC config utility; legitimate build tooling dep. | ai | |
| dependencies | unvetted-dep:@rsdoctor/rspack-plugin | AI (dependencies): Rsdoctor bundle analysis plugin; legitimate build tooling dep. | ai | |
| dependencies | unvetted-dep:webpack-assets-manifest | AI (dependencies): Well-known webpack plugin; stable legitimate dep. | ai | |
| dependencies | unvetted-dep:@rsdoctor/webpack-plugin | AI (dependencies): Rsdoctor bundle analysis plugin; legitimate build tooling dep. | ai | |
| dependencies | unvetted-dep:@statoscope/webpack-model | AI (dependencies): Statoscope bundle analysis; legitimate build tooling dep. | ai | |
| dependencies | unvetted-dep:@statoscope/webpack-plugin | AI (dependencies): Statoscope bundle analysis; legitimate build tooling dep. | ai | |
| dependencies | unvetted-dep:babel-plugin-inline-react-svg | AI (dependencies): Known Babel plugin for SVG inlining; legitimate dep. | ai | |
| dependencies | unvetted-dep:moment-timezone-data-webpack-plugin | AI (dependencies): Known webpack plugin for moment-timezone; legitimate dep. | ai | |
| dependencies | unvetted-dep:babel-plugin-tsconfig-paths-module-resolver | AI (dependencies): Path resolution Babel plugin; legitimate build tooling dep. | ai | |
| phantom-deps | phantom-dep:ts-node | AI (phantom-deps): ts-node is declared in deps and used via cosmiconfig-typescript-loader; phantom-dep is a false positive here. | ai | |
| dependencies | unvetted-dep:svgo | AI (dependencies): svgo is a well-known SVG optimizer; stable legitimate dep for a build tool. | ai | |
| dependencies | unvetted-dep:@okikio/sharedworker | AI (dependencies): Worker polyfill used by build tooling; no malware indicators. | ai | |
| phantom-deps | phantom-dep:core-js | AI (phantom-deps): Known implicit polyfill dependency; stable false positive for build tools. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): Referenced in config files for React build support; expected pattern for this package. | ai | |
| phantom-deps | phantom-dep:pino-pretty | AI (phantom-deps): Referenced in config files as optional logger formatter; stable false positive. | ai | |
| phantom-deps | phantom-dep:worker-loader | AI (phantom-deps): Referenced in config files for webpack worker support; expected for this build tool. | ai | |
| phantom-deps | phantom-dep:@babel/runtime | AI (phantom-deps): Framework-scoped package loaded by convention in Babel-based build tools. | ai | |
| phantom-deps | phantom-dep:@statoscope/stats | AI (phantom-deps): Referenced in config files for stats analysis; expected for this build toolchain. | ai | |
| phantom-deps | phantom-dep:@statoscope/webpack-model | AI (phantom-deps): Referenced in config files; expected for this build toolchain. | ai | |
| phantom-deps | phantom-dep:@statoscope/stats-extension-compressed | AI (phantom-deps): Referenced in config files; expected for this build toolchain. | ai | |
| phantom-deps | phantom-dep:svgo | AI (phantom-deps): svgo is referenced in config files as a build tool dependency, not a direct import — expected for this build toolchain. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): Known implicit runtime dependency for TypeScript projects; stable false positive. | ai | |
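The phantom-dep rows above flag modules the package imports or references without declaring them in package.json. As an added example (not part of this report or of @gravity-ui/app-builder), the script below does the basic check over a constructed package.json and two constructed source snippets: it normalizes import specifiers to package names (scoped packages and subpath imports included), ignores relative paths and Node builtins, treats dependencies, peerDependencies and optionalDependencies as satisfied, and reports devDependencies-only imports separately, since those are not installed for consumers. The package name demo-build-tool, the file names and the file contents are made up. The regexes cover static import/export-from, require() and dynamic import() only, not bare strings in config files, which is where several of the accepted false positives above come from.

```javascript
'use strict';

// Small builtin set for the demo; in a real checker use
// require('module').builtinModules instead of a hand-written list.
const BUILTINS = new Set(['fs', 'path', 'os', 'url', 'util', 'module', 'crypto']);

// Constructed package.json for a hypothetical build tool.
const samplePackageJson = {
  name: 'demo-build-tool',
  dependencies: { 'ts-node': '^10.9.0', cosmiconfig: '^9.0.0', svgo: '^3.0.0' },
  devDependencies: { typescript: '^5.0.0' },
  peerDependencies: { 'react-dom': '>=17' },
};

// Constructed source files keyed by path.
const sampleSources = {
  'src/config.ts': `
    import { cosmiconfig } from 'cosmiconfig';
    import path from 'node:path';
    import { optimize } from 'svgo/lib/svgo';
    const ts = require('typescript');
  `,
  'src/webpack.ts': `
    import 'core-js/stable';
    export { default as loader } from 'worker-loader';
    const server = import('react-dom/server');
  `,
};

// Map an import specifier to the npm package that provides it, or null
// when it is a relative path, an absolute path or a Node builtin.
function packageNameOf(specifier) {
  if (specifier.startsWith('.') || specifier.startsWith('/')) return null;
  if (specifier.startsWith('node:')) return null;
  const parts = specifier.split('/');
  const name = specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
  return BUILTINS.has(name) ? null : name;
}

// Collect specifiers from require(), dynamic import(), static import/export-from
// and bare side-effect imports. String references elsewhere are ignored.
function extractSpecifiers(source) {
  const found = new Set();
  const patterns = [
    /\b(?:require|import)\s*\(\s*['"]([^'"]+)['"]\s*\)/g,
    /\b(?:import|export)\b[^'";]*?\bfrom\s+['"]([^'"]+)['"]/g,
    /\bimport\s+['"]([^'"]+)['"]/g,
  ];
  for (const re of patterns) {
    for (const m of source.matchAll(re)) found.add(m[1]);
  }
  return found;
}

// Return imported packages that are not declared as runtime dependencies,
// sorted by name, noting whether each is at least declared under devDependencies.
function findPhantomDeps(pkg, sources) {
  const runtime = new Set([
    ...Object.keys(pkg.dependencies || {}),
    ...Object.keys(pkg.peerDependencies || {}),
    ...Object.keys(pkg.optionalDependencies || {}),
  ]);
  const devOnly = new Set(Object.keys(pkg.devDependencies || {}));
  const phantom = new Map();
  for (const [file, src] of Object.entries(sources)) {
    for (const spec of extractSpecifiers(src)) {
      const name = packageNameOf(spec);
      if (!name || name === pkg.name || runtime.has(name)) continue;
      if (!phantom.has(name)) {
        phantom.set(name, { name, devOnly: devOnly.has(name), files: [] });
      }
      phantom.get(name).files.push(file);
    }
  }
  return [...phantom.values()].sort((a, b) => a.name.localeCompare(b.name));
}

console.log(JSON.stringify(findPhantomDeps(samplePackageJson, sampleSources), null, 2));
```

For the constructed input the checker reports core-js and worker-loader as undeclared and typescript as declared only under devDependencies; svgo and react-dom pass because the subpath and peer cases resolve to declared names.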
Versions (showing 12 of 12)
| Version | Deps | Published |
|---|---|---|
| 0.47.0 | 93 / 34 | |
| 0.44.0 | 90 / 33 | |
| 0.43.0 | 91 / 33 | |
| 0.42.1 | 91 / 30 | |
| 0.36.0 | 91 / 30 | |
| 0.35.0 | 91 / 30 | |
| 0.33.3 | 91 / 30 | |
| 0.30.3 | 91 / 30 | |
| 0.29.2 | 89 / 30 | |
| 0.29.1 | 89 / 30 | |
| 0.28.0 | 87 / 30 | |
| 0.27.0 | 87 / 30 | |
v0.47.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gravity-ui-bot.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.43.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.42.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.36.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.35.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.33.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.30.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.29.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.29.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.28.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.27.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
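The two signals behind the findings above, a version without Sigstore attestations and a version that dropped the gitHead its predecessors carried, can be checked directly against registry metadata. The script below is an added example, not scanner or project code. It walks a packument shaped like the document https://registry.npmjs.org/<name> returns, reads attestations in the shape the registry publishes (dist.attestations.url plus dist.attestations.provenance.predicateType; confirm this against the live document, it is stated here as an assumption), and reports per version whether attestations are missing and whether gitHead disappeared after earlier versions had it. The packument is constructed for the demo: the version numbers follow the table on this page, but the commit hashes and tarball URLs are fake, and the attestation on 0.44.0 is invented purely to exercise the positive path.

```javascript
'use strict';

// Constructed, abbreviated packument. Hashes, URLs and the 0.44.0 attestation are fake.
const samplePackument = {
  name: '@gravity-ui/app-builder',
  versions: {
    '0.47.0': {
      version: '0.47.0',
      // No gitHead and no attestations: the two findings the report raised.
      dist: { tarball: 'https://registry.example/app-builder-0.47.0.tgz' },
    },
    '0.43.0': {
      version: '0.43.0',
      gitHead: 'a'.repeat(40),
      dist: { tarball: 'https://registry.example/app-builder-0.43.0.tgz' },
    },
    '0.44.0': {
      version: '0.44.0',
      gitHead: 'b'.repeat(40),
      dist: {
        tarball: 'https://registry.example/app-builder-0.44.0.tgz',
        // Assumed shape of the registry's attestation pointer (invented for the demo).
        attestations: {
          url: 'https://registry.example/-/npm/v1/attestations/@gravity-ui%2fapp-builder@0.44.0',
          provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
        },
      },
    },
  },
};

// Numeric-only semver comparison; pre-release tags are not needed for this demo.
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// True when the version document carries an attestation pointer with a predicate type.
function hasProvenance(versionDoc) {
  const att = versionDoc.dist && versionDoc.dist.attestations;
  return Boolean(att && att.url && att.provenance && att.provenance.predicateType);
}

// A gitHead only counts if it looks like a full commit SHA.
function hasValidGitHead(versionDoc) {
  return typeof versionDoc.gitHead === 'string' && /^[0-9a-f]{40}$/i.test(versionDoc.gitHead);
}

// Walk versions in ascending order and return [{ version, findings: [...] }].
// 'gitHead-dropped' fires only after at least one earlier version carried a gitHead.
function auditPackument(packument) {
  const versions = Object.keys(packument.versions).sort(compareSemver);
  const report = [];
  let earlierHadGitHead = false;
  for (const v of versions) {
    const doc = packument.versions[v];
    const findings = [];
    if (!hasProvenance(doc)) findings.push('no-provenance');
    const gitHeadOk = hasValidGitHead(doc);
    if (!gitHeadOk && earlierHadGitHead) findings.push('gitHead-dropped');
    if (gitHeadOk) earlierHadGitHead = true;
    report.push({ version: v, findings });
  }
  return report;
}

console.log(JSON.stringify(auditPackument(samplePackument), null, 2));
```

Against the live registry, `npm view @gravity-ui/app-builder gitHead dist.attestations --json` prints the same two fields for the latest version, and `npm audit signatures` checks the registry signatures and attestations of whatever is already installed in a project. Note that the presence of an attestation pointer is not itself verification; the pointer says an attestation was recorded, and a verifier must still fetch it and check the Sigstore signature and the source repository it names.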