← Home

@gravity-ui/navigation

npm Repository Homepage

Gravity UI Navigation components

27
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

resureamjegravity-ui-bot

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff obfuscated-file:build/esm/index-CVOBofNk.js AI (source-diff): Standard Rollup bundle output for a React UI library; long lines are minified but not obfuscated. ai
source-diff net-exec-file:build/cjs/index-L5I99ugu.js AI (source-diff): No dropper behavior; same rationale as ESM counterpart. ai
source-diff obfuscated-file:build/cjs/index-L5I99ugu.js AI (source-diff): Standard Rollup CJS bundle; same pattern as ESM counterpart. ai
source-diff net-exec-file:build/esm/index-CVOBofNk.js AI (source-diff): No actual dropper behavior; network refs are React/DOM APIs in a UI component bundle. ai
source-diff net-exec-file:build/esm/index-Cqnwnlke.js AI (source-diff): Same false-positive pattern as CJS file; legitimate UI component bundle. ai
source-diff obfuscated-file:build/cjs/index-8E4JW4bt.js AI (source-diff): Standard Rollup minified bundle output; long lines are bundled React component code, not obfuscation. ai
source-diff net-exec-file:build/cjs/index-8E4JW4bt.js AI (source-diff): Network/exec pattern fires on React UI bundle; no actual network fetch or dynamic code execution present. ai
source-diff obfuscated-file:build/esm/index-Cqnwnlke.js AI (source-diff): Standard Rollup ESM bundle; same rationale as CJS counterpart. ai
source-diff net-exec-file:build/cjs/index-BTP6Ci-f.js AI (source-diff): False positive on bundled React component code; no actual network+exec pattern present. ai
source-diff obfuscated-file:build/cjs/index-BTP6Ci-f.js AI (source-diff): Standard Rollup minified bundle output for a React UI library; long lines are expected in bundled JS. ai
source-diff obfuscated-file:build/esm/index-D3WICHag.js AI (source-diff): Standard Rollup ESM bundle; long lines are expected in minified output. ai
source-diff net-exec-file:build/esm/index-D3WICHag.js AI (source-diff): False positive on bundled React component code; no actual network+exec pattern present. ai
phantom-deps phantom-dep:@floating-ui/react AI (phantom-deps): @floating-ui/react is a runtime dep used indirectly via bundled output; phantom-dep heuristic false positive. ai
source-diff net-exec-file:build/cjs/index-D9NSuTiN.js AI (source-diff): Network calls are React/UI component fetch patterns; no dropper behavior in sampled code. ai
source-diff obfuscated-file:build/esm/index-Bi86ts3T.js AI (source-diff): Standard Rollup minified bundle output; not obfuscated malware. ai
source-diff obfuscated-file:build/cjs/index-D9NSuTiN.js AI (source-diff): Standard Rollup minified bundle output; not obfuscated malware. ai
source-diff net-exec-file:build/esm/index-Bi86ts3T.js AI (source-diff): Network calls are React/UI component fetch patterns; no dropper behavior in sampled code. ai
phantom-deps phantom-dep:tslib AI (phantom-deps): tslib is a declared runtime dependency; phantom-dep heuristic is a false positive here. ai
semgrep semgrep:child-process-import AI (semgrep): child_process used in codemod CLI binary, not runtime code; expected pattern for this package. ai

Versions (showing 27 of 27)

Version Deps Published
5.0.0 4 / 69
4.0.17 3 / 71
4.0.16 3 / 71
4.0.15 3 / 71
4.0.14 3 / 71
4.0.13 3 / 71
4.0.12 3 / 69
4.0.11 3 / 69
4.0.10 3 / 69
4.0.9 3 / 69
4.0.8 3 / 69
4.0.7 3 / 69
4.0.6 3 / 69
4.0.5 3 / 64
4.0.4 3 / 69
4.0.3 3 / 69
4.0.2 3 / 69
4.0.1 3 / 69
4.0.0 3 / 69
3.11.1 3 / 64
3.11.0 3 / 64
3.10.2 3 / 64
3.10.1 3 / 64
3.10.0 3 / 64
3.9.0 3 / 64
3.8.0 3 / 64
3.7.5 3 / 64

v5.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.17

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.16

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.14

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.13

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.12

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.11

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.10

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.9

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.8

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.7

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.6

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.5

5 findings
HIGH New obfuscated file: build/esm/index-CVOBofNk.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: build/esm/index-CVOBofNk.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: build/cjs/index-L5I99ugu.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: build/cjs/index-L5I99ugu.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.11.1

5 findings
HIGH New obfuscated file: build/esm/index-CVOBofNk.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: build/esm/index-CVOBofNk.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: build/cjs/index-L5I99ugu.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: build/cjs/index-L5I99ugu.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.11.0

5 findings
HIGH New obfuscated file: build/cjs/index-BTP6Ci-f.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: build/cjs/index-BTP6Ci-f.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: build/esm/index-D3WICHag.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: build/esm/index-D3WICHag.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.10.2

5 findings
HIGH New obfuscated file: build/cjs/index-BTP6Ci-f.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: build/cjs/index-BTP6Ci-f.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: build/esm/index-D3WICHag.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: build/esm/index-D3WICHag.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.10.1

5 findings
HIGH New obfuscated file: build/cjs/index-8E4JW4bt.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: build/cjs/index-8E4JW4bt.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: build/esm/index-Cqnwnlke.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: build/esm/index-Cqnwnlke.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.10.0

5 findings
HIGH New obfuscated file: build/esm/index-Bi86ts3T.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: build/esm/index-Bi86ts3T.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New obfuscated file: build/cjs/index-D9NSuTiN.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: build/cjs/index-D9NSuTiN.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.9.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.8.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.7.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.