@gympass/yoga — Greenflagged

Gympass component library

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

tckguilhermecardoso-gympasslm2almeidarafaelcoletagympassgympass_josie_botnypacheconaabrazheyvitothalescostarollo-wellhub

Keywords

Gympasscomponentsstyled-componentsreactdesign-system

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:react-google-font-loader	AI (dependencies): Established utility dep used consistently across versions of this design system package.	ai	2026/05/18
dependencies	unvetted-dep:@gympass/yoga-common	AI (dependencies): Same-org monorepo sub-package; stable pattern across all versions of this package.	ai	2026/05/18
dependencies	unvetted-dep:@gympass/yoga-system	AI (dependencies): Same-org monorepo sub-package; stable pattern across all versions of this package.	ai	2026/05/18
dependencies	unvetted-dep:@gympass/yoga-tokens	AI (dependencies): Same-org monorepo sub-package; stable pattern across all versions of this package.	ai	2026/05/18
dependencies	unvetted-dep:@gympass/yoga-helpers	AI (dependencies): Same-org monorepo sub-package; stable pattern across all versions of this package.	ai	2026/05/18
dependencies	unvetted-dep:@gympass/yoga-illustrations	AI (dependencies): Same-org monorepo sub-package; stable pattern across all versions of this package.	ai	2026/05/18
source-diff	encoded-string-file:cjs/Input/web/data-images.js	AI (source-diff): Encoded strings are SVG icons and a flags sprite PNG via encodeURI(); standard pattern for this UI component library.	ai	2026/05/18
source-diff	encoded-string-file:esm/Input/web/data-images.js	AI (source-diff): Same as CJS counterpart — SVG/PNG assets encoded for inline use; not a malicious payload.	ai	2026/05/18
phantom-deps	phantom-dep:@gympass/yoga-illustrations	AI (phantom-deps): Same-org scoped package; phantom-dep heuristic unreliable for monorepo re-exports.	ai	2026/05/05
phantom-deps	phantom-dep:date-fns	AI (phantom-deps): date-fns is a declared runtime dep; may be used indirectly via re-exports or config files in this monorepo package.	ai	2026/05/05
typosquat	typosquat.levenshtein:koa	AI (typosquat): Scoped package @gympass/yoga is a well-known design system; Levenshtein match to 'koa' is a clear false positive.	ai	2026/05/05

Versions (showing 3 of 3)

Version	Deps	Published
7.144.0	17 / 6	2026-05-15
7.143.5	17 / 6	2026-05-11
7.143.3	17 / 6	2026-04-30

v7.144.0

3 findings

HIGH Long encoded string in modified file: cjs/Input/web/data-images.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: esm/Input/web/data-images.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.143.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.143.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.