@harnessio/ui
Harness Canary UI component library
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/index-BbIpB8kX.js | AI (source-diff): Standard Vite minified bundle for a React UI library; not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/index-BbIpB8kX.js | AI (source-diff): Network calls and dynamic code execution are normal in a React UI component library bundle (fetch for data, dynamic imports for code splitting). | ai | |
| source-diff | obfuscated-file:dist/index-DDOiMHF8.js | AI (source-diff): Standard Vite minified bundle output; sample shows normal React/Radix UI component code. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package @harnessio/ui; Levenshtein match to joi is a false positive for scoped names. | ai | |
| typosquat | typosquat.levenshtein:yup | AI (typosquat): Scoped package @harnessio/ui; Levenshtein match to yup is a false positive for scoped names. | ai | |
| phantom-deps | phantom-dep:add | AI (phantom-deps): Large UI library; many deps bundled/re-exported rather than directly imported in source. | ai | |
| phantom-deps | phantom-dep:yaml | AI (phantom-deps): Large UI library; bundled output pattern causes phantom-dep false positives. | ai | |
| phantom-deps | phantom-dep:cel-js | AI (phantom-deps): Large UI library; bundled output pattern causes phantom-dep false positives. | ai | |
| phantom-deps | phantom-dep:dotenv | AI (phantom-deps): Large UI library; bundled output pattern causes phantom-dep false positives. | ai | |
| phantom-deps | phantom-dep:i18next | AI (phantom-deps): Large UI library; bundled output pattern causes phantom-dep false positives. | ai | |
| typosquat | typosquat.levenshtein:uuid | AI (typosquat): Scoped package @harnessio/ui; Levenshtein match to uuid is a false positive for scoped names. | ai | |
| phantom-deps | phantom-dep:framer-motion | AI (phantom-deps): Large UI library; bundled output pattern causes phantom-dep false positives. | ai | |
| phantom-deps | phantom-dep:monaco-editor | AI (phantom-deps): Large UI library; bundled output pattern causes phantom-dep false positives. | ai | |
| phantom-deps | phantom-dep:react-i18next | AI (phantom-deps): Large UI library; bundled output pattern causes phantom-dep false positives. | ai | |
| phantom-deps | phantom-dep:tailwind-merge | AI (phantom-deps): Large UI library; bundled output pattern causes phantom-dep false positives. | ai | |
| phantom-deps | phantom-dep:@harnessio/pipeline-graph | AI (phantom-deps): Same org scope; sibling package dependency, not a phantom dep concern. | ai | |
| phantom-deps | phantom-dep:@harnessio/core-design-system | AI (phantom-deps): Same org scope; sibling package dependency, not a phantom dep concern. | ai | |
| phantom-deps | phantom-dep:lodash-es | AI (phantom-deps): Large UI library; bundled output pattern causes phantom-dep false positives. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped package @harnessio/ui; Levenshtein match to pg is a false positive for scoped names. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): Scoped package @harnessio/ui; Levenshtein match to qs is a false positive for scoped names. | ai | |
Versions (showing 7 of 7)
| Version | Deps | Published |
|---|---|---|
| 0.5.32 | 74 / 29 | |
| 0.5.31 | 74 / 29 | |
| 0.5.29 | 74 / 29 | |
| 0.5.20 | 74 / 29 | |
| 0.5.19 | 74 / 29 | |
| 0.5.18 | 74 / 29 | |
| 0.5.14 | 74 / 29 | |
v0.5.32
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.31
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.29
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.20
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.19
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.18
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.14
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.