@hashintel/ds-components

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

nonparibuscmorinanhashdotai

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	source-size-tripled	AI (source-diff): Size increase driven by PandaCSS token/buildinfo output; not injected payload.	ai	2026/05/20
source-diff	large-new-source-files	AI (source-diff): New files are PandaCSS codegen artifacts (tokens, buildinfo); expected for this package's CSS tooling migration.	ai	2026/05/20
dependencies	unvetted-dep:canvas	AI (dependencies): canvas is a well-known server-side rendering package; its use in a React component library is expected and benign.	ai	2026/05/20
provenance	no-provenance	AI (provenance): Established hashintel org package; lack of provenance is common and not a risk signal here.	ai	2026/05/20
phantom-deps	phantom-dep:@hashintel/ds-helpers	AI (phantom-deps): Same-org sibling package; likely re-exported rather than directly imported, stable FP.	ai	2026/05/18
phantom-deps	phantom-dep:@ark-ui/react	AI (phantom-deps): Listed as runtime dep; phantom-dep heuristic false positive for this UI library package.	ai	2026/05/18
phantom-deps	phantom-dep:canvas	AI (phantom-deps): canvas is used in browser test/Storybook context, not a direct runtime import; stable false positive for this package.	ai	2026/05/06
phantom-deps	phantom-dep:motion	AI (phantom-deps): motion is a UI animation dep likely used indirectly via component composition; stable false positive for this package.	ai	2026/05/06