@hawtio/ai-plugin
Hawtio AI plugin
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@patternfly/react-table | AI (phantom-deps): MF plugin pattern; runtime peer dep. | ai | |
| phantom-deps | phantom-dep:@hawtio/react | AI (phantom-deps): Same org scope; peer dependency pattern for MF plugin, not a direct import. | ai | |
| phantom-deps | phantom-dep:@langchain/core | AI (phantom-deps): MF plugin pattern; bundled into remoteEntry.js, not directly imported in source. | ai | |
| phantom-deps | phantom-dep:react-router-dom | AI (phantom-deps): MF plugin pattern; runtime peer dep. | ai | |
| phantom-deps | phantom-dep:@langchain/ollama | AI (phantom-deps): MF plugin pattern; runtime peer dep. | ai | |
| phantom-deps | phantom-dep:@patternfly/react-core | AI (phantom-deps): MF plugin pattern; runtime peer dep. | ai | |
| phantom-deps | phantom-dep:@langchain/google-genai | AI (phantom-deps): MF plugin pattern; runtime peer dep. | ai | |
| phantom-deps | phantom-dep:@patternfly/react-icons | AI (phantom-deps): MF plugin pattern; runtime peer dep. | ai | |
| phantom-deps | phantom-dep:react | AI (phantom-deps): Module Federation plugin; deps are peer/runtime deps consumed by host, not directly imported. | ai | |
| phantom-deps | phantom-dep:monaco-editor | AI (phantom-deps): Editor dep used via @patternfly/react-code-editor config, not direct import. | ai | |
| phantom-deps | phantom-dep:langchain | AI (phantom-deps): langchain is a transitive/orchestration dep; direct usage via @langchain/* sub-packages. | ai | |
| phantom-deps | phantom-dep:@patternfly/react-charts | AI (phantom-deps): PatternFly UI dep used via bundler/config, stable false positive for this UI plugin. | ai | |
| phantom-deps | phantom-dep:@patternfly/react-styles | AI (phantom-deps): PatternFly styles dep used via bundler/config, stable false positive for this UI plugin. | ai | |
| phantom-deps | phantom-dep:@patternfly/react-tokens | AI (phantom-deps): PatternFly tokens dep used via bundler/config, stable false positive for this UI plugin. | ai | |
| phantom-deps | phantom-dep:@patternfly/react-code-editor | AI (phantom-deps): PatternFly code editor dep used via bundler/config, stable false positive for this UI plugin. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): UI plugin; react-dom is a peer/bundler dep referenced in config, not directly imported. | ai | |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 0.2.0 | 19 / 20 | |
| 0.1.6 | 18 / 20 | |
| 0.1.5 | 18 / 20 | |
| 0.1.1 | 16 / 20 | |
| 0.1.0 | 16 / 18 | |
v0.2.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.6
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.