@heroui/select
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): HeroUI is an active org with 177 versions; gap likely reflects a release cadence change, not account takeover. | ai | |
| phantom-deps | phantom-dep:@heroui/aria-utils | AI (phantom-deps): Sibling monorepo package; phantom-dep heuristic false positive for this org's packages. | ai | |
| provenance | no-provenance | AI (provenance): HeroUI monorepo does not publish with Sigstore provenance; stable pattern across all versions. | ai | |
| phantom-deps | phantom-dep:@tanstack/react-virtual | AI (phantom-deps): @tanstack/react-virtual is explicitly listed in package.json dependencies; phantom-dep is a false positive here. | ai |
Versions (showing 16 of 16)
| Version | Deps | Published |
|---|---|---|
| 2.4.33 | 19 / 0 | |
| 2.4.32 | 19 / 0 | |
| 2.4.31 | 19 / 0 | |
| 2.4.30 | 19 / 0 | |
| 2.4.29 | 19 / 0 | |
| 2.4.28 | 19 / 0 | |
| 2.4.27 | 19 / 0 | |
| 2.4.26 | 19 / 0 | |
| 2.4.25 | 19 / 0 | |
| 2.4.24 | 19 / 0 | |
| 2.4.23 | 19 / 0 | |
| 2.4.22 | 19 / 0 | |
| 2.4.21 | 19 / 0 | |
| 2.4.20 | 20 / 0 | |
| 2.4.19 | 20 / 0 | |
| 2.4.10 | 19 / 0 |
v2.4.32
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.31
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.30
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.29
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.28
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.27
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.26
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.25
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.24
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.23
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.22
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.21
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.20
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.19
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.