@hh.ru/magritte-ui — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

hhru

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	new-deps-added	AI (publish-pattern): New deps are all @hh.ru/magritte-ui-* sub-packages from the same org; consistent with normal monorepo component additions.	ai	2026/05/24
bogus-package	bogus-package	AI (bogus-package): Aggregator package in a large monorepo; missing description/repo/keywords is a known pattern for internal component bundles.	ai	2026/05/24
phantom-deps	phantom-dep:@hh.ru/magritte-fonts	AI (phantom-deps): Same-org CSS/font dep; likely re-exported or used indirectly via CSS imports not visible to static analysis.	ai	2026/05/24
phantom-deps	phantom-dep:@hh.ru/magritte-reset-css	AI (phantom-deps): Same-org CSS dep; phantom detection is a false positive for CSS-only packages.	ai	2026/05/24
phantom-deps	phantom-dep:@hh.ru/magritte-design-tokens	AI (phantom-deps): Same-org design tokens dep; likely consumed via CSS/SCSS imports not tracked by static analysis.	ai	2026/05/24
phantom-deps	phantom-dep:@hh.ru/magritte-ui-translate-guard	AI (phantom-deps): Same-org dep; phantom detection false positive for this aggregator package.	ai	2026/05/24