@imj_media/ui
UI Components
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/index.js | AI (source-diff): Standard Vite/Rollup bundle output; sample shows readable React component code, not malicious obfuscation. | ai | |
| dependencies | unvetted-dep:@fortawesome/pro-solid-svg-icons | AI (dependencies): FontAwesome Pro is a known commercial icon set; stable dependency for this UI package. | ai | |
| dependencies | unvetted-dep:@fortawesome/pro-regular-svg-icons | AI (dependencies): FontAwesome Pro is a known commercial icon set; stable dependency for this UI package. | ai | |
| dependencies | unvetted-dep:@fortawesome/pro-duotone-svg-icons | AI (dependencies): FontAwesome Pro is a known commercial icon set; stable dependency for this UI package. | ai | |
| phantom-deps | phantom-dep:element-resize-detector | AI (phantom-deps): Resize utility likely used indirectly through component internals. | ai | |
| phantom-deps | phantom-dep:tailwind-variants | AI (phantom-deps): UI component library; config-level reference without direct import is expected. | ai | |
| phantom-deps | phantom-dep:@tanstack/react-table | AI (phantom-deps): Table components commonly reference via config/type exports without direct import. | ai | |
| phantom-deps | phantom-dep:@types/react-syntax-highlighter | AI (phantom-deps): Type-only package; convention-loaded, not directly imported. | ai | |
| phantom-deps | phantom-dep:@fortawesome/free-brands-svg-icons | AI (phantom-deps): Icon library referenced via config; stable pattern for this UI package. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped org package; levenshtein match to pg is noise. | ai | |
| typosquat | typosquat.levenshtein:yup | AI (typosquat): Scoped org package; levenshtein match to yup is noise. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped org package; levenshtein match to joi is noise. | ai | |
| typosquat | typosquat.levenshtein:uuid | AI (typosquat): Scoped org package @imj_media/ui; levenshtein match to uuid is noise. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): Scoped org package; levenshtein match to qs is noise. | ai | |
Versions (showing 16 of 16)
| Version | Deps | Published |
|---|---|---|
| 1.10.1 | 24 / 38 | |
| 1.8.2 | 24 / 38 | |
| 1.8.0 | 24 / 38 | |
| 1.6.16 | 25 / 37 | |
| 1.6.5 | 24 / 37 | |
| 1.4.0 | 24 / 37 | |
| 1.0.36 | 7 / 20 | |
| 1.0.22 | 7 / 18 | |
| 1.0.21 | 7 / 18 | |
| 1.0.20 | 7 / 18 | |
| 1.0.19 | 7 / 18 | |
| 1.0.18 | 7 / 18 | |
| 1.0.17 | 7 / 18 | |
| 1.0.16 | 7 / 18 | |
| 1.0.15 | 7 / 18 | |
| 1.0.14 | 7 / 18 | |
v1.10.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.16
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.5
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.36
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.22
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.21
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.20
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.19
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.18
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.17
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.16
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.15
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.14
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.