@itcase/storybook-config
Storybook configuration package
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@etchteam/storybook-addon-status | AI (phantom-deps): Storybook addon preset pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@std/path | AI (phantom-deps): Config-aggregator pattern; deps declared for consumers, not directly imported by this package. | ai | |
| source-diff | obfuscated-file:dist/components/Notification-qLYjGbKN.js | AI (source-diff): Same pattern — Rollup ESM bundle of React components; minified but not obfuscated or malicious. | ai | |
| source-diff | obfuscated-file:dist/Notification-Cqx2_tCE.js | AI (source-diff): Standard Rollup minified bundle of React+lodash components; long lines are minified production output, not obfuscation. | ai | |
| phantom-deps | phantom-dep:react-native-svg | AI (phantom-deps): Platform-specific peer dep for react-native consumers; not directly imported. | ai | |
| phantom-deps | phantom-dep:react-native-web | AI (phantom-deps): Platform-specific peer dep; loaded by convention. | ai | |
| phantom-deps | phantom-dep:babel-loader | AI (phantom-deps): Build tooling peer dep in a storybook-config package; loaded by convention. | ai | |
| source-diff | obfuscated-file:dist/Notification-Cf0dDVtz.js | AI (source-diff): Standard Rollup bundle with readable imports; long lines are minified React internals, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/Notification-DUFL7HZn.js | AI (source-diff): CJS counterpart of the same Rollup bundle; same reasoning applies. | ai | |
| phantom-deps | phantom-dep:@storybook/react | AI (phantom-deps): Storybook config package; storybook deps are peer/optional deps loaded by convention, not directly imported. | ai | |
| phantom-deps | phantom-dep:vite | AI (phantom-deps): Config wrapper package; storybook deps are intentionally re-exported for consumers. | ai | |
| phantom-deps | phantom-dep:react-docgen-typescript-plugin | AI (phantom-deps): Config wrapper package; storybook deps are intentionally re-exported for consumers. | ai | |
| phantom-deps | phantom-dep:react-docgen | AI (phantom-deps): Config wrapper package; storybook deps are intentionally re-exported for consumers. | ai | |
| phantom-deps | phantom-dep:@storybook/addon-styling-webpack | AI (phantom-deps): Config package; dependencies referenced in config files, not direct imports. | ai | |
| phantom-deps | phantom-dep:vitest | AI (phantom-deps): Config package; dependencies referenced in config files, not direct imports. | ai | |
| phantom-deps | phantom-dep:@storybook/addon-webpack5-compiler-swc | AI (phantom-deps): Config package; dependencies referenced in config files, not direct imports. | ai | |
| phantom-deps | phantom-dep:@itcase/config | AI (phantom-deps): Config package; dependencies referenced in config files, not direct imports. | ai | |
| phantom-deps | phantom-dep:@storybook/nextjs | AI (phantom-deps): Config package; dependencies referenced in config files, not direct imports. | ai | |
| phantom-deps | phantom-dep:msw-storybook-addon | AI (phantom-deps): Config package; dependencies referenced in config files, not direct imports. | ai | |
| phantom-deps | phantom-dep:@vitejs/plugin-react | AI (phantom-deps): Config package; dependencies referenced in config files, not direct imports. | ai | |
| phantom-deps | phantom-dep:@storybook/addon-docs | AI (phantom-deps): Config package; dependencies referenced in config files, not direct imports. | ai | |
| phantom-deps | phantom-dep:@storybook/react-vite | AI (phantom-deps): Config package; dependencies referenced in config files, not direct imports. | ai | |
| phantom-deps | phantom-dep:http-proxy-middleware | AI (phantom-deps): Config package; dependencies referenced in config files, not direct imports. | ai | |
| phantom-deps | phantom-dep:@storybook/addon-links | AI (phantom-deps): Config package; dependencies referenced in config files, not direct imports. | ai | |
| phantom-deps | phantom-dep:@storybook/addon-themes | AI (phantom-deps): Config package; dependencies referenced in config files, not direct imports. | ai | |
| phantom-deps | phantom-dep:@storybook/addon-vitest | AI (phantom-deps): Config package; dependencies referenced in config files, not direct imports. | ai | |
| phantom-deps | phantom-dep:@storybook/addon-designs | AI (phantom-deps): Config package; dependencies referenced in config files, not direct imports. | ai | |
| phantom-deps | phantom-dep:@storybook/react-webpack5 | AI (phantom-deps): Config package; dependencies referenced in config files, not direct imports. | ai | |
Versions (showing 24 of 24)
| Version | Deps | Published |
|---|---|---|
| 1.2.66 | 49 / 45 | |
| 1.2.63 | 49 / 45 | |
| 1.2.62 | 49 / 45 | |
| 1.2.60 | 49 / 45 | |
| 1.2.52 | 49 / 45 | |
| 1.2.35 | 22 / 28 | |
| 1.2.34 | 22 / 28 | |
| 1.2.33 | 22 / 28 | |
| 1.2.32 | 22 / 28 | |
| 1.2.31 | 22 / 28 | |
| 1.2.30 | 22 / 28 | |
| 1.2.29 | 22 / 28 | |
| 1.2.28 | 21 / 28 | |
| 1.2.27 | 21 / 28 | |
| 1.2.26 | 21 / 28 | |
| 1.2.25 | 21 / 28 | |
| 1.2.24 | 21 / 28 | |
| 1.2.23 | 20 / 28 | |
| 1.2.22 | 19 / 29 | |
| 1.2.14 | 22 / 28 | |
| 1.1.57 | 19 / 28 | |
| 1.1.56 | 19 / 28 | |
| 1.1.49 | 17 / 28 | |
| 1.1.48 | 18 / 28 | |
v1.2.66
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.63
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.62
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.60
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.35
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.34
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.33
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.32
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.31
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.30
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.29
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.28
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.27
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.26
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.25
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.24
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.23
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.22
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.14
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.57
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.56
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.49
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.48
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.