@kofile/gds-react
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@radix-ui/react-avatar | AI (dependencies): @radix-ui is a well-established, widely-used UI primitives library; not a security concern for this package. | ai | |
| phantom-deps | phantom-dep:@figma/code-connect | AI (phantom-deps): Figma code-connect is a design-tooling dep; declared in dependencies but used only in config files, not a security risk. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-toast | AI (phantom-deps): Component bundle re-exports Radix UI deps; phantom-dep false positive for this package pattern. | ai | |
| phantom-deps | phantom-dep:@tanstack/react-table | AI (phantom-deps): Component bundle re-exports deps; phantom-dep false positive for this package pattern. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-avatar | AI (phantom-deps): Component bundle re-exports Radix UI deps; phantom-dep false positive for this package pattern. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-slider | AI (phantom-deps): Component bundle re-exports Radix UI deps; phantom-dep false positive for this package pattern. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-switch | AI (phantom-deps): Component bundle re-exports Radix UI deps; phantom-dep false positive for this package pattern. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-toggle | AI (phantom-deps): Component bundle re-exports Radix UI deps; phantom-dep false positive for this package pattern. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-menubar | AI (phantom-deps): Component bundle re-exports Radix UI deps; phantom-dep false positive for this package pattern. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-tooltip | AI (phantom-deps): Component bundle re-exports Radix UI deps; phantom-dep false positive for this package pattern. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-checkbox | AI (phantom-deps): Component bundle re-exports Radix UI deps; phantom-dep false positive for this package pattern. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-progress | AI (phantom-deps): Component bundle re-exports Radix UI deps; phantom-dep false positive for this package pattern. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-separator | AI (phantom-deps): Component bundle re-exports Radix UI deps; phantom-dep false positive for this package pattern. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-radio-group | AI (phantom-deps): Component bundle re-exports Radix UI deps; phantom-dep false positive for this package pattern. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-alert-dialog | AI (phantom-deps): Component bundle re-exports Radix UI deps; phantom-dep false positive for this package pattern. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-toggle-group | AI (phantom-deps): Component bundle re-exports Radix UI deps; phantom-dep false positive for this package pattern. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-dropdown-menu | AI (phantom-deps): Component bundle re-exports Radix UI deps; phantom-dep false positive for this package pattern. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-popover | AI (phantom-deps): Component bundle re-exports Radix UI deps; phantom-dep false positive for this package pattern. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-tabs | AI (phantom-deps): Component bundle re-exports Radix UI deps; phantom-dep false positive for this package pattern. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-select | AI (phantom-deps): Component bundle re-exports Radix UI deps; config-level references without direct imports are expected. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-accordion | AI (phantom-deps): Same bundle re-export pattern; stable false positive for this package. | ai | |
Versions (showing 8 of 8)
| Version | Deps | Published |
|---|---|---|
| 1.4.18 | 19 / 2 | |
| 1.4.16 | 19 / 2 | |
| 1.4.14 | 19 / 2 | |
| 1.4.7 | 19 / 2 | |
| 1.4.5 | 19 / 2 | |
| 1.4.4 | 19 / 2 | |
| 1.4.1 | 20 / 2 | |
| 1.4.0 | 20 / 2 | |
v1.4.18
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.16
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.14
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.7
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.