@layers-app/editor
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:npm | AI (phantom-deps): npm declared as runtime dep; used in build/dev scripts and config. | ai | |
| phantom-deps | phantom-dep:@layers-app/shared | AI (phantom-deps): Same-org scoped package; used dynamically in shared utilities. | ai | |
| phantom-deps | phantom-dep:swagger-ui-react | AI (phantom-deps): UI component; used dynamically in editor features. | ai | |
| phantom-deps | phantom-dep:lexical | AI (phantom-deps): Editor framework; used via dynamic imports in component tree. | ai | |
| phantom-deps | phantom-dep:install | AI (phantom-deps): Utility package; referenced in build/dev workflow. | ai | |
| phantom-deps | phantom-dep:@lexical/react | AI (phantom-deps): Declared dependency; used via re-exports in Lexical ecosystem. | ai | |
| phantom-deps | phantom-dep:yjs | AI (phantom-deps): Declared dependency; used via re-exports in Lexical ecosystem. | ai | |
| phantom-deps | phantom-dep:@lexical/file | AI (phantom-deps): Declared dependency; used via re-exports in Lexical ecosystem. | ai | |
| phantom-deps | phantom-dep:@lexical/markdown | AI (phantom-deps): Declared dependency; used via re-exports in Lexical ecosystem. | ai | |
| phantom-deps | phantom-dep:@layers-app/editor-video | AI (phantom-deps): Same-org scoped dependency; used via re-exports or plugin loader. | ai | |
| phantom-deps | phantom-dep:react-selecto | AI (phantom-deps): Same pattern — peer dep declared in dependencies; not a true phantom. | ai | |
| phantom-deps | phantom-dep:@excalidraw/excalidraw | AI (phantom-deps): Peer dep pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@tanstack/react-query | AI (phantom-deps): Peer dep pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@floating-ui/react | AI (phantom-deps): Peer dep pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:y-websocket | AI (phantom-deps): Declared as both runtime dep and peer dep; phantom-dep heuristic fires on peer deps that aren't directly imported. | ai | |
| phantom-deps | phantom-dep:@lexical/headless | AI (phantom-deps): Peer dep pattern; stable false positive for this package. | ai | |
Versions (showing 8 of 8)
| Version | Deps | Published |
|---|---|---|
| 1.0.3 | 12 / 1 | |
| 0.7.73 | 12 / 66 | |
| 0.7.72 | 12 / 55 | |
| 0.7.71 | 12 / 66 | |
| 0.7.70 | 12 / 66 | |
| 0.7.69 | 12 / 55 | |
| 0.7.18 | 12 / 54 | |
| 0.5.1 | 14 / 53 | |
v1.0.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.73
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.72
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.71
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.70
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.69
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.18
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.