@leaflink/stash-vue
LeafLink's first-party Vue components.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:sortablejs | AI (phantom-deps): Consistent with package pattern of config-referenced deps; not a malware signal. | ai | |
| phantom-deps | phantom-dep:@vueuse/integrations | AI (phantom-deps): Consistent with package pattern of config-referenced deps; not a malware signal. | ai | |
| dependencies | unvetted-dep:vue-inline-svg | AI (dependencies): Known Vue SVG component; expected dep for a UI library. | ai | |
| dependencies | unvetted-dep:vue3-touch-events | AI (dependencies): Known Vue 3 touch events library; expected for a UI component package. | ai | |
| dependencies | unvetted-dep:vue-currency-input | AI (dependencies): Known Vue currency input component; expected dep for a UI library. | ai | |
| dependencies | unvetted-dep:@leaflink/stash-utils | AI (dependencies): Same-org @leaflink monorepo package; first-party dependency. | ai | |
| phantom-deps | phantom-dep:date-fns | AI (phantom-deps): Component library may use date-fns indirectly via config/type exports; stable false positive. | ai | |
| phantom-deps | phantom-dep:dompurify | AI (phantom-deps): UI library with HTML sanitization; likely used conditionally in components. | ai | |
| phantom-deps | phantom-dep:fuzzysort | AI (phantom-deps): Search/filter utility; expected in a UI component library. | ai | |
| dependencies | unvetted-dep:@leaflink/snitch | AI (dependencies): Same-org @leaflink package; first-party dependency. | ai | |
| phantom-deps | phantom-dep:sanitize-html | AI (phantom-deps): HTML sanitization; expected in a UI component library. | ai | |
| phantom-deps | phantom-dep:vue-inline-svg | AI (phantom-deps): SVG component; expected in a UI library with icon assets. | ai | |
| phantom-deps | phantom-dep:vue3-touch-events | AI (phantom-deps): Touch events; expected in a UI component library. | ai | |
| phantom-deps | phantom-dep:@leaflink/stash-theme | AI (phantom-deps): Same-org monorepo package; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@googlemaps/js-api-loader | AI (phantom-deps): Maps integration; expected optional dep in a UI component library. | ai | |
| phantom-deps | phantom-dep:@leaflink/stash-constants | AI (phantom-deps): Same-org monorepo package; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:date-fns-tz | AI (phantom-deps): Timezone-aware date handling; expected companion to date-fns in a UI library. | ai | |
| dependencies | unvetted-dep:vue3-carousel | AI (dependencies): Known Vue 3 carousel library; stable third-party dep for a UI component package. | ai | |
Versions (showing 25 of 25)
| Version | Deps | Published |
|---|---|---|
| 59.0.6 | 21 / 28 | |
| 59.0.5 | 21 / 28 | |
| 59.0.4 | 21 / 31 | |
| 59.0.3 | 21 / 31 | |
| 59.0.2 | 21 / 31 | |
| 59.0.1 | 21 / 31 | |
| 59.0.0 | 21 / 31 | |
| 58.2.5 | 21 / 31 | |
| 58.2.4 | 21 / 31 | |
| 58.2.3 | 21 / 31 | |
| 58.2.2 | 21 / 31 | |
| 58.2.1 | 21 / 31 | |
| 58.2.0 | 21 / 31 | |
| 58.1.0 | 21 / 31 | |
| 58.0.8 | 21 / 31 | |
| 58.0.7 | 21 / 31 | |
| 58.0.6 | 21 / 31 | |
| 58.0.5 | 21 / 31 | |
| 58.0.4 | 21 / 31 | |
| 58.0.3 | 21 / 31 | |
| 58.0.1 | 19 / 31 | |
| 56.0.2 | 19 / 31 | |
| 56.0.0 | 19 / 30 | |
| 55.0.1 | 19 / 30 | |
| 53.6.0 | 19 / 30 | |
v59.0.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v59.0.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v59.0.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v59.0.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v59.0.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v59.0.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v59.0.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v58.2.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v58.2.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v58.2.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v58.2.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v58.2.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v58.2.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v58.1.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v58.0.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v58.0.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v58.0.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v58.0.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v58.0.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v58.0.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v56.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v55.0.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v53.6.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.