@m4l/components — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

made4labs

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	new-deps-added	AI (publish-pattern): @m4l/base is a first-party same-org dep; addition is consistent with existing @m4l/* deps in this package.	ai	2026/06/05
semgrep	semgrep:api-obfuscation-reflect	AI (semgrep): Reflect.get used only to read a __version string property; not obfuscation, stable pattern for this package.	ai	2026/05/31
npm-metadata	no-description	AI (npm-metadata): Stable pattern across all versions of this internal package; not a malice signal.	ai	2026/05/22
dependencies	unvetted-dep:react-data-grid	AI (dependencies): react-data-grid beta pinned at a specific version; consistent usage pattern for this package.	ai	2026/05/22
phantom-deps	phantom-dep:@mui/lab	AI (phantom-deps): MUI lab is a peer dep; stable false positive for this package.	ai	2026/05/22
phantom-deps	phantom-dep:react-dom	AI (phantom-deps): react-dom is a standard peer dep for React component libraries.	ai	2026/05/22
phantom-deps	phantom-dep:jwt-decode	AI (phantom-deps): Declared dep for consumers; stable false positive for this package.	ai	2026/05/22
phantom-deps	phantom-dep:atmosphere.js	AI (phantom-deps): Declared dep for consumers; stable false positive for this package.	ai	2026/05/22
phantom-deps	phantom-dep:react-leaflet	AI (phantom-deps): Peer dep for map components; stable false positive.	ai	2026/05/22
phantom-deps	phantom-dep:react-chartjs-2	AI (phantom-deps): Peer dep for chart components; stable false positive.	ai	2026/05/22
phantom-deps	phantom-dep:@googlemaps/js-api-loader	AI (phantom-deps): Peer dep for map components; stable false positive.	ai	2026/05/22
phantom-deps	phantom-dep:leaflet-polylinedecorator	AI (phantom-deps): Peer dep for map components; stable false positive.	ai	2026/05/22
phantom-deps	phantom-dep:storybook-multilevel-sort	AI (phantom-deps): Dev/storybook dep; stable false positive.	ai	2026/05/22
phantom-deps	phantom-dep:react-intersection-observer	AI (phantom-deps): Declared dep for consumers; stable false positive.	ai	2026/05/22
phantom-deps	phantom-dep:react-virtualized-auto-sizer	AI (phantom-deps): Declared dep for consumers; stable false positive.	ai	2026/05/22
phantom-deps	phantom-dep:@geoman-io/leaflet-geoman-free	AI (phantom-deps): Peer dep for map components; stable false positive.	ai	2026/05/22
phantom-deps	phantom-dep:leaflet.markercluster	AI (phantom-deps): Peer dep for map components; stable false positive.	ai	2026/05/22
phantom-deps	phantom-dep:qs	AI (phantom-deps): UI component library legitimately declares peer/optional deps not directly imported in every file.	ai	2026/05/22
phantom-deps	phantom-dep:install	AI (phantom-deps): Same pattern — declared dep for consumers, not a direct import in library source.	ai	2026/05/22
phantom-deps	phantom-dep:leaflet	AI (phantom-deps): Leaflet is a peer dep for map components; stable false positive for this package.	ai	2026/05/22
bogus-package	bogus-package	AI (bogus-package): Internal scoped UI library (@m4l/components); missing metadata is consistent across its 1020 versions, not a spam indicator.	ai	2026/05/21