@marigold/components
Components for the Marigold Design System
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@react-types/grid | AI (phantom-deps): Type-only package; referenced in config/type declarations, not direct imports. Stable pattern for @react-types/* in this package. | ai | |
| phantom-deps | phantom-dep:@react-types/button | AI (phantom-deps): Type-only package; referenced in config/type declarations, not direct imports. Stable pattern for @react-types/* in this package. | ai | |
| dependencies | unvetted-dep:@marigold/types | AI (dependencies): First-party @marigold org dependency; stable across versions of this package. | ai | |
| provenance | no-provenance | AI (provenance): Long-established package with 157 versions; provenance absence is consistent across all prior releases. | ai | |
| phantom-deps | phantom-dep:@react-types/table | AI (phantom-deps): React Aria type-only dependency; stable false positive for this design system package. | ai | |
| phantom-deps | phantom-dep:@react-stately/collections | AI (phantom-deps): React Stately dep used transitively/via types; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@react-stately/data | AI (phantom-deps): React Stately dep used transitively/via types; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@react-stately/tree | AI (phantom-deps): React Stately dep used transitively/via types; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@react-aria/selection | AI (phantom-deps): React Aria dep used transitively/via types; stable false positive for this package. | ai |
Versions (showing 13 of 13)
| Version | Deps | Published |
|---|---|---|
| 17.5.1 | 29 / 7 | |
| 17.5.0 | 28 / 7 | |
| 17.4.0 | 26 / 7 | |
| 17.3.1 | 26 / 7 | |
| 17.3.0 | 26 / 7 | |
| 17.2.1 | 26 / 7 | |
| 17.2.0 | 26 / 7 | |
| 17.1.0 | 26 / 7 | |
| 17.0.1 | 26 / 7 | |
| 17.0.0 | 26 / 7 | |
| 16.1.0 | 24 / 7 | |
| 16.0.1 | 24 / 7 | |
| 16.0.0 | 24 / 7 |
v17.5.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v17.5.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v17.4.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v17.3.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v17.3.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v17.2.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v17.2.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v17.1.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v17.0.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v17.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v16.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v16.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v16.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.