@mesalvo/react-ui
The official React components built for Mesalvo's apps
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/index-1xFv3jlR.js | AI (source-diff): Standard Vite/Rollup minified bundle for a React UI library; not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/index-1xFv3jlR.js | AI (source-diff): Network calls and dynamic code in a React UI bundle are normal (fetch for data, dynamic imports); no dropper pattern present. | ai | |
| source-diff | obfuscated-file:dist/index-Dlpj3-mZ.js | AI (source-diff): Standard Vite-minified React component library bundle; not obfuscation. | ai | |
| source-diff | net-exec-file:dist/index-Dlpj3-mZ.js | AI (source-diff): Network calls and dynamic code in a UI library bundle are expected (fetch for data, lazy/dynamic imports); no dropper pattern. | ai | |
| source-diff | obfuscated-file:dist/index-CPEzDhwP.js | AI (source-diff): Standard Vite bundle output for a React UI library; minification is expected, no actual obfuscation. | ai | |
| source-diff | net-exec-file:dist/index-CPEzDhwP.js | AI (source-diff): Network/exec pattern fires on bundled React UI code; no dropper behavior visible in sample. | ai | |
| source-diff | net-exec-file:dist/index-CbDnvoHb.js | AI (source-diff): Network calls and dynamic code in a React component bundle are expected (fetch, dynamic imports); no dropper pattern present. | ai | |
| source-diff | obfuscated-file:dist/index-CbDnvoHb.js | AI (source-diff): Standard Vite/Rollup minified bundle for a React UI library; not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/index-1OCudQfK.js | AI (source-diff): Network calls and dynamic code in a UI component bundle are expected (fetch for API calls, dynamic imports); no dropper pattern evident. | ai | |
| source-diff | obfuscated-file:dist/index-1OCudQfK.js | AI (source-diff): Standard Vite/Rollup minified bundle for a React UI library; not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/index-a1tACKHw.js | AI (source-diff): Network calls and dynamic code in a React component library bundle are expected (fetch APIs, dynamic imports); no dropper pattern visible in sample. | ai | |
| source-diff | obfuscated-file:dist/index-a1tACKHw.js | AI (source-diff): Standard Vite-bundled React UI library output; minified but not obfuscated, consistent across versions. | ai | |
| source-diff | net-exec-file:dist/index-B8kEMseY.js | AI (source-diff): Network calls and dynamic code in a React component bundle are normal (fetch, dynamic imports); no dropper pattern present. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Large component library with many components; 131 new files consistent with normal growth. | ai | |
| source-diff | obfuscated-file:dist/index-B8kEMseY.js | AI (source-diff): Standard Vite/Rollup minified bundle for a React UI library; not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/index-DwXc5jW1.js | AI (source-diff): Network calls and dynamic patterns are from bundled React/UI library deps, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/index-DwXc5jW1.js | AI (source-diff): Standard Vite-minified React component library bundle; not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/index-CVycdjJg.js | AI (source-diff): Network/exec pattern fires on bundled React component library code; no actual dropper behavior present. | ai | |
| source-diff | obfuscated-file:dist/index-CVycdjJg.js | AI (source-diff): Standard Vite/Rollup minified bundle for a React UI library; not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/index-2nQa2kVb.js | AI (source-diff): Network calls and dynamic patterns are part of normal React UI library bundle, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/index-2nQa2kVb.js | AI (source-diff): Standard Vite-minified React component library bundle; not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/index-CdfKrjtJ.js | AI (source-diff): Network calls and dynamic code in a React UI bundle are expected (fetch for data, dynamic imports); no dropper pattern visible. | ai | |
| source-diff | obfuscated-file:dist/index-CdfKrjtJ.js | AI (source-diff): Standard Vite minified bundle for a React UI library; not malicious obfuscation. | ai | |
| phantom-deps | phantom-dep:remark-gfm | AI (phantom-deps): Bundled into dist; not directly imported at source level. Consistent with this package's bundling approach. | ai | |
| source-diff | obfuscated-file:dist/index-DfBZGThT.js | AI (source-diff): Standard Vite-minified React component bundle; not obfuscated malware. Stable pattern for this package. | ai | |
| source-diff | net-exec-file:dist/index-DfBZGThT.js | AI (source-diff): Network calls and dynamic patterns are from bundled React/UI deps (fetch for data, lazy loading); no dropper behavior evident. | ai | |
| phantom-deps | phantom-dep:@vitejs/plugin-react | AI (phantom-deps): Build tool dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:vite-plugin-css-injected-by-js | AI (phantom-deps): Build tool dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@tailwindcss/vite | AI (phantom-deps): Build tool dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@mesalvo/ts-logic | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:react-icons | AI (phantom-deps): Build/config-referenced dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:dayjs | AI (phantom-deps): Build/config-referenced dep in a UI library; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@mesalvo/api-client | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:tailwind-merge | AI (phantom-deps): Monorepo component library; phantom deps are expected for re-exported utilities. | ai | |
| phantom-deps | phantom-dep:react-markdown | AI (phantom-deps): Monorepo component library; phantom deps are expected for re-exported utilities. | ai | |
| phantom-deps | phantom-dep:@emotion/react | AI (phantom-deps): Monorepo component library; phantom deps are expected for re-exported utilities. | ai | |
| phantom-deps | phantom-dep:framer-motion | AI (phantom-deps): Monorepo component library; phantom deps are expected for re-exported utilities. | ai | |
| phantom-deps | phantom-dep:@tiptap/react | AI (phantom-deps): Monorepo component library; phantom deps are expected for re-exported utilities. | ai | |
| phantom-deps | phantom-dep:@tanstack/react-query | AI (phantom-deps): Monorepo component library; phantom deps are expected for re-exported utilities. | ai | |
| phantom-deps | phantom-dep:@tiptap/extension-text-style | AI (phantom-deps): Monorepo component library; phantom deps are expected for re-exported utilities. | ai | |
| phantom-deps | phantom-dep:autosuggest-highlight | AI (phantom-deps): Monorepo component library; phantom deps are expected for re-exported utilities. | ai | |
| phantom-deps | phantom-dep:es-toolkit | AI (phantom-deps): Monorepo component library; phantom deps are expected for re-exported utilities. | ai | |
| phantom-deps | phantom-dep:@tiptap/starter-kit | AI (phantom-deps): Monorepo component library; phantom deps are expected for re-exported utilities. | ai | |
| phantom-deps | phantom-dep:react-modal-sheet | AI (phantom-deps): Monorepo component library; phantom deps are expected for re-exported utilities. | ai | |
| phantom-deps | phantom-dep:@emotion/styled | AI (phantom-deps): Monorepo component library; phantom deps are expected for re-exported utilities. | ai | |
Versions (showing 51 of 95)
| Version | Deps | Published |
|---|---|---|
| 0.0.38948 | 25 / 42 | |
| 0.0.38887 | 25 / 42 | |
| 0.0.38836 | 25 / 42 | |
| 0.0.38827 | 25 / 42 | |
| 0.0.38731 | 25 / 42 | |
| 0.0.38728 | 25 / 42 | |
| 0.0.38726 | 25 / 42 | |
| 0.0.38708 | 25 / 42 | |
| 0.0.38690 | 25 / 42 | |
| 0.0.38681 | 25 / 42 | |
| 0.0.38675 | 25 / 42 | |
| 0.0.38661 | 25 / 42 | |
| 0.0.38428 | 25 / 42 | |
| 0.0.38417 | 25 / 42 | |
| 0.0.38410 | 25 / 42 | |
| 0.0.38091 | 25 / 42 | |
| 0.0.38087 | 25 / 42 | |
| 0.0.38081 | 25 / 42 | |
| 0.0.37950 | 25 / 42 | |
| 0.0.37946 | 25 / 42 | |
| 0.0.37943 | 25 / 42 | |
| 0.0.37907 | 25 / 42 | |
| 0.0.37884 | 25 / 42 | |
| 0.0.37838 | 25 / 42 | |
| 0.0.37806 | 25 / 42 | |
| 0.0.37674 | 25 / 42 | |
| 0.0.37664 | 25 / 42 | |
| 0.0.37657 | 25 / 42 | |
| 0.0.37479 | 25 / 42 | |
| 0.0.37453 | 25 / 42 | |
| 0.0.37433 | 24 / 42 | |
| 0.0.37217 | 24 / 42 | |
| 0.0.37196 | 24 / 42 | |
| 0.0.37183 | 24 / 42 | |
| 0.0.37166 | 24 / 42 | |
| 0.0.37153 | 24 / 42 | |
| 0.0.37144 | 24 / 42 | |
| 0.0.36853 | 24 / 42 | |
| 0.0.36774 | 24 / 42 | |
| 0.0.36672 | 24 / 42 | |
| 0.0.35718 | 24 / 42 | |
| 0.0.35668 | 24 / 42 | |
| 0.0.35665 | 24 / 42 | |
| 0.0.35647 | 24 / 42 | |
| 0.0.35635 | 24 / 42 | |
| 0.0.35423 | 24 / 42 | |
| 0.0.35418 | 24 / 42 | |
| 0.0.35413 | 24 / 42 | |
| 0.0.35247 | 24 / 42 | |
| 0.0.35203 | 24 / 42 | |
| 0.0.35195 | 24 / 42 | |
v0.0.38948
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.38887
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.38836
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.38827
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.38731
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.38728
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.38726
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.38708
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.38690
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.38681
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.38675
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.38661
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.38428
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.38417
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.38410
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.38091
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.38087
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.38081
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.37950
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.37946
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.37943
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.37907
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.37884
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.37838
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.37806
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.37674
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.37664
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.37657
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.37479
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.37453
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.37433
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.37217
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.37196
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.37183
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.37166
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.37153
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.37144
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.36853
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.36774
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.36672
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.35668
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.35665
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.35647
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.35635
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.35423
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.35413
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.35247
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.35203
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.35195
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.