@ngrok/mantle
mantle is ngrok's UI library and design system.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | large-new-source-files | AI (source-diff): Large file count reflects build artifact chunking for a UI library with many components; expected pattern. | ai | |
| source-diff | obfuscated-file:dist/dropdown-menu-DY4w933w.js | AI (source-diff): Standard minified ESM bundle output from tsdown build tool; readable React component code, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/field.js | AI (source-diff): Standard minified ESM bundle output from tsdown build tool; readable React component code, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/resolve-pre-rendered-props-BfWe69-w.js | AI (source-diff): Standard minified ESM bundle output from tsdown build tool; readable utility code, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/select-BBB_e15a.js | AI (source-diff): Standard minified ESM bundle output from tsdown build tool; readable React component code, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/table-CHd39aT-.js | AI (source-diff): Standard minified ESM bundle output from tsdown build tool; readable React component code, not obfuscated. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): 316 versions in registry; active package with SLSA provenance. Dormancy signal is unreliable for this package. | ai | |
| phantom-deps | phantom-dep:prismjs | AI (phantom-deps): prismjs is a legitimate declared dep used via config; phantom-dep heuristic fires on config-only references in this UI library. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-slot | AI (phantom-deps): Radix UI slot is a legitimate declared dep; phantom-dep fires on config-only references in this UI library. | ai | |
| dependencies | unvetted-dep:@radix-ui/react-hover-card | AI (dependencies): Radix UI primitive; consistent with all other @radix-ui/* deps already used by this package. | ai | |
| phantom-deps | phantom-dep:tailwind-merge | AI (phantom-deps): Used in CSS/config context, not direct JS import; stable pattern for this UI library. | ai | |
| phantom-deps | phantom-dep:@uidotdev/usehooks | AI (phantom-deps): Hooks library referenced in config files; stable false positive for this UI library. | ai | |
| phantom-deps | phantom-dep:tiny-invariant | AI (phantom-deps): Referenced in config files; not a direct JS import but legitimately used by this package. | ai | |
| phantom-deps | phantom-dep:tw-animate-css | AI (phantom-deps): CSS animation utility used in config context; phantom-dep false positive for this package. | ai |
Versions (showing 51 of 57)
| Version | Deps | Published |
|---|---|---|
| 0.73.1 | 25 / 19 | |
| 0.73.0 | 25 / 19 | |
| 0.72.0 | 25 / 19 | |
| 0.67.0 | 24 / 19 | |
| 0.65.0 | 25 / 17 | |
| 0.64.3 | 25 / 17 | |
| 0.64.2 | 25 / 17 | |
| 0.64.1 | 25 / 17 | |
| 0.64.0 | 25 / 17 | |
| 0.55.5 | 23 / 18 | |
| 0.55.4 | 23 / 18 | |
| 0.55.3 | 23 / 18 | |
| 0.55.2 | 23 / 18 | |
| 0.55.1 | 23 / 18 | |
| 0.54.3 | 23 / 18 | |
| 0.54.2 | 23 / 18 | |
| 0.54.1 | 23 / 18 | |
| 0.54.0 | 23 / 18 | |
| 0.53.0 | 23 / 18 | |
| 0.52.9 | 23 / 18 | |
| 0.52.8 | 23 / 18 | |
| 0.52.7 | 23 / 18 | |
| 0.52.6 | 23 / 18 | |
| 0.52.5 | 23 / 18 | |
| 0.52.4 | 23 / 18 | |
| 0.52.3 | 23 / 18 | |
| 0.52.2 | 23 / 18 | |
| 0.52.1 | 23 / 18 | |
| 0.52.0 | 23 / 18 | |
| 0.51.3 | 23 / 18 | |
| 0.51.2 | 23 / 18 | |
| 0.51.1 | 23 / 18 | |
| 0.51.0 | 23 / 18 | |
| 0.50.4 | 23 / 18 | |
| 0.50.3 | 23 / 18 | |
| 0.50.2 | 23 / 18 | |
| 0.50.1 | 23 / 18 | |
| 0.50.0 | 23 / 19 | |
| 0.40.1 | 23 / 20 | |
| 0.40.0 | 23 / 21 | |
| 0.32.3 | 23 / 21 | |
| 0.32.2 | 23 / 21 | |
| 0.32.1 | 23 / 21 | |
| 0.32.0 | 23 / 21 | |
| 0.31.6 | 22 / 21 | |
| 0.31.5 | 22 / 22 | |
| 0.31.4 | 22 / 22 | |
| 0.31.3 | 22 / 22 | |
| 0.31.2 | 22 / 22 | |
| 0.31.1 | 22 / 22 | |
| 0.31.0 | 22 / 22 |
v0.73.1
6 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.73.0
6 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.72.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.67.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.65.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.64.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.64.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.64.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.64.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.55.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.55.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.55.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.55.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.55.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.54.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.54.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.54.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.54.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.53.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.52.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.52.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.52.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.52.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.52.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.52.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.52.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.52.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.52.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.52.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.51.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.51.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.51.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.51.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.50.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.50.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.50.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.50.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.50.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.40.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.40.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.32.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.32.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.32.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.32.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.