@nocobase/client


Versions: 34
License: Apache-2.0
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance | npm registry signatures | gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

chenosjiannlu

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| license | copyleft-license:AGPL-3.0 | AI (license): AGPL-3.0 is declared and consistent across versions; users are aware of copyleft terms. | ai | |
| dependencies | unvetted-dep:@antv/g2plot | AI (dependencies): @antv/g2plot is AntV's charting library; appropriate for a no-code platform with data visualization. | ai | |
| dependencies | unvetted-dep:react-to-print | AI (dependencies): react-to-print is a standard print utility for React; appropriate for this package. | ai | |
| dependencies | unvetted-dep:tabulator-tables | AI (dependencies): tabulator-tables is a well-known interactive table library; appropriate for a no-code data platform. | ai | |
| dependencies | unvetted-dep:react-beautiful-dnd | AI (dependencies): react-beautiful-dnd is a widely-used drag-and-drop library; appropriate for this UI package. | ai | |
| dependencies | unvetted-dep:react-drag-listview | AI (dependencies): react-drag-listview is a drag-and-drop list component; appropriate for this package. | ai | |
| dependencies | unvetted-dep:react-image-lightbox | AI (dependencies): react-image-lightbox is a standard image viewer component; appropriate for this package. | ai | |
| dependencies | unvetted-dep:@ant-design/pro-layout | AI (dependencies): @ant-design/pro-layout is an official Ant Design Pro component; appropriate for this package. | ai | |
| dependencies | unvetted-dep:@ahooksjs/use-url-state | AI (dependencies): @ahooksjs/use-url-state is part of the ahooks ecosystem; appropriate for this package. | ai | |
| dependencies | unvetted-dep:@types/tabulator-tables | AI (dependencies): TypeScript type definitions package; no runtime risk. | ai | |
| dependencies | unvetted-dep:markdown-it-highlightjs | AI (dependencies): markdown-it-highlightjs is a syntax highlighting plugin for markdown-it; appropriate for this package. | ai | |
| dependencies | unvetted-dep:use-deep-compare-effect | AI (dependencies): use-deep-compare-effect is a small React hook utility; appropriate for this package. | ai | |
| dependencies | unvetted-dep:quill-image-resize-module-react | AI (dependencies): quill-image-resize-module-react is a Quill editor plugin; appropriate alongside react-quill. | ai | |
| dependencies | unvetted-dep:vditor | AI (dependencies): vditor is a legitimate Markdown editor library; stable dependency for this UI framework package. | ai | |
| dependencies | unvetted-dep:antd-style | AI (dependencies): antd-style is the official CSS-in-JS solution for Ant Design; appropriate for this package. | ai | |
| dependencies | unvetted-dep:mime-match | AI (dependencies): mime-match is a small, well-known MIME type matching utility; no risk for this package. | ai | |
| dependencies | unvetted-dep:markdown-it | AI (dependencies): markdown-it is a widely-used Markdown parser; appropriate for a no-code platform client. | ai | |
| dependencies | unvetted-dep:react-quill | AI (dependencies): react-quill is a standard React rich-text editor wrapper; appropriate for this UI package. | ai | |
| dependencies | unvetted-dep:html5-qrcode | AI (dependencies): html5-qrcode is a legitimate QR code scanning library; appropriate for this package. | ai | |
| dependencies | unvetted-dep:react-iframe | AI (dependencies): react-iframe is a simple React iframe wrapper; appropriate for a no-code platform. | ai | |
| dependencies | unvetted-dep:react-js-cron | AI (dependencies): react-js-cron is a cron expression UI component; appropriate for workflow scheduling features. | ai | |
| phantom-deps | phantom-dep:react-helmet | AI (phantom-deps): Large UI framework with dynamic imports/plugin architecture; phantom dep signals are expected and stable for this package. | ai | |
| phantom-deps | phantom-dep:react-iframe | AI (phantom-deps): Large UI framework with dynamic imports/plugin architecture; phantom dep signals are expected and stable for this package. | ai | |
| phantom-deps | phantom-dep:@formily/grid | AI (phantom-deps): Large UI framework with dynamic imports/plugin architecture; phantom dep signals are expected and stable for this package. | ai | |
| phantom-deps | phantom-dep:react-to-print | AI (phantom-deps): Large UI framework with dynamic imports/plugin architecture; phantom dep signals are expected and stable for this package. | ai | |
| phantom-deps | phantom-dep:react-beautiful-dnd | AI (phantom-deps): Large UI framework with dynamic imports/plugin architecture; phantom dep signals are expected and stable for this package. | ai | |
| phantom-deps | phantom-dep:i18next-http-backend | AI (phantom-deps): Large UI framework with dynamic imports/plugin architecture; phantom dep signals are expected and stable for this package. | ai | |
| phantom-deps | phantom-dep:@ahooksjs/use-url-state | AI (phantom-deps): Large UI framework with dynamic imports/plugin architecture; phantom dep signals are expected and stable for this package. | ai | |
| phantom-deps | phantom-dep:use-deep-compare-effect | AI (phantom-deps): Large UI framework with dynamic imports/plugin architecture; phantom dep signals are expected and stable for this package. | ai | |
| phantom-deps | phantom-dep:@budibase/handlebars-helpers | AI (phantom-deps): Large UI framework with dynamic imports/plugin architecture; phantom dep signals are expected and stable for this package. | ai | |
| provenance | no-provenance | AI (provenance): NocoBase publishes many packages without provenance attestation; this is consistent across their entire package ecosystem and not a risk signal for this publisher. | ai | |
| bogus-package | bogus-package | AI (bogus-package): @nocobase/client is a well-established UI framework package with 1844 days age, 1012 versions, and 97 approved inbound edges. README/metadata signals are false positives for this scoped package. | ai | |

Versions (showing 34 of 34)

Version Deps Published
2.0.56 75 / 7
2.0.55 75 / 7
2.0.54 75 / 7
2.0.53 75 / 7
2.0.52 75 / 7
2.0.51 75 / 7
2.0.50 75 / 7
2.0.49 75 / 7
2.0.48 75 / 7
2.0.47 75 / 7
2.0.46 75 / 7
2.0.45 75 / 7
2.0.44 75 / 7
2.0.43 75 / 7
2.0.37 75 / 7
2.0.30 75 / 7
2.0.28 75 / 7
2.0.27 75 / 7
2.0.26 75 / 7
1.9.63 64 / 7
1.9.57 64 / 7
1.9.41 64 / 7
1.9.9 62 / 7
1.9.8 62 / 7
1.9.7 62 / 7
1.9.6 62 / 7
1.9.5 62 / 7
1.9.4 62 / 7
1.9.3 62 / 7
1.9.2 62 / 7
1.9.1 62 / 7
1.9.0 62 / 7
1.8.33 62 / 7
1.8.32 62 / 7

v2.0.56

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.55

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.54

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.53

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.52

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.51

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.50

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.49

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.48

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.47

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.45

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.44

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.43

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.37

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.30

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.28

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.27

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.26

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.9.63

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.57

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.9.41

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.9.9

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.8

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.7

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.6

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.5

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.4

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.9.3

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.9.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.9.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.9.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.8.33

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.8.32

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.