@octaviaflow/icons — Greenflagged

Icons for digital and software products using the OctaviaFlow Design System

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

vishal035

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:dist/index.cjs	AI (source-diff): Sample shows readable bundled React/SVG icon code; long lines are from bundled SVG paths, not obfuscation.	ai	2026/05/13
source-diff	obfuscated-file:dist/index.js	AI (source-diff): Same as index.cjs — ESM bundle of icon components, not obfuscated.	ai	2026/05/13
phantom-deps	phantom-dep:clsx	AI (phantom-deps): clsx is a legitimate utility; phantom-dep heuristic fires because it's used in config/build rather than directly imported in reviewed source.	ai	2026/05/13
typosquat	typosquat.levenshtein:cors	AI (typosquat): Scoped design-system icons package; edit-distance match to 'cors' is a heuristic false positive with no semantic similarity.	ai	2026/04/28
phantom-deps	phantom-dep:ora	AI (phantom-deps): ora is a build-time CLI dependency used in tasks scripts; not imported in runtime code.	ai	2026/04/28
phantom-deps	phantom-dep:chalk	AI (phantom-deps): chalk is a build-time CLI dependency used in tasks scripts; not imported in runtime code.	ai	2026/04/28