@ohif/ui
A set of React components for Medical Imaging Viewers
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | encoded-string-file:dist/ohif-ui.umd.js | AI (source-diff): Standard UMD bundle; encoded strings are base64 codec and library code, not obfuscated payloads. Stable pattern for this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Established OHIF medical imaging package; missing README/keywords metadata is a known pattern across all versions. | ai | |
| phantom-deps | phantom-dep:react-select | AI (phantom-deps): Config-referenced React component; stable for this UI library. | ai | |
| phantom-deps | phantom-dep:react-window | AI (phantom-deps): Config-referenced React component; stable for this UI library. | ai | |
| phantom-deps | phantom-dep:browser-detect | AI (phantom-deps): Config-referenced utility; stable for this package. | ai | |
| phantom-deps | phantom-dep:lodash.debounce | AI (phantom-deps): Config-referenced utility; stable for this package. | ai | |
| phantom-deps | phantom-dep:react-draggable | AI (phantom-deps): Config-referenced React component; stable for this UI library. | ai | |
| phantom-deps | phantom-dep:lodash.clonedeep | AI (phantom-deps): Config-referenced utility; stable for this package. | ai | |
| phantom-deps | phantom-dep:d3-selection | AI (phantom-deps): Config-referenced d3 module; stable pattern for this charting library. | ai | |
| phantom-deps | phantom-dep:react-test-renderer | AI (phantom-deps): Testing library; stable for this package. | ai | |
| phantom-deps | phantom-dep:react-error-boundary | AI (phantom-deps): Config-referenced React component; stable for this UI library. | ai | |
| phantom-deps | phantom-dep:react-with-direction | AI (phantom-deps): Config-referenced React component; stable for this UI library. | ai | |
| phantom-deps | phantom-dep:react-dnd-html5-backend | AI (phantom-deps): Config-referenced backend; stable for this package. | ai | |
| phantom-deps | phantom-dep:react-outside-click-handler | AI (phantom-deps): Config-referenced React component; stable for this UI library. | ai | |
| phantom-deps | phantom-dep:d3-scale-chromatic | AI (phantom-deps): Config-referenced d3 module; stable pattern for this charting library. | ai | |
| phantom-deps | phantom-dep:lodash.merge | AI (phantom-deps): Config-referenced utility; stable for this package. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): Same pattern. | ai | |
| phantom-deps | phantom-dep:classnames | AI (phantom-deps): Same pattern. | ai | |
| typosquat | typosquat.levenshtein:uuid | AI (typosquat): @ohif/ui is a scoped package; Levenshtein distance from short names is meaningless for scoped packages. | ai | |
| phantom-deps | phantom-dep:react-modal | AI (phantom-deps): Same pattern. | ai | |
| phantom-deps | phantom-dep:react-dates | AI (phantom-deps): Same pattern. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Same — scoped package name, no impersonation possible. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): Same — scoped package name, no impersonation possible. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Same — scoped package name, no impersonation possible. | ai | |
| typosquat | typosquat.levenshtein:yup | AI (typosquat): Same — scoped package name, no impersonation possible. | ai | |
| phantom-deps | phantom-dep:react | AI (phantom-deps): Large UI library; deps referenced in webpack/build config files, not direct imports — stable false positive. | ai | |
| phantom-deps | phantom-dep:moment | AI (phantom-deps): Same pattern — build/config reference, not a phantom dep concern. | ai | |
| phantom-deps | phantom-dep:swiper | AI (phantom-deps): Same pattern. | ai | |
| phantom-deps | phantom-dep:d3-axis | AI (phantom-deps): Same pattern. | ai | |
| phantom-deps | phantom-dep:d3-zoom | AI (phantom-deps): Same pattern. | ai | |
| phantom-deps | phantom-dep:webpack | AI (phantom-deps): webpack is a build tool referenced in build config, not a phantom dep. | ai | |
| phantom-deps | phantom-dep:d3-array | AI (phantom-deps): Same pattern. | ai | |
| phantom-deps | phantom-dep:d3-scale | AI (phantom-deps): Same pattern. | ai | |
| phantom-deps | phantom-dep:d3-shape | AI (phantom-deps): Same pattern. | ai | |
| phantom-deps | phantom-dep:mousetrap | AI (phantom-deps): Same pattern. | ai | |
| phantom-deps | phantom-dep:react-dnd | AI (phantom-deps): Same pattern. | ai | |
Versions (showing 9 of 9)
| Version | Deps | Published |
|---|---|---|
| 3.12.4 | 29 / 9 | |
| 3.12.3 | 29 / 9 | |
| 3.12.2 | 29 / 9 | |
| 3.12.1 | 29 / 9 | |
| 3.12.0 | 30 / 9 | |
| 3.11.1 | 30 / 9 | |
| 3.11.0 | 30 / 18 | |
| 3.10.4 | 30 / 18 | |
| 3.10.2 | 30 / 18 | |
v3.12.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.12.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.12.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.12.1
2 findings: Modified file contains 4 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.11.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.11.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.10.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.10.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.