@openai/apps-sdk-ui
Design system for building apps for ChatGPT with Apps SDK
Versions: 4
License: MIT
Install scripts: No
Provenance: Verified
Supply chain provenance
Status for the latest visible version.
- SLSA provenance attestation
- npm registry signatures
- gitHead linked
Maintainers
- dylan-hurd-openai
- moustafa-openai
- tylersmith-openai
- atty-openai
- tibo-openai
- dkundel-openai
- mbolin-openai
- fouad-openai
- easong-openai
- aibrahim-openai
- apcha-oai
- seratch-openai
- gabor-openai
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Transition from individual publisher to GitHub Actions CI/CD; SLSA provenance confirms legitimate automation. | ai | |
| phantom-deps | phantom-dep:autoprefixer | AI (phantom-deps): autoprefixer is referenced in PostCSS config files; standard pattern for CSS build tooling in a UI library. | ai | |
| phantom-deps | phantom-dep:postcss | AI (phantom-deps): postcss is used in build config files for CSS processing in this UI library; not directly imported in JS but legitimately referenced. | ai | |
| phantom-deps | phantom-dep:zustand | AI (phantom-deps): zustand is a runtime dependency used in config/convention patterns in this UI library; phantom-dep heuristic is a false positive here. | ai | |
| phantom-deps | phantom-dep:recharts | AI (phantom-deps): recharts is a charting library dependency used in this UI design system; phantom-dep heuristic is a false positive. | ai | |
| phantom-deps | phantom-dep:postcss-mixins | AI (phantom-deps): postcss-mixins is a PostCSS plugin referenced in config files; standard build tooling pattern. | ai | |
| phantom-deps | phantom-dep:postcss-nested | AI (phantom-deps): postcss-nested is a PostCSS plugin referenced in config files; standard build tooling pattern. | ai | |
| phantom-deps | phantom-dep:postcss-functions | AI (phantom-deps): postcss-functions is a PostCSS plugin referenced in config files; standard build tooling pattern. | ai | |
| phantom-deps | phantom-dep:@types/react-syntax-highlighter | AI (phantom-deps): @types/react-syntax-highlighter is a TypeScript type package loaded by convention; phantom-dep heuristic is a known false positive for @types/* packages. | ai | |
| provenance | no-provenance | AI (provenance): OpenAI publisher with strong track record; lack of provenance is common and not disqualifying for this established publisher. | ai | |
| phantom-deps | phantom-dep:@tailwindcss/postcss | AI (phantom-deps): @tailwindcss/postcss is referenced in PostCSS config; standard pattern for Tailwind CSS v4 integration. | ai | |
| phantom-deps | phantom-dep:postcss-value-parser | AI (phantom-deps): postcss-value-parser is a PostCSS utility referenced in config; standard build tooling pattern. | ai | |
| phantom-deps | phantom-dep:postcss-selector-parser | AI (phantom-deps): postcss-selector-parser is a PostCSS utility referenced in config; standard build tooling pattern. | ai | |
| phantom-deps | phantom-dep:@types/mdast | AI (phantom-deps): @types/mdast is a TypeScript type package loaded by convention; phantom-dep heuristic is a known false positive for @types/* packages. | ai | |
| dependencies | unvetted-dep:radix-ui | AI (dependencies): radix-ui is a well-known React UI primitives library; its use in a UI design system is expected and benign. | ai | |
| dependencies | unvetted-dep:react-merge-refs | AI (dependencies): react-merge-refs is a small, popular utility for merging React refs; standard dependency for UI component libraries. | ai | |
Versions (showing 4 of 4)
| Version | Deps | Published |
|---|---|---|
| 0.2.2 | 14 / 72 | |
| 0.2.1 | 14 / 72 | |
| 0.2.0 | 26 / 62 | |
| 0.1.0 | 27 / 62 | |
v0.2.2
2 findings
HIGH
Publisher changed: tylersmith-openai → GitHub Actions (on 2026-05-05)
provenance
This version was published by a different npm account than previous versions on 2026-05-05. This could indicate a legitimate maintainer transition or an account compromise.
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.1
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.