@openedx/paragon
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): SLSA provenance attestation via Sigstore confirms CI/CD publish; no material changes in diff; established package with strong ecosystem trust. | ai | |
| dependencies | unvetted-dep:mailto-link | AI (dependencies): Small utility dep appropriate for a UI component library; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:postcss-map | AI (dependencies): PostCSS plugin used in build tooling; low-risk, stable pattern. | ai | |
| dependencies | unvetted-dep:postcss-minify | AI (dependencies): PostCSS minification plugin; build tooling, low-risk. | ai | |
| dependencies | unvetted-dep:email-prop-type | AI (dependencies): React prop-type validator; small, purpose-appropriate dep for a UI library. | ai | |
| phantom-deps | phantom-dep:log-update | AI (phantom-deps): log-update used in CLI tooling scripts; stable FP. | ai | |
| phantom-deps | phantom-dep:postcss-map | AI (phantom-deps): postcss-map used via PostCSS config, not direct JS import; stable FP. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process usage is in test files only, not runtime code; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:uncontrollable | AI (phantom-deps): uncontrollable used via re-exports or indirect imports; stable FP for this component library. | ai | |
| phantom-deps | phantom-dep:cli-progress | AI (phantom-deps): cli-progress used in CLI scripts; stable FP. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Large component library with extensive docs; README link density and missing keywords are expected, not spam indicators. | ai | |
| phantom-deps | phantom-dep:bootstrap | AI (phantom-deps): bootstrap is a peer/runtime dep used via SCSS imports and config files, not direct JS imports; stable FP. | ai | |
| phantom-deps | phantom-dep:tabbable | AI (phantom-deps): tabbable is used transitively via react-focus-on; phantom-dep FP for this package. | ai | |
| phantom-deps | phantom-dep:glob | AI (phantom-deps): glob is used in CLI/build scripts referenced in config; stable FP for this package. | ai | |
Versions (showing 8 of 8)
| Version | Deps | Published |
|---|---|---|
| 23.22.0 | 44 / 49 | |
| 23.21.3 | 44 / 49 | |
| 23.21.1 | 44 / 49 | |
| 23.21.0 | 44 / 49 | |
| 23.20.3 | 44 / 51 | |
| 23.20.2 | 44 / 51 | |
| 23.20.1 | 44 / 51 | |
| 23.20.0 | 44 / 51 | |
v23.22.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v23.21.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v23.21.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v23.21.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v23.20.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v23.20.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v23.20.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v23.20.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.