@opentiny/tiny-robot
TinyRobot is an AI conversation component library that provides a rich set of AI interaction components to help developers quickly build enterprise-grade AI applications. It is also an intelligent assistant: it supports ordinary AI question answering and can integrate with MCP Servers, so the AI can actually carry out tasks on a user's behalf.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source; the axios compromise (March 2026) relied on exactly this gap. A registry signature alone only attests that the registry served what the publisher uploaded, not where or how the tarball was built.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@opentiny/tiny-robot-svgs | AI (phantom-deps): Same-org dependency; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@opentiny/vue | AI (phantom-deps): Same-org dependency; likely resolved via bundling or peer resolution, not a real phantom dep. | ai | |
| phantom-deps | phantom-dep:@opentiny/vue-icon | AI (phantom-deps): Same-org dependency; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@opentiny/vue-input | AI (phantom-deps): Same-org dependency; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@opentiny/vue-button | AI (phantom-deps): Same-org dependency; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@opentiny/vue-tooltip | AI (phantom-deps): Same-org dependency; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:markdown-it | AI (dependencies): markdown-it is a well-known, widely-used Markdown renderer; expected dependency for a chat UI component. | ai | |
| dependencies | unvetted-dep:@opentiny/vue | AI (dependencies): Same opentiny org; expected peer UI framework dependency for this component package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Metadata gaps are typical of monorepo sub-packages; 117 versions and consistent download history confirm legitimacy. | ai | |
| phantom-deps | phantom-dep:@floating-ui/dom | AI (phantom-deps): @floating-ui/dom is a declared runtime dep used transitively in the component library; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:jsonrepair | AI (phantom-deps): jsonrepair is a runtime dep bundled into dist; phantom-dep heuristic fires because it's not directly imported at the package root. | ai | |
Versions (showing 8 of 8)
| Version | Deps | Published |
|---|---|---|
| 0.4.1 | 14 / 14 | |
| 0.4.0 | 14 / 14 | |
| 0.3.3 | 5 / 12 | |
| 0.3.2 | 5 / 12 | |
| 0.3.1 | 5 / 12 | |
| 0.3.0 | 5 / 12 | |
| 0.2.15 | 8 / 13 | |
| 0.2.14 | 8 / 13 | |
v0.4.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.3, v0.3.2, v0.3.1, v0.3.0, v0.2.15, v0.2.14
1 finding each: the same missing Sigstore provenance finding as v0.4.0.