@openui5/sap.ui.documentation
OpenUI5 UI Library sap.ui.documentation
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-added | AI (maintainer-change): sap-ospo-admin is SAP's open-source program office admin account; expected for this org's packages. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New dep is @openui5/themelib_sap_horizon, a same-org SAP theme library; not a suspicious third-party dep. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New files are images, message bundles, and third-party JS (highlight.js, DataTables) — expected documentation SDK assets. | ai | |
| source-diff | obfuscated-file:src/sap/ui/documentation/sdk/thirdparty/esprima.js | AI (source-diff): esprima.js is a well-known open-source JS parser; minified bundling is expected for this thirdparty dependency. | ai | |
| phantom-deps | phantom-dep:@openui5/themelib_sap_fiori_3 | AI (phantom-deps): Same as above; UI5 runtime loader pattern. | ai | |
| phantom-deps | phantom-dep:@openui5/sap.m | AI (phantom-deps): UI5 modules are loaded via the UI5 runtime loader, not static imports; phantom-dep is a stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@openui5/themelib_sap_horizon | AI (phantom-deps): Same as above; UI5 runtime loader pattern. | ai | |
| phantom-deps | phantom-dep:@openui5/sap.ui.core | AI (phantom-deps): Same as above; UI5 runtime loader pattern. | ai | |
| phantom-deps | phantom-dep:@openui5/sap.ui.layout | AI (phantom-deps): Same as above; UI5 runtime loader pattern. | ai | |
| phantom-deps | phantom-dep:@openui5/themelib_sap_belize | AI (phantom-deps): Same as above; UI5 runtime loader pattern. | ai |
Versions (showing 28 of 28)
| Version | Deps | Published |
|---|---|---|
| 1.148.0 | 6 / 0 | |
| 1.147.1 | 6 / 0 | |
| 1.147.0 | 6 / 0 | |
| 1.145.3 | 6 / 0 | |
| 1.145.2 | 6 / 0 | |
| 1.145.1 | 6 / 0 | |
| 1.142.9 | 6 / 0 | |
| 1.142.8 | 6 / 0 | |
| 1.142.7 | 6 / 0 | |
| 1.136.17 | 6 / 0 | |
| 1.136.16 | 6 / 0 | |
| 1.136.15 | 6 / 0 | |
| 1.120.45 | 6 / 0 | |
| 1.120.44 | 6 / 0 | |
| 1.120.43 | 6 / 0 | |
| 1.108.51 | 5 / 0 | |
| 1.108.50 | 5 / 0 | |
| 1.96.46 | 5 / 0 | |
| 1.96.45 | 5 / 0 | |
| 1.84.56 | 5 / 0 | |
| 1.84.55 | 5 / 0 | |
| 1.71.78 | 3 / 0 | |
| 1.71.77 | 3 / 0 | |
| 1.71.76 | 3 / 0 | |
| 1.71.75 | 3 / 0 | |
| 1.71.74 | 3 / 0 | |
| 1.71.73 | 3 / 0 | |
| 1.71.72 | 3 / 0 |
v1.148.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.147.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.145.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.145.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.145.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.142.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.142.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.142.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.136.17
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.136.16
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.136.15
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.120.45
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.120.44
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.120.43
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.108.51
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.108.50
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.96.46
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.96.45
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.84.56
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.84.55
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.71.78
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.71.77
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.71.76
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.71.75
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.71.74
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.71.73
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.71.72
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.