@patternfly/documentation-framework
A framework to build documentation for PatternFly.
Supply chain provenance
Status for the latest visible version.
Without a SLSA provenance attestation there is no cryptographic link between this tarball and the public source repository and build that produced it, so a registry-side substitution of the tarball cannot be detected from the package alone; the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on. Every entry below was accepted by the automated (AI) reviewer and the When column carries no date, so treat these as machine triage rather than a dated human sign-off.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:webpack-cli | AI (phantom-deps): webpack-cli is declared as a dependency and used in build scripts; phantom-dep heuristic false positive. | ai | |
| dependencies | unvetted-dep:handlebars | AI (dependencies): Pinned templating dep in a doc framework; expected usage pattern. | ai | |
| dependencies | unvetted-dep:html-formatter | AI (dependencies): Pinned utility dep in a doc framework; expected usage pattern. | ai | |
| dependencies | unvetted-dep:hast-to-hyperscript | AI (dependencies): Pinned AST utility dep; standard in MDX/remark doc toolchains. | ai | |
| dependencies | unvetted-dep:@patternfly/ast-helpers | AI (dependencies): First-party PatternFly scoped package; stable for this package. | ai | |
| phantom-deps | phantom-dep:postcss | AI (phantom-deps): Webpack/build config-injected loader; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:process | AI (phantom-deps): Browser polyfill referenced in webpack config; stable false positive. | ai | |
| phantom-deps | phantom-dep:puppeteer | AI (phantom-deps): Used indirectly via puppeteer-cluster for screenshot generation; stable false positive. | ai | |
| phantom-deps | phantom-dep:css-loader | AI (phantom-deps): Webpack loader referenced in config; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:file-saver | AI (phantom-deps): Referenced in config/build context; stable false positive. | ai | |
| phantom-deps | phantom-dep:url-loader | AI (phantom-deps): Webpack loader in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:postcss-loader | AI (phantom-deps): Webpack loader in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:file-loader | AI (phantom-deps): Webpack loader in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:null-loader | AI (phantom-deps): Webpack loader in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:babel-loader | AI (phantom-deps): Webpack loader in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:@babel/preset-env | AI (phantom-deps): Framework-scoped babel preset; stable false positive. | ai | |
| phantom-deps | phantom-dep:webpack-dev-server | AI (phantom-deps): Dev server referenced in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:@babel/preset-react | AI (phantom-deps): Framework-scoped babel preset; stable false positive. | ai | |
| phantom-deps | phantom-dep:@babel/core | AI (phantom-deps): Framework-scoped, loaded by convention via babel-loader; stable false positive. | ai | |
| phantom-deps | phantom-dep:html-formatter | AI (phantom-deps): Referenced in config context; stable false positive. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Used for live component preview rendering in a docs framework — expected pattern, not malicious. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Loads user-configured route files by convention; standard docs framework pattern. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): CLI build tool uses fork() to spawn build processes; expected for a build/docs framework. | ai | |
Versions (showing 11 of 11)
| Version | Deps | Published |
|---|---|---|
| 6.38.5 | 58 / 0 | |
| 6.38.0 | 58 / 0 | |
| 6.37.0 | 58 / 0 | |
| 6.27.2 | 62 / 0 | |
| 6.19.0 | 62 / 0 | |
| 6.17.0 | 62 / 0 | |
| 6.16.0 | 62 / 0 | |
| 6.10.29 | 62 / 0 | |
| 6.10.11 | 62 / 0 | |
| 6.10.3 | 62 / 0 | |
| 6.10.1 | 62 / 0 | |
Per-version findings: every version in the table above (v6.38.5, v6.38.0, v6.37.0, v6.27.2, v6.19.0, v6.17.0, v6.16.0, v6.10.29, v6.10.11, v6.10.3, v6.10.1) carries the same single finding. Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
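As an added example (not code from the scanner that produced this page, nor from PatternFly), here is the check behind the per-version provenance finding above, run over the packument shape that registry.npmjs.org serves for a package name. It assumes that attested versions carry `dist.attestations.url` and `dist.attestations.provenance.predicateType` with a `https://slsa.dev/provenance/...` URI, which is how npm records a provenance attestation; both packuments in the block are constructed, the tarball/integrity values are placeholders, and `example-attested-package` is a hypothetical package used only to show the attested shape.

```javascript
// Added example for this report page; not code from the scanner or from the
// PatternFly project. It reads an npm packument (the JSON that
// registry.npmjs.org serves for a package name) and classifies each version by
// whether its dist block carries a SLSA provenance attestation, which is what
// the "published without Sigstore provenance" finding is checking for.
// Assumed registry shape: dist.attestations.url and
// dist.attestations.provenance.predicateType. Both packuments below are
// CONSTRUCTED sample data.

const SLSA_PREDICATE_PREFIX = 'https://slsa.dev/provenance/';

// A version has usable provenance only when an attestation bundle URL is
// present AND the predicate is a SLSA provenance statement. An in-toto
// statement with some other predicate (an SBOM, say) is not provenance.
function hasSlsaProvenance(versionDoc) {
  const att = versionDoc && versionDoc.dist && versionDoc.dist.attestations;
  if (!att || typeof att.url !== 'string') return false;
  const predicate = att.provenance && att.provenance.predicateType;
  return typeof predicate === 'string' && predicate.startsWith(SLSA_PREDICATE_PREFIX);
}

// One row per published version, mirroring the per-version findings on the page.
function provenanceReport(packument) {
  const versions = (packument && packument.versions) || {};
  return Object.keys(versions).map((version) => {
    const attested = hasSlsaProvenance(versions[version]);
    return {
      version,
      attested,
      finding: attested ? null : 'Package was published without Sigstore provenance.',
    };
  });
}

// Counts for a one-line status header.
function summarize(report) {
  const attested = report.filter((r) => r.attested).length;
  return { total: report.length, attested, unattested: report.length - attested };
}

// Constructed packument for the package on this page. The version numbers are
// the ones the report lists; no version carries dist.attestations, which is
// the condition the page's findings describe.
const REPORTED_VERSIONS = ['6.38.5', '6.38.0', '6.37.0', '6.27.2', '6.19.0', '6.17.0',
  '6.16.0', '6.10.29', '6.10.11', '6.10.3', '6.10.1'];
const UNATTESTED_PACKUMENT = {
  name: '@patternfly/documentation-framework',
  versions: Object.fromEntries(REPORTED_VERSIONS.map((v) => [v, {
    version: v,
    dist: {
      tarball: `https://registry.npmjs.org/@patternfly/documentation-framework/-/documentation-framework-${v}.tgz`,
      integrity: 'sha512-PLACEHOLDER', // placeholder, not the real digest
    },
  }])),
};

// Constructed packument for a hypothetical package published with
// `npm publish --provenance`, showing what the attested shape looks like.
const ATTESTED_PACKUMENT = {
  name: 'example-attested-package', // hypothetical name
  versions: {
    '1.2.3': {
      version: '1.2.3',
      dist: {
        tarball: 'https://registry.npmjs.org/example-attested-package/-/example-attested-package-1.2.3.tgz',
        integrity: 'sha512-PLACEHOLDER',
        attestations: {
          url: 'https://registry.npmjs.org/-/npm/v1/attestations/example-attested-package@1.2.3',
          provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
        },
      },
    },
  },
};

// Stand-alone run: print the same kind of per-version list the page shows.
for (const pkg of [UNATTESTED_PACKUMENT, ATTESTED_PACKUMENT]) {
  const report = provenanceReport(pkg);
  const s = summarize(report);
  console.log(`${pkg.name}: ${s.attested}/${s.total} versions with SLSA provenance`);
  for (const row of report) {
    console.log(`  v${row.version}: ${row.attested ? 'provenance present' : row.finding}`);
  }
}
```

The presence check above is only the first half of verification: `npm audit signatures` performs the live version against the registry and also verifies the registry signatures and the attestation bundle itself. On the publishing side, the finding goes away only when the maintainers publish from a supported CI provider (GitHub Actions or GitLab CI/CD) with `npm publish --provenance`, which needs an OIDC token (`permissions: id-token: write` on GitHub Actions); a tarball uploaded from a developer laptop cannot carry provenance.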