@pega/cosmos-react-demos
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:lib/work/GenAICoach/GenAICoach.mocks.js | AI (source-diff): File is readable mock data for Storybook stories, not obfuscated; long lines are normal for this package's generated output. | ai | |
| source-diff | obfuscated-file:lib/core/IconPicker/IconPicker.mocks.d.ts | AI (source-diff): Long line is a TypeScript union type of icon name strings — standard generated .d.ts output, not obfuscation. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Back-published older version from established Pegasystems monorepo; not indicative of account takeover. | ai | |
| phantom-deps | phantom-dep:polished | AI (phantom-deps): Utility dep used indirectly via styled-components ecosystem in demos package. | ai | |
| phantom-deps | phantom-dep:@types/styled-components | AI (phantom-deps): Type-only dep; not directly imported by convention. | ai | |
| phantom-deps | phantom-dep:@types/react | AI (phantom-deps): Type-only dev dep; framework-scoped, not directly imported by convention. | ai | |
| phantom-deps | phantom-dep:emoji-mart | AI (phantom-deps): Emoji picker used in demos/storybook stories; loaded by config, not direct import. | ai | |
| phantom-deps | phantom-dep:tinymce | AI (phantom-deps): Rich-text editor used in demos/storybook stories; loaded by config, not direct import. | ai | |
| phantom-deps | phantom-dep:@types/dompurify | AI (phantom-deps): Type-only dep; not directly imported by convention. | ai | |
| phantom-deps | phantom-dep:@types/react-dom | AI (phantom-deps): Type-only dep; not directly imported by convention. | ai | |
| phantom-deps | phantom-dep:@types/emoji-mart | AI (phantom-deps): Type-only dep; not directly imported by convention. | ai | |
Versions (showing 19 of 19)
| Version | Deps | Published |
|---|---|---|
| 8.0.1 | 20 / 1 | |
| 7.17.0 | 20 / 1 | |
| 7.16.5 | 20 / 1 | |
| 7.16.4 | 20 / 1 | |
| 7.16.3 | 20 / 1 | |
| 7.16.2 | 20 / 1 | |
| 7.16.1 | 20 / 1 | |
| 7.16.0 | 20 / 1 | |
| 7.15.0 | 20 / 1 | |
| 7.14.1 | 20 / 1 | |
| 7.14.0 | 20 / 1 | |
| 7.13.0 | 20 / 1 | |
| 7.12.0 | 20 / 1 | |
| 7.11.12 | 20 / 1 | |
| 7.11.11 | 20 / 1 | |
| 7.11.10 | 20 / 1 | |
| 6.6.3 | 20 / 1 | |
| 6.6.2 | 20 / 1 | |
| 6.6.1 | 20 / 1 | |
v8.0.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.17.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.16.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.16.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.16.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.16.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.16.1
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.16.0
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.15.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.14.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.14.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.12.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.11.12
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.11.11
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.11.10
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.6.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.6.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.6.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.