@pega/cosmos-react-rte — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

bob-difronzocpmotionssowersbyricmarspega-cosmos

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:@pega/cosmos-react-core	AI (dependencies): Internal Pega monorepo sibling dep; versioned in lockstep with this package across 1281+ releases.	ai	2026/05/27
phantom-deps	phantom-dep:react-dom	AI (phantom-deps): Peer/config-level dep for React component library; stable false positive.	ai	2026/05/01
phantom-deps	phantom-dep:@types/marked	AI (phantom-deps): TypeScript type package; convention-loaded.	ai	2026/05/01
phantom-deps	phantom-dep:@types/react-dom	AI (phantom-deps): TypeScript type package; phantom-dep false positive for type-only deps.	ai	2026/05/01
phantom-deps	phantom-dep:@types/parse5	AI (phantom-deps): TypeScript type package; phantom-dep false positive for type-only deps.	ai	2026/05/01
phantom-deps	phantom-dep:@types/stylis	AI (phantom-deps): TypeScript type package; phantom-dep false positive for type-only deps.	ai	2026/05/01
bogus-package	bogus-package	AI (bogus-package): Internal Pegasystems component library; missing metadata is cosmetic, not indicative of malice.	ai	2026/05/01
phantom-deps	phantom-dep:react-popper	AI (phantom-deps): Referenced in config files per analyzer; stable false positive for this RTE component package.	ai	2026/05/01
phantom-deps	phantom-dep:@popperjs/core	AI (phantom-deps): Referenced in config files per analyzer; stable false positive for this RTE component package.	ai	2026/05/01
phantom-deps	phantom-dep:@types/styled-components	AI (phantom-deps): TypeScript type package; phantom-dep false positive for type-only deps.	ai	2026/05/01
npm-metadata	no-description	AI (npm-metadata): Established internal component library; missing description is a style issue, not a risk signal.	ai	2026/05/01
phantom-deps	phantom-dep:@types/react	AI (phantom-deps): TypeScript type package; phantom-dep false positive for type-only deps.	ai	2026/05/01

Versions (showing 51 of 67)

View all versions

Version	Deps	Published
8.21.7	20 / 5	2026-05-26
8.21.6	20 / 5	2026-05-22
8.21.5	20 / 5	2026-05-19
8.21.4	20 / 5	2026-05-15
8.21.3	20 / 5	2026-05-14
8.21.2	20 / 5	2026-05-13
8.21.1	20 / 5	2026-05-05
8.21.0	20 / 5	2026-04-30
8.20.0	20 / 5	2026-04-30
8.19.0	20 / 5	2026-04-28
8.18.3	20 / 5	2026-04-27
8.18.2	20 / 5	2026-04-27
8.18.1	20 / 5	2026-04-23
8.18.0	20 / 5	2026-04-22
8.17.2	20 / 5	2026-04-20
8.17.1	20 / 5	2026-04-16
8.17.0	20 / 5	2026-04-10
8.16.1	20 / 5	2026-04-08
8.16.0	20 / 5	2026-04-02
8.15.5	20 / 5	2026-03-26
8.15.4	20 / 5	2026-03-25
8.15.3	20 / 5	2026-03-18
8.15.2	20 / 5	2026-03-11
8.15.1	20 / 5	2026-02-18
8.15.0	20 / 5	2026-02-06
8.14.0	20 / 5	2026-02-05
8.13.1	20 / 5	2026-01-28
8.13.0	20 / 5	2026-01-23
8.12.1	20 / 5	2026-01-21
8.12.0	20 / 5	2026-01-12
8.11.0	20 / 5	2025-12-23
8.10.0	20 / 5	2025-12-12
8.9.5	20 / 5	2025-12-04
8.9.4	20 / 5	2025-11-28
8.9.3	20 / 5	2025-11-21
8.9.2	20 / 5	2025-11-21
8.9.1	20 / 5	2025-11-20
8.9.0	20 / 5	2025-11-19
8.8.1	20 / 5	2025-11-17
8.8.0	20 / 5	2025-10-30
7.17.0	21 / 5	2026-06-04
7.16.5	21 / 5	2026-05-29
7.16.4	21 / 5	2026-05-27
7.16.3	21 / 5	2026-05-22
7.16.2	21 / 5	2026-05-22
7.16.1	21 / 5	2026-05-14
7.16.0	21 / 5	2026-05-08
7.15.0	21 / 5	2026-03-23
7.14.1	21 / 5	2026-03-09
7.14.0	21 / 5	2026-02-27
7.13.0	21 / 5	2026-02-21