@planningcenter/tapestry-react

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

jonsuhkeolakylemellandertimmorgandanott

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	no-provenance	AI (provenance): Internal org package; provenance not part of their publish workflow across 173 versions.	ai	2026/05/14
phantom-deps	phantom-dep:@planningcenter/icons	AI (phantom-deps): Same org scope; phantom-dep heuristic false positive.	ai	2026/05/14
phantom-deps	phantom-dep:match-sorter	AI (phantom-deps): Likely re-exported or used indirectly; stable pattern for this component library.	ai	2026/05/14
dependencies	unvetted-dep:@planningcenter/react-beautiful-dnd	AI (dependencies): Same org fork of react-beautiful-dnd; internal dependency, not a third-party risk.	ai	2026/05/14
dependencies	unvetted-dep:focus-options-polyfill	AI (dependencies): Well-known accessibility polyfill; no malicious history.	ai	2026/05/14
dependencies	unvetted-dep:tiny-spring	AI (dependencies): Small animation utility; no known malicious history, stable dep for this package.	ai	2026/05/14
dependencies	unvetted-dep:@planningcenter/icons	AI (dependencies): Same org scope; internal dependency, not a third-party risk.	ai	2026/05/14
license	uncommon-license:UNLICENSED	AI (license): Intentionally proprietary; consistent across all 173 versions of this org package.	ai	2026/05/08
bogus-package	bogus-package	AI (bogus-package): Internal org component library; sparse README and no keywords are expected for a private/scoped package.	ai	2026/05/08
phantom-deps	phantom-dep:@planningcenter/tapestry	AI (phantom-deps): Same-org sibling dep; stable false positive.	ai	2026/05/05
phantom-deps	phantom-dep:mitt	AI (phantom-deps): Large UI component library; deps referenced in config/re-exports are a stable pattern.	ai	2026/05/05
phantom-deps	phantom-dep:popper-max-size-modifier	AI (phantom-deps): Same as above; stable false positive for this package.	ai	2026/05/05
phantom-deps	phantom-dep:lodash	AI (phantom-deps): Same as above; stable false positive for this package.	ai	2026/05/05
phantom-deps	phantom-dep:date-fns	AI (phantom-deps): Same as above; stable false positive for this package.	ai	2026/05/05
phantom-deps	phantom-dep:polished	AI (phantom-deps): Same as above; stable false positive for this package.	ai	2026/05/05
phantom-deps	phantom-dep:mousetrap	AI (phantom-deps): Same as above; stable false positive for this package.	ai	2026/05/05
phantom-deps	phantom-dep:tiny-spring	AI (phantom-deps): Same as above; stable false positive for this package.	ai	2026/05/05
phantom-deps	phantom-dep:react-sticky-box	AI (phantom-deps): Same as above; stable false positive for this package.	ai	2026/05/05
phantom-deps	phantom-dep:@popmotion/popcorn	AI (phantom-deps): Same as above; stable false positive for this package.	ai	2026/05/05
phantom-deps	phantom-dep:@react-hook/window-size	AI (phantom-deps): Same as above; stable false positive for this package.	ai	2026/05/05

Versions (showing 18 of 18)

Version	Deps	Published
4.15.0	20 / 33	2026-05-26
4.14.4	20 / 33	2026-04-30
4.14.3	20 / 33	2026-04-16
4.14.2	20 / 33	2026-04-09
4.14.1	20 / 33	2026-04-02
4.14.0	20 / 33	2026-03-19
4.13.2	20 / 33	2026-02-19
4.13.1	20 / 33	2026-01-22
4.13.0	20 / 33	2025-12-08
4.12.3	20 / 32	2025-11-13
4.12.2	20 / 32	2025-10-28
4.12.1	20 / 32	2025-10-17
4.12.0	20 / 32	2025-09-30
4.11.5	20 / 32	2025-08-06
4.11.4	20 / 32	2025-07-29
4.11.3	20 / 32	2025-06-09
4.11.2	20 / 32	2025-06-02
4.11.1	20 / 32	2025-05-28

v4.15.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.14.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.14.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.14.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.14.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.14.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.13.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.13.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.13.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.12.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.12.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.12.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.12.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.11.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.11.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.11.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.11.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.11.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.