@primer/react
An implementation of GitHub's Primer Design System using React
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@lit-labs/react | AI (dependencies): Well-known Google/Lit ecosystem package; stable dependency for this design system. | ai | |
| dependencies | unvetted-dep:@primer/behaviors | AI (dependencies): First-party @primer org dependency; consistent with this package's identity. | ai | |
| dependencies | unvetted-dep:@primer/primitives | AI (dependencies): First-party @primer org dependency; consistent with this package's identity. | ai | |
| dependencies | unvetted-dep:@github/mini-throttle | AI (dependencies): First-party @github org utility; consistent with this package's publisher. | ai | |
| dependencies | unvetted-dep:@oddbird/popover-polyfill | AI (dependencies): Known polyfill from OddBird; standard browser compatibility dependency. | ai | |
| dependencies | unvetted-dep:@primer/live-region-element | AI (dependencies): First-party @primer org dependency; consistent with this package's identity. | ai | |
| dependencies | unvetted-dep:@github/relative-time-element | AI (dependencies): First-party @github org web component; consistent with this package's publisher. | ai | |
| dependencies | unvetted-dep:@github/tab-container-element | AI (dependencies): First-party @github org web component; consistent with this package's publisher. | ai | |
| phantom-deps | phantom-dep:@primer/primitives | AI (phantom-deps): Same org scope; likely used in build/config rather than direct import. | ai | |
| phantom-deps | phantom-dep:hsluv | AI (phantom-deps): Listed in package.json dependencies; used in color processing build scripts. | ai | |
| phantom-deps | phantom-dep:react-intersection-observer | AI (phantom-deps): Referenced in config files per finding; stable false positive for this package. | ai | |
Versions (showing 33 of 33)
| Version | Deps | Published |
|---|---|---|
| 38.27.0 | 20 / 88 | |
| 38.26.0 | 20 / 88 | |
| 38.25.0 | 20 / 88 | |
| 38.24.0 | 20 / 88 | |
| 38.23.0 | 20 / 88 | |
| 38.22.0 | 20 / 88 | |
| 38.21.1 | 20 / 88 | |
| 38.21.0 | 20 / 88 | |
| 38.20.0 | 20 / 88 | |
| 38.19.0 | 21 / 88 | |
| 38.18.0 | 21 / 87 | |
| 38.17.0 | 21 / 87 | |
| 38.16.0 | 21 / 87 | |
| 38.15.1 | 20 / 87 | |
| 38.15.0 | 20 / 87 | |
| 38.14.0 | 20 / 87 | |
| 38.13.0 | 19 / 88 | |
| 38.12.0 | 19 / 88 | |
| 38.11.0 | 19 / 88 | |
| 38.10.0 | 19 / 88 | |
| 38.9.0 | 19 / 88 | |
| 38.8.0 | 19 / 88 | |
| 38.7.1 | 19 / 88 | |
| 38.7.0 | 19 / 88 | |
| 38.6.2 | 19 / 88 | |
| 38.6.1 | 19 / 88 | |
| 38.6.0 | 19 / 88 | |
| 38.5.0 | 19 / 92 | |
| 38.4.0 | 19 / 92 | |
| 38.3.0 | 19 / 92 | |
| 38.2.0 | 19 / 91 | |
| 38.1.0 | 19 / 91 | |
| 38.0.0 | 19 / 93 | |
v38.27.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v38.26.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v38.25.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v38.24.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v38.23.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v38.22.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v38.21.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v38.20.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v38.19.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v38.18.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v38.17.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v38.16.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v38.15.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v38.15.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v38.14.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v38.13.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v38.12.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v38.11.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v38.10.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v38.9.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v38.8.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v38.7.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v38.7.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v38.6.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v38.6.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v38.6.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v38.5.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v38.4.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v38.3.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v38.2.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v38.1.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v38.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.