@quadrel-enterprise-ui/framework
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:ngx-editor | AI (dependencies): ngx-editor is a well-known Angular rich-text editor; stable legitimate dependency for this UI framework package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Large Angular UI library; many new source files expected across version bumps. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Enterprise framework package with 161 versions and a real repo; missing description is a style issue, not a risk signal. | ai | |
| provenance | no-provenance | AI (provenance): Published via GitHub Actions CI; no provenance attestation but consistent with the package's established publishing pattern. | ai | |
| phantom-deps | phantom-dep:event-source-polyfill | AI (phantom-deps): event-source-polyfill referenced in config files; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a known Angular/TypeScript implicit runtime dep; phantom-dep false positive for this package. | ai | |
| phantom-deps | phantom-dep:@oblique/service-navigation-web-component | AI (phantom-deps): Web component dep referenced in config; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:uuid | AI (phantom-deps): uuid referenced in config/build files; stable false positive for this Angular framework package. | ai | |
| phantom-deps | phantom-dep:lodash | AI (phantom-deps): lodash referenced in config files; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:deep-object-diff | AI (phantom-deps): deep-object-diff referenced in config files; stable false positive for this package. | ai | |
Versions (showing 13 of 13)
| Version | Deps | Published |
|---|---|---|
| 20.15.1 | 8 / 0 | |
| 20.15.0 | 8 / 0 | |
| 20.14.0 | 8 / 0 | |
| 20.13.0 | 8 / 0 | |
| 20.12.0 | 8 / 0 | |
| 20.11.1 | 8 / 0 | |
| 20.10.1 | 8 / 0 | |
| 20.10.0 | 8 / 0 | |
| 20.9.0 | 8 / 0 | |
| 20.7.0 | 8 / 0 | |
| 19.14.0 | 7 / 0 | |
| 19.13.0 | 7 / 0 | |
| 19.12.2 | 7 / 0 | |
v20.15.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.15.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v20.14.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.13.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.12.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.10.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v20.10.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v20.9.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v20.7.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v19.14.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.13.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v19.12.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.