← Home

@radix-ui/react-tooltip

View docs [here](https://radix-ui.com/primitives/docs/components/tooltip).

23
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

hadihallakchancestricklandmark-workosnpm-workos

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance missing-githead AI (provenance): SLSA provenance present; gitHead removal reflects CI migration, not a supply-chain concern. ai
npm-metadata no-description AI (npm-metadata): Radix UI packages rely on homepage/repo docs; description omission is stable pattern. ai
provenance no-provenance AI (provenance): Radix UI org does not use Sigstore; not a risk for this established publisher. ai
maintainer-change maintainer-removed AI (maintainer-change): Old Radix maintainers rotated out during WorkOS transition. ai
publish-pattern dormant-publish AI (publish-pattern): Monorepo restructure caused version gap; not indicative of takeover. ai
bogus-package bogus-package AI (bogus-package): Radix UI primitives are well-known; sparse README is a style choice. ai
provenance publisher-changed AI (provenance): chancestrickland is the known Radix/WorkOS maintainer; legitimate org transition. ai
maintainer-change maintainer-added AI (maintainer-change): WorkOS acquisition brought new maintainers; stable for this org. ai
dependencies unvetted-dep:@radix-ui/react-popper AI (dependencies): First-party Radix UI sibling package; not a third-party risk. ai

Versions (showing 23 of 23)

Version Deps Published
1.2.12 12 / 7
1.2.11 12 / 7
1.2.10 12 / 7
1.2.9 12 / 7
1.2.8 12 / 9
1.2.7 12 / 9
1.2.6 12 / 9
1.2.5 12 / 9
1.2.4 12 / 9
1.2.3 12 / 9
1.2.2 12 / 9
1.2.1 12 / 9
1.2.0 12 / 8
1.1.8 12 / 8
1.1.7 12 / 6
1.1.6 12 / 0
1.1.5 12 / 0
1.1.4 12 / 0
1.1.3 12 / 0
1.1.2 12 / 0
1.1.1 12 / 0
1.1.0 12 / 0
1.0.7 13 / 0

v1.2.12

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.2.11

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.2.10

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.2.9

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: chancestrickland → GitHub Actions (on 2026-06-06) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-06-06. This could indicate a legitimate maintainer transition or an account compromise.

v1.2.8

2 findings
HIGH Publisher changed: benoitgrelard → chancestrickland (on 2025-08-13) provenance

This version was published by a different npm account than previous versions on 2025-08-13. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.2.7

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.2.6

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: chancestrickland.

v1.2.5

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: chancestrickland.

v1.2.4

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: chancestrickland.

v1.2.3

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: chancestrickland.

v1.2.2

2 findings
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: benoitgrelard → chancestrickland (on 2025-04-18) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-04-18. This could indicate a legitimate maintainer transition or an account compromise.

v1.2.1

2 findings
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: benoitgrelard → chancestrickland (on 2025-04-18) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-04-18. This could indicate a legitimate maintainer transition or an account compromise.

v1.2.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.8

2 findings
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: benoitgrelard → chancestrickland (on 2025-02-05) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-02-05. This could indicate a legitimate maintainer transition or an account compromise.

v1.1.7

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.6

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.5

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.4

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.3

2 findings
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: benoitgrelard → chancestrickland (on 2024-10-01) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2024-10-01. This could indicate a legitimate maintainer transition or an account compromise.

v1.1.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.0

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: benoitgrelard → vladmoroz (on 2024-06-19, known maintainer) provenance

This version was published by a different npm account (vladmoroz) than the most recent previously approved version (benoitgrelard) on 2024-06-19, but vladmoroz is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.