@rc-component/dialog
dialog ui component for react
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | source-size-tripled | AI (source-diff): Size increase from accidentally shipping dumi docs build in dist/; not a payload. | ai | |
| source-diff | obfuscated-file:dist/42e76558-async.f2db19d4.js | AI (source-diff): Dumi docs build output (minified React demo chunks), not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/779f92e1-async.d95373de.js | AI (source-diff): Dumi docs build output (minified vendor chunk), not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/9e8e2db3-async.82b5afee.js | AI (source-diff): Dumi docs build output (minified demo chunk), not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/bd24602e-async.050c580d.js | AI (source-diff): Dumi docs build output (minified demo chunk), not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/common-async.d12bbb31.js | AI (source-diff): Dumi docs build output (minified common chunk), not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/f2210531-async.0ea798a7.js | AI (source-diff): Dumi docs build output (minified changelog chunk), not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/fff33d9f-async.4061bf6f.js | AI (source-diff): Dumi docs build output (minified demo chunk), not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/umi.ebc6765d.js | AI (source-diff): Dumi docs build entry point (minified runtime), not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/umi.ebc6765d.js | AI (source-diff): Dumi runtime chunk loader with dynamic import; standard docs build pattern. | ai | |
| source-diff | net-exec-file:dist/vendors-async.js | AI (source-diff): Vendor chunk from dumi doc build; React/ant-design icons bundle, not malicious. | ai | |
| source-diff | obfuscated-file:dist/meta__docs-async.js | AI (source-diff): Dumi documentation build output; bundled CSS module mappings, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/umi.js | AI (source-diff): Dumi/mako documentation site bundle accidentally published; not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/umi.js | AI (source-diff): Dumi doc-site bundle with React hot-reload; network+exec pattern is framework boilerplate. | ai | |
| provenance | no-provenance | AI (provenance): The @rc-component org does not publish with Sigstore provenance; this is consistent across the ecosystem and not a security concern for this package. | ai |
Versions (showing 14 of 14)
| Version | Deps | Published |
|---|---|---|
| 1.10.0 | 4 / 27 | |
| 1.9.0 | 4 / 27 | |
| 1.8.4 | 4 / 27 | |
| 1.8.3 | 4 / 27 | |
| 1.8.2 | 4 / 27 | |
| 1.8.1 | 4 / 27 | |
| 1.8.0 | 4 / 27 | |
| 1.7.0 | 4 / 27 | |
| 1.6.2 | 4 / 27 | |
| 1.6.1 | 4 / 27 | |
| 1.6.0 | 4 / 27 | |
| 1.5.1 | 4 / 27 | |
| 1.0.1 | 5 / 34 | |
| 1.0.0 | 5 / 34 |
v1.10.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.1
10 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.0
6 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zombiej) than the most recent previously approved version (afc163) on 2026-01-05, but zombiej is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.7.0
6 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zombiej) than the most recent previously approved version (afc163) on 2025-12-24, but zombiej is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.6.2
10 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.1
6 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zombiej) than the most recent previously approved version (afc163) on 2025-12-09, but zombiej is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.6.0
6 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zombiej) than the most recent previously approved version (afc163) on 2025-12-09, but zombiej is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.5.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.