
@react-pdf/pdfkit

Versions: 3
License: (no value captured)
Install scripts: none
Provenance: verified

Supply chain provenance

Status for the latest visible version:
- SLSA provenance attestation
- npm registry signatures
- gitHead linked (the gitHead recorded in package.json matches the source commit in the provenance)

Maintainers

diegomura

Accepted risks

Findings the reviewer chose to accept rather than block on. The four phantom-dep entries are declared dependencies for which the scanner found no direct import in the package source; each reason attributes the gap to Rollup configuration or bundling at build time rather than to an undeclared or unused dependency.

Source: semgrep | Rule: semgrep:base64-decode | Accepted by: ai | When: (not shown)
  Reason (AI, semgrep): Decodes data URI images for PDF embedding; standard PDF library pattern, not malicious.

Source: phantom-deps | Rule: phantom-dep:vite-compatible-readable-stream | Accepted by: ai | When: (not shown)
  Reason (AI, phantom-deps): Rollup config alias; not a direct import but legitimately used at build time.

Source: phantom-deps | Rule: phantom-dep:browserify-zlib | Accepted by: ai | When: (not shown)
  Reason (AI, phantom-deps): Rollup config alias for the browser bundle; stable false positive for this package.

Source: phantom-deps | Rule: phantom-dep:@babel/runtime | Accepted by: ai | When: (not shown)
  Reason (AI, phantom-deps): Framework-scoped runtime dependency loaded by convention; stable false positive.

Source: phantom-deps | Rule: phantom-dep:@noble/hashes | Accepted by: ai | When: (not shown)
  Reason (AI, phantom-deps): Crypto utility dependency; likely bundled via Rollup rather than directly imported.

Versions (showing 3 of 3)

Version Deps Published
5.1.1 10 / 1
5.1.0 10 / 1
5.0.0 10 / 1

v5.1.1

1 finding
INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with a Sigstore attestation whose predicate type is https://slsa.dev/provenance/v1. This is the strongest supply chain integrity signal available on npm: it binds the published tarball to a specific source commit and CI workflow run, and a consumer can verify it locally with npm audit signatures. It is an integrity signal, not a safety signal: it says where and how the tarball was built, not that the source it was built from is free of malicious code.
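What a consumer should check inside a SLSA v1 provenance statement once the signature has been verified, as an added example that is not code from the page or from the @react-pdf/pdfkit project. The statement, tarball digest, repository, workflow path and gitHead below are constructed placeholders for illustration; the builder id for GitHub-hosted runners and the purl naming of the subject follow the format npm publishes, but treat the specific values as assumptions.

```javascript
// Added example: policy checks over an npm SLSA v1 provenance statement.
// Everything in SAMPLE and EXPECTED is CONSTRUCTED for illustration; none of
// it is the real provenance of @react-pdf/pdfkit.
const STATEMENT_V1 = "https://in-toto.io/Statement/v1";
const SLSA_V1 = "https://slsa.dev/provenance/v1";

// npm names the attested subject with a package URL; a scope's "@" is percent-encoded.
function npmPurl(name, version) {
  return "pkg:npm/" + name.replace(/^@/, "%40") + "@" + version;
}

// expected: { name, version, sha512, repository, builderId, gitHead }
// Returns { ok, problems } so the caller can log every mismatch, not just the first.
function checkProvenance(statement, expected) {
  const problems = [];
  if (statement._type !== STATEMENT_V1) problems.push("unexpected statement type: " + statement._type);
  if (statement.predicateType !== SLSA_V1) problems.push("unexpected predicateType: " + statement.predicateType);

  // 1. The subject must be exactly this package@version, with the sha512 of the
  //    tarball you actually installed (the registry's integrity field).
  const purl = npmPurl(expected.name, expected.version);
  const subject = (statement.subject || []).find((s) => s.name === purl);
  if (!subject) problems.push("no subject for " + purl);
  else if (!subject.digest || subject.digest.sha512 !== expected.sha512) problems.push("tarball digest mismatch for " + purl);

  const pred = statement.predicate || {};
  const def = pred.buildDefinition || {};
  const run = pred.runDetails || {};

  // 2. Built by the builder you trust, not an arbitrary self-hosted runner.
  const builderId = (run.builder && run.builder.id) || "";
  if (builderId !== expected.builderId) problems.push("unexpected builder: " + (builderId || "(none)"));

  // 3. Built from the repository you expect, not a fork with the same package name.
  const wf = (def.externalParameters && def.externalParameters.workflow) || {};
  if (wf.repository !== expected.repository) problems.push("built from " + (wf.repository || "(none)") + ", expected " + expected.repository);

  // 4. The source commit in the provenance must match package.json gitHead
  //    (this is the "gitHead linked" check on the report).
  const deps = def.resolvedDependencies || [];
  const commit = deps.map((d) => d.digest && d.digest.gitCommit).find(Boolean);
  if (commit !== expected.gitHead) problems.push("source commit " + (commit || "(none)") + " does not match gitHead " + expected.gitHead);

  return { ok: problems.length === 0, problems };
}

// Constructed expectations; repository, digest and commit are placeholders.
const EXPECTED = {
  name: "@react-pdf/pdfkit",
  version: "5.1.1",
  sha512: "a".repeat(128), // placeholder for the real tarball sha512 (hex)
  repository: "https://github.com/example-org/example-repo", // hypothetical
  builderId: "https://github.com/actions/runner/github-hosted",
  gitHead: "0123456789abcdef0123456789abcdef01234567", // hypothetical commit
};

// Constructed statement shaped like the one GitHub Actions + npm publish emits.
const SAMPLE = {
  _type: STATEMENT_V1,
  predicateType: SLSA_V1,
  subject: [{ name: npmPurl(EXPECTED.name, EXPECTED.version), digest: { sha512: EXPECTED.sha512 } }],
  predicate: {
    buildDefinition: {
      buildType: "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
      externalParameters: {
        workflow: { ref: "refs/tags/v5.1.1", repository: EXPECTED.repository, path: ".github/workflows/publish.yml" },
      },
      resolvedDependencies: [{ uri: "git+" + EXPECTED.repository + "@refs/tags/v5.1.1", digest: { gitCommit: EXPECTED.gitHead } }],
    },
    runDetails: { builder: { id: EXPECTED.builderId } },
  },
};

// A tampered copy: a different tarball digest, built from a different repository.
function tamperedStatement() {
  const copy = JSON.parse(JSON.stringify(SAMPLE));
  copy.subject[0].digest.sha512 = "b".repeat(128);
  copy.predicate.buildDefinition.externalParameters.workflow.repository = "https://github.com/attacker/fork";
  return copy;
}

console.log("genuine:", checkProvenance(SAMPLE, EXPECTED));
console.log("tampered:", checkProvenance(tamperedStatement(), EXPECTED));
```

These checks sit on top of the cryptographic verification, not in place of it: npm audit signatures checks the registry signature and the Sigstore bundle; the policy layer then asks whether the attested subject, builder, repository and commit are the ones you intended to depend on.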