@reference-ui/icons

Generated Material Symbols React components for Reference UI.

Versions: 10
License: MIT
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance | npm registry signatures | No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

peacelove

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/runtime/reference-ui/styled/css/css.js | AI (source-diff): Minified CSS utility map (PandaCSS output); readable CSS property abbreviations, not obfuscated malicious code. | ai | |
| source-diff | obfuscated-file:dist/runtime/reference-ui/styled/jsx/is-valid-prop.js | AI (source-diff): Minified CSS prop list (PandaCSS output); content is CSS property names, not obfuscated malicious code. | ai | |
| source-diff | obfuscated-file:dist/node_modules/@reference-ui/styled/css/css.js | AI (source-diff): Long lines are minified CSS utility property maps from a bundled design-system dependency — no malicious patterns, consistent with @reference-ui/styled build output. | ai | |
| source-diff | obfuscated-file:dist/node_modules/@reference-ui/styled/jsx/is-valid-prop.js | AI (source-diff): Long lines are a serialized JSX prop allowlist from a bundled design-system dependency — no malicious patterns, consistent with @reference-ui/styled build output. | ai | |
| dependencies | unvetted-dep:@material-symbols-svg/react | AI (dependencies): @material-symbols-svg/react is the expected upstream dependency for a Material Symbols icon wrapper library. The dependency is semantically appropriate and stable for this package. | ai | |
| phantom-deps | phantom-dep:@material-symbols-svg/react | AI (phantom-deps): Dependency is used at build time via rollup bundling rather than direct source imports; phantom-dep flag is a false positive for this build pattern. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): Scoped package @reference-ui/icons is an icon library with no relation to the cors HTTP middleware; Levenshtein match is a false positive for this namespace. | ai | |

Versions (showing 10 of 10)

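| Version | Deps | Published |
|---|---|---|
| 0.0.24 | 1 / 8 | |
| 0.0.17 | 1 / 8 | |
| 0.0.16 | 1 / 8 | |
| 0.0.15 | 1 / 8 | |
| 0.0.13 | 1 / 8 | |
| 0.0.12 | 1 / 8 | |
| 0.0.10 | 1 / 8 | |
| 0.0.9 | 1 / 8 | |
| 0.0.7 | 1 / 8 | |
| 0.0.2 | 1 / 9 | |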

v0.0.24

1 finding
[LOW] No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.17

3 findings
[HIGH] New obfuscated file: dist/runtime/reference-ui/styled/css/css.js (source-diff)

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

[HIGH] New obfuscated file: dist/runtime/reference-ui/styled/jsx/is-valid-prop.js (source-diff)

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.16

1 finding
[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.15

1 finding
[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.13

1 finding
[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.12

1 finding
[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.10

1 finding
[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.9

3 findings
[HIGH] New obfuscated file: dist/node_modules/@reference-ui/styled/css/css.js (source-diff)

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

[HIGH] New obfuscated file: dist/node_modules/@reference-ui/styled/jsx/is-valid-prop.js (source-diff)

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.7

3 findings
[HIGH] New obfuscated file: dist/node_modules/@reference-ui/styled/css/css.js (source-diff)

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

[HIGH] New obfuscated file: dist/node_modules/@reference-ui/styled/jsx/is-valid-prop.js (source-diff)

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.2

1 finding
[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.