@refinedev/devtools-server
refine devtools offers a set of features from monitoring to quickly prototyping a UI.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:react | AI (phantom-deps): Peer dependency; correctly declared in peerDependencies. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): Peer dependency; correctly declared in peerDependencies. | ai | |
| phantom-deps | phantom-dep:boxen | AI (phantom-deps): Runtime dependency; declared and used in CLI output formatting. | ai | |
| phantom-deps | phantom-dep:body-parser | AI (phantom-deps): Runtime dependency; declared and used in Express server setup. | ai | |
| phantom-deps | phantom-dep:jscodeshift | AI (phantom-deps): Runtime dependency; declared and used for code transformation. | ai | |
| phantom-deps | phantom-dep:error-stack-parser | AI (phantom-deps): Runtime dependency; declared and used for error handling. | ai | |
| phantom-deps | phantom-dep:http-proxy-middleware | AI (phantom-deps): Runtime dependency; declared and used in Express middleware. | ai | |
v2.0.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.