
@reltio/components

16 Versions | License: (no value shown) | Install Scripts: No | Provenance: Missing

Supply chain provenance

Status for the latest visible version.

- SLSA provenance: No
- npm registry signatures: (no status shown)
- gitHead linked: (no status shown)

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

egorshkov, vitaly.gerasev, alexander.leshukov, reltio-ui-coe, manpreet_hayer, andrew.borovin.reltio, amith.ravuru

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
dependencies | unvetted-peer-dep:ui-i18n | AI (dependencies): Internal Reltio peer dep sourced from Bitbucket; stable pattern for this package. | ai |
dependencies | unvetted-peer-dep:react-components | AI (dependencies): Internal Reltio peer dep sourced from Bitbucket; stable pattern for this package. | ai |
dependencies | unvetted-dep:react-mentions | AI (dependencies): Stable UI library dependency; no malware signals; consistent with component library use case. | ai |
publish-pattern | dormant-publish | AI (publish-pattern): High-version-count org package with 14 approved-dep edges; dormancy likely reflects internal release cadence, not takeover. | ai |
dependencies | unvetted-dep:@reltio/mdm-sdk | AI (dependencies): Same org namespace (@reltio); expected internal dependency. | ai |
dependencies | unvetted-dep:@react-sigma/core | AI (dependencies): Known graph visualization library; consistent with package's graph/sigma dependencies. | ai |
provenance | no-provenance | AI (provenance): No provenance across all 1551 versions; org hasn't adopted Sigstore — stable false positive. | ai |
phantom-deps | phantom-dep:react-dnd-html5-backend | AI (phantom-deps): react-dnd-html5-backend is a declared runtime dep used as a backend plugin; it may not be directly imported in analyzed files. | ai |
npm-metadata | no-description | AI (npm-metadata): Consistent across all versions of this org package; not indicative of malicious intent. | ai |
bogus-package | bogus-package | AI (bogus-package): Established org package with 1551 versions; missing metadata is a style issue, not a spam/malware signal. | ai |

Versions (showing 16 of 16)

Version | Deps | Published
1.4.2270 | 35 / 0 |
1.4.2269 | 35 / 0 |
1.4.2268 | 35 / 0 |
1.4.2267 | 35 / 0 |
1.4.2266 | 35 / 0 |
1.4.2265 | 35 / 0 |
1.4.2264 | 35 / 0 |
1.4.2263 | 35 / 0 |
1.4.2261 | 35 / 0 |
1.4.2260 | 35 / 0 |
1.4.2259 | 35 / 0 |
1.4.2258 | 35 / 0 |
1.4.2257 | 35 / 0 |
1.4.2255 | 35 / 0 |
1.4.2254 | 35 / 0 |
1.4.2247 | 35 / 0 |

v1.4.2270

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.2269

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.2268

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.2267

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.2266

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.2265

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.2264

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.2263

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.2261

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.2260

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.2259

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.2258

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.2257

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.2255

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.2254

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.2247

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.