@rh-support/troubleshoot
Pluggable troubleshoot module
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@ifd-ui/ask-redhat-core | AI (dependencies): Internal Red Hat IFD org dependency; consistent with this package's ecosystem. | ai | |
| dependencies | unvetted-peer-dep:@cee-eng/ui-toolkit | AI (dependencies): Internal Red Hat/CEE peer dep; stable for this package. | ai | |
| dependencies | unvetted-peer-dep:@cee-eng/hydrajs | AI (dependencies): Internal Red Hat/CEE peer dep; stable for this package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Long-lived Red Hat org package; maintainer additions reflect normal team management. | ai | |
| dependencies | unvetted-dep:@cee-eng/ui-toolkit | AI (dependencies): Internal Red Hat/CEE scoped package; consistent with this package's org and stable across versions. | ai | |
| dependencies | unvetted-dep:@cee-eng/hydrajs | AI (dependencies): Internal Red Hat/CEE scoped package; consistent with this package's org and stable across versions. | ai | |
| phantom-deps | phantom-dep:i18next | AI (phantom-deps): i18next is a declared peer/runtime dep; phantom-dep false positive for this package. | ai | |
| phantom-deps | phantom-dep:js-markdown-extra | AI (phantom-deps): Peer dep declared for consumers; not directly imported by this library. | ai | |
| phantom-deps | phantom-dep:@types/react-redux | AI (phantom-deps): Type-only dep; framework-scoped, stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:react-test-renderer | AI (phantom-deps): Peer dep declared for consumers; not directly imported by this library. | ai | |
| phantom-deps | phantom-dep:qs | AI (phantom-deps): Peer dep declared for consumers; not directly imported by this library. | ai | |
| phantom-deps | phantom-dep:@progress/kendo-drawing | AI (phantom-deps): Declared dep used transitively; phantom-dep heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:@progress/kendo-licensing | AI (phantom-deps): Declared dep used transitively; phantom-dep heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:@patternfly/patternfly | AI (phantom-deps): Peer dep declared for consumers; not directly imported by this library. | ai | |
| phantom-deps | phantom-dep:marked | AI (phantom-deps): Peer dep declared for consumers; not directly imported by this library. | ai | |
| phantom-deps | phantom-dep:timers | AI (phantom-deps): Declared dep used transitively; phantom-dep heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:history | AI (phantom-deps): Declared dep used transitively; phantom-dep heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:lazysizes | AI (phantom-deps): Peer dep declared for consumers; not directly imported by this library. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): Peer dep declared for consumers; not directly imported by this library. | ai | |
| phantom-deps | phantom-dep:@types/redux | AI (phantom-deps): Type-only dep; framework-scoped, stable false positive for this package. | ai | |
Versions (showing 12 of 12)
| Version | Deps | Published |
|---|---|---|
| 2.6.268 | 40 / 17 | |
| 2.6.251 | 40 / 17 | |
| 2.6.209 | 40 / 17 | |
| 2.6.123 | 40 / 17 | |
| 2.6.88 | 40 / 17 | |
| 2.6.83 | 40 / 17 | |
| 2.6.61 | 40 / 19 | |
| 2.6.60 | 40 / 19 | |
| 2.6.55 | 40 / 19 | |
| 2.6.49 | 40 / 19 | |
| 2.6.11 | 39 / 19 | |
| 2.5.45 | 39 / 19 | |
v2.6.268
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (bkale) than the most recent previously approved version (anujsi) on 2026-06-04, but bkale is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v2.6.251
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6.209
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6.123
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.88
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.83
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.61
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6.60
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6.55
2 findings
This version was published by a different npm account than previous versions on 2025-08-21. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.49
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6.11
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.5.45
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.