@roofmaxx/form
This document covers both **how to install and configure** the form on any website and **how the form works internally** in full technical detail.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| typosquat | typosquat.levenshtein:cors | AI (typosquat): Scoped org package @roofmaxx/form with 99 versions; not a typosquat of cors. | ai | |
| phantom-deps | phantom-dep:react | AI (phantom-deps): Bundled React component library; react consumed at build time, not directly imported in dist. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): Same as react — build-time bundling pattern for this component library. | ai | |
| phantom-deps | phantom-dep:react-use | AI (phantom-deps): Build-time bundling pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:react-imask | AI (phantom-deps): Build-time bundling pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:react-popper | AI (phantom-deps): Build-time bundling pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:react-hook-form | AI (phantom-deps): Build-time bundling pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@headlessui/react | AI (phantom-deps): Build-time bundling pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@tailwindcss/forms | AI (phantom-deps): Build-time bundling pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@popperjs/core | AI (phantom-deps): Build-time bundling pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:ky | AI (phantom-deps): Build-time bundling pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@roofmaxx/types | AI (phantom-deps): Same-org monorepo sibling; build-time type dependency, stable false positive. | ai | |
| phantom-deps | phantom-dep:@roofmaxx/utils | AI (phantom-deps): Same-org monorepo sibling; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@roofmaxx/tsconfig | AI (phantom-deps): Same-org monorepo sibling tsconfig; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@roofmaxx/components | AI (phantom-deps): Same-org monorepo sibling; stable false positive for this package. | ai | |
Versions (showing 7 of 7)
| Version | Deps | Published |
|---|---|---|
| 0.98.0 | 14 / 8 | |
| 0.97.0 | 14 / 8 | |
| 0.96.0 | 14 / 8 | |
| 0.90.0 | 14 / 8 | |
| 0.87.0 | 14 / 8 | |
| 0.84.0 | 14 / 8 | |
| 0.83.0 | 14 / 8 | |
v0.98.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.97.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.96.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.90.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.87.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.84.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.83.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.