@sassoftware/va-report-components

The SAS Visual Analytics SDK is a set of JavaScript APIs and web components that enable SAS Visual Analytics report content to be easily embedded in a third-party application or web page.

Versions: 2
License: SEE LICENSE IN LICENSE
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance | npm registry signatures | No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

coalmanjefurbeedevakumaraswamyckedwardsrbtleveybrmorrbjtomlinjolynamtlsmcmtlstgryanauldsaskenjacksonmtlhmomartin-coutts-sasromacftimothy.crider-sasdaarthewsken_sasmtlcmcmtlnshtom-mceachan_sasinst

Keywords

SASViyaVisualAnalyticsVASDKVASDKva-sdkVA-SDKreportcomponent

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
phantom-deps | phantom-dep:zod | AI (phantom-deps): Bundled package; deps compiled into dist artifacts, not directly imported in analyzable source. | ai |
phantom-deps | phantom-dep:rxjs | AI (phantom-deps): Bundled package; deps compiled into dist artifacts, not directly imported in analyzable source. | ai |
phantom-deps | phantom-dep:axios | AI (phantom-deps): Bundled package; deps compiled into dist artifacts, not directly imported in analyzable source. | ai |
phantom-deps | phantom-dep:react | AI (phantom-deps): Bundled package; deps compiled into dist artifacts, not directly imported in analyzable source. | ai |
phantom-deps | phantom-dep:redux | AI (phantom-deps): Bundled package; deps compiled into dist artifacts, not directly imported in analyzable source. | ai |
phantom-deps | phantom-dep:i18next | AI (phantom-deps): Bundled package; deps compiled into dist artifacts, not directly imported in analyzable source. | ai |
phantom-deps | phantom-dep:polished | AI (phantom-deps): Bundled package; deps compiled into dist artifacts, not directly imported in analyzable source. | ai |
phantom-deps | phantom-dep:reselect | AI (phantom-deps): Bundled package; deps compiled into dist artifacts, not directly imported in analyzable source. | ai |
phantom-deps | phantom-dep:cldr-core | AI (phantom-deps): Bundled package; deps compiled into dist artifacts, not directly imported in analyzable source. | ai |
phantom-deps | phantom-dep:react-dnd | AI (phantom-deps): Bundled package; deps compiled into dist artifacts, not directly imported in analyzable source. | ai |
phantom-deps | phantom-dep:react-dom | AI (phantom-deps): Bundled package; deps compiled into dist artifacts, not directly imported in analyzable source. | ai |
phantom-deps | phantom-dep:classnames | AI (phantom-deps): Bundled package; deps compiled into dist artifacts, not directly imported in analyzable source. | ai |
phantom-deps | phantom-dep:memoize-one | AI (phantom-deps): Bundled package; deps compiled into dist artifacts, not directly imported in analyzable source. | ai |
phantom-deps | phantom-dep:react-redux | AI (phantom-deps): Bundled package; deps compiled into dist artifacts, not directly imported in analyzable source. | ai |
phantom-deps | phantom-dep:react-popper | AI (phantom-deps): Bundled package; deps compiled into dist artifacts, not directly imported in analyzable source. | ai |
phantom-deps | phantom-dep:use-memo-one | AI (phantom-deps): Bundled package; deps compiled into dist artifacts, not directly imported in analyzable source. | ai |
phantom-deps | phantom-dep:framer-motion | AI (phantom-deps): Bundled package; deps compiled into dist artifacts, not directly imported in analyzable source. | ai |
phantom-deps | phantom-dep:react-cropper | AI (phantom-deps): Bundled package; deps compiled into dist artifacts, not directly imported in analyzable source. | ai |
phantom-deps | phantom-dep:react-i18next | AI (phantom-deps): Bundled package; deps compiled into dist artifacts, not directly imported in analyzable source. | ai |
phantom-deps | phantom-dep:@popperjs/core | AI (phantom-deps): Bundled package; deps compiled into dist artifacts, not directly imported in analyzable source. | ai |

Versions (showing 2 of 2)

Version | Deps | Published
2.34.0 | 27 / 0 |
2.33.1 | 27 / 0 |

v2.34.0

27 findings
HIGH Phantom dependency: zod phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH Phantom dependency: rxjs phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH Phantom dependency: axios phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH Phantom dependency: react phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH Phantom dependency: redux phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH Phantom dependency: i18next phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH Phantom dependency: polished phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH Phantom dependency: reselect phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH Phantom dependency: cldr-core phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH Phantom dependency: react-dnd phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH Phantom dependency: react-dom phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH Phantom dependency: classnames phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH Phantom dependency: memoize-one phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH Phantom dependency: react-redux phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH Phantom dependency: react-popper phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH Phantom dependency: use-memo-one phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH Phantom dependency: framer-motion phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH Phantom dependency: react-cropper phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH Phantom dependency: react-i18next phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH Phantom dependency: @popperjs/core phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH Phantom dependency: react-focus-lock phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH Phantom dependency: redux-observable phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH Phantom dependency: @tanstack/react-query phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH Phantom dependency: @tanstack/react-virtual phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH Phantom dependency: react-dnd-html5-backend phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH Phantom dependency: @redux-devtools/extension phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.