@scalar/components
Scalars component library
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | large-new-source-files | AI (source-diff): 35 new files consistent with component library expansion across 2 minor versions; no obfuscation signals present. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @headlessui/tailwindcss is a legitimate Tailwind plugin from the headlessui org, consistent with new build:styles script. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Same as above — paired add/remove strongly suggests username rename, not account compromise. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): amritk appears to be a rename of amritkahlon; simultaneous add+remove pattern indicates username change, not takeover. | ai | |
| phantom-deps | phantom-dep:pretty-bytes | AI (phantom-deps): Build-time dependency; phantom-dep heuristic is not authoritative for this package. | ai | |
| phantom-deps | phantom-dep:@scalar/use-toasts | AI (phantom-deps): Monorepo internal dependency; same org scope, expected pattern for @scalar/* packages. | ai | |
| phantom-deps | phantom-dep:@vueless/storybook-dark-mode | AI (phantom-deps): Config-file reference; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:@scalar/use-hooks | AI (dependencies): Same org scope (@scalar); sibling package in the monorepo. | ai | |
| dependencies | unvetted-dep:@scalar/themes | AI (dependencies): Same org scope (@scalar); sibling package in the monorepo. | ai | |
| dependencies | unvetted-dep:@scalar/icons | AI (dependencies): Same org scope (@scalar); sibling package in the monorepo. | ai | |
| dependencies | unvetted-dep:cva | AI (dependencies): cva is a well-known class-variance-authority utility; stable dependency for this UI component library. | ai | |
| phantom-deps | phantom-dep:@scalar/themes | AI (phantom-deps): Same-org sibling dep; phantom-dep heuristic is a stable false positive for this monorepo package. | ai | |
| phantom-deps | phantom-dep:vue-component-type-helpers | AI (phantom-deps): Referenced in config/type files; not a runtime import — stable false positive for this package. | ai |
Versions (showing 23 of 23)
| Version | Deps | Published |
|---|---|---|
| 0.26.1 | 15 / 19 | |
| 0.24.1 | 14 / 19 | |
| 0.24.0 | 14 / 19 | |
| 0.23.0 | 14 / 19 | |
| 0.22.5 | 14 / 19 | |
| 0.22.3 | 14 / 19 | |
| 0.22.2 | 14 / 19 | |
| 0.21.3 | 14 / 19 | |
| 0.21.2 | 15 / 18 | |
| 0.20.10 | 15 / 18 | |
| 0.19.12 | 16 / 19 | |
| 0.17.6 | 16 / 19 | |
| 0.17.1 | 16 / 19 | |
| 0.16.30 | 16 / 19 | |
| 0.16.22 | 17 / 18 | |
| 0.16.15 | 17 / 18 | |
| 0.16.11 | 17 / 24 | |
| 0.16.4 | 17 / 24 | |
| 0.16.3 | 17 / 24 | |
| 0.16.0 | 17 / 24 | |
| 0.14.29 | 17 / 24 | |
| 0.14.17 | 15 / 23 | |
| 0.13.58 | 14 / 26 |
v0.26.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.24.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.24.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.23.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.20.10
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.19.12
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.17.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.17.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.16.30
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.16.22
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.16.15
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.16.11
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.16.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.16.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.16.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.29
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.17
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.58
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.