@servicetitan/anvil2 — Greenflagged

<h1 align="center"> Anvil2 React Library </h1>

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

st-teamrgdelatojesspkarpoffseanmadidextersealy

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:dist/RichTextEditor-DstVbYch.js	AI (source-diff): Standard Vite-minified bundle; long lines are from bundled deps, not obfuscation. Stable pattern for this package.	ai	2026/05/27
source-diff	obfuscated-file:dist/RichTextEditor-DUz-bi8H.js	AI (source-diff): Standard Vite-minified bundle for RichTextEditor; readable imports confirm legitimate UI component code.	ai	2026/05/06
phantom-deps	phantom-dep:@tiptap/extension-placeholder	AI (phantom-deps): Tiptap extension suite; stable false positive.	ai	2026/04/30
phantom-deps	phantom-dep:@tiptap/extension-text-style	AI (phantom-deps): Tiptap extension suite; stable false positive.	ai	2026/04/30
phantom-deps	phantom-dep:@tiptap/extension-text-align	AI (phantom-deps): Tiptap extension suite; stable false positive.	ai	2026/04/30
phantom-deps	phantom-dep:@tiptap/extension-task-list	AI (phantom-deps): Tiptap extension suite; stable false positive.	ai	2026/04/30
phantom-deps	phantom-dep:@tiptap/extension-task-item	AI (phantom-deps): Tiptap extension suite; stable false positive.	ai	2026/04/30
phantom-deps	phantom-dep:@tiptap/extension-image	AI (phantom-deps): Tiptap extension suite; stable false positive.	ai	2026/04/30
phantom-deps	phantom-dep:@tiptap/starter-kit	AI (phantom-deps): Same as above — tiptap suite bundled together.	ai	2026/04/30
phantom-deps	phantom-dep:@tiptap/pm	AI (phantom-deps): Bundled tiptap deps may be consumed transitively; phantom-dep false positive for this package.	ai	2026/04/30
phantom-deps	phantom-dep:@tiptap/extension-drag-handle-react	AI (phantom-deps): Tiptap extension suite; stable false positive.	ai	2026/04/30
phantom-deps	phantom-dep:flubber	AI (phantom-deps): Bundled UI component library; flubber is a legitimate shape-morphing dep that may be consumed via bundled output rather than direct import. Consistent with other accepted phantom deps in this package.	ai	2026/04/27
phantom-deps	phantom-dep:focus-trap-react	AI (phantom-deps): focus-trap-react is a legitimate runtime dep for a UI component library (modal/dialog focus management); phantom-dep heuristic is a false positive here.	ai	2026/04/27
publish-pattern	dormant-publish	AI (publish-pattern): The gap is between v1.48.0 and v2.6.1 (major version bump). 433 versions in registry confirms active development; dormancy signal is a false positive for a major version transition.	ai	2026/04/27
phantom-deps	phantom-dep:@react-hook/resize-observer	AI (phantom-deps): Phantom dep in config/build context; typical for established UI libraries.	ai	2026/04/26
phantom-deps	phantom-dep:uuid	AI (phantom-deps): Phantom dep in config/build context; typical for established UI libraries.	ai	2026/04/26
phantom-deps	phantom-dep:big.js	AI (phantom-deps): Phantom dep in config/build context; typical for established UI libraries.	ai	2026/04/26
phantom-deps	phantom-dep:motion	AI (phantom-deps): Phantom dep in config/build context; typical for established UI libraries.	ai	2026/04/26
phantom-deps	phantom-dep:classnames	AI (phantom-deps): Phantom dep in config/build context; typical for established UI libraries.	ai	2026/04/26
phantom-deps	phantom-dep:tinycolor2	AI (phantom-deps): Phantom dep in config/build context; typical for established UI libraries.	ai	2026/04/26
phantom-deps	phantom-dep:react-window	AI (phantom-deps): Phantom dep in config/build context; typical for established UI libraries.	ai	2026/04/26
phantom-deps	phantom-dep:@types/big.js	AI (phantom-deps): Framework-scoped package loaded by convention; stable for this package.	ai	2026/04/26
phantom-deps	phantom-dep:@maskito/react	AI (phantom-deps): Phantom dep in config/build context; typical for established UI libraries.	ai	2026/04/26
phantom-deps	phantom-dep:@dnd-kit/sortable	AI (phantom-deps): Phantom dep in config/build context; typical for established UI libraries.	ai	2026/04/26
phantom-deps	phantom-dep:@dnd-kit/utilities	AI (phantom-deps): Phantom dep in config/build context; typical for established UI libraries.	ai	2026/04/26
phantom-deps	phantom-dep:@react-hook/merged-ref	AI (phantom-deps): Phantom dep in config/build context; typical for established UI libraries.	ai	2026/04/26
phantom-deps	phantom-dep:@tanstack/react-virtual	AI (phantom-deps): Phantom dep in config/build context; typical for established UI libraries.	ai	2026/04/26
phantom-deps	phantom-dep:@servicetitan/anvil-fonts	AI (phantom-deps): Same org scope as this package; loaded by convention.	ai	2026/04/26
phantom-deps	phantom-dep:@servicetitan/hammer-icon	AI (phantom-deps): Same org scope as this package; loaded by convention.	ai	2026/04/26
dependencies	unvetted-dep:@types/big.js	AI (dependencies): @types/big.js is a DefinitelyTyped type definition package; no security risk.	ai	2026/04/26
dependencies	unvetted-dep:@servicetitan/hammer-token	AI (dependencies): Same-org package from ServiceTitan; consistent with the design system's token dependency.	ai	2026/04/26
dependencies	unvetted-dep:@servicetitan/hammer-icon	AI (dependencies): Same-org package from ServiceTitan; consistent with the design system's icon dependency.	ai	2026/04/26
dependencies	unvetted-dep:@servicetitan/anvil-fonts	AI (dependencies): Same-org package from ServiceTitan; consistent with the design system's font assets dependency.	ai	2026/04/26
dependencies	unvetted-dep:@react-hook/resize-observer	AI (dependencies): @react-hook/resize-observer is an established React utility hook; no security risk.	ai	2026/04/26
dependencies	unvetted-dep:@react-hook/merged-ref	AI (dependencies): @react-hook/merged-ref is an established React utility hook; no security risk.	ai	2026/04/26
dependencies	unvetted-dep:@maskito/react	AI (dependencies): @maskito/react is a legitimate React binding for the maskito library; no security risk.	ai	2026/04/26
dependencies	unvetted-dep:@maskito/core	AI (dependencies): @maskito/core is a legitimate, well-maintained input masking library; no security risk.	ai	2026/04/26
dependencies	unvetted-dep:@maskito/kit	AI (dependencies): @maskito/kit is a legitimate, well-maintained input masking library; no security risk for this UI component library.	ai	2026/04/26
provenance	no-provenance	AI (provenance): Established 742-day-old package with 433 versions; lack of provenance is common and not a risk signal for this package.	ai	2026/04/25

Versions (showing 50 of 50)

Version	Deps	Published
3.0.7	43 / 42	2026-05-26
3.0.6	43 / 42	2026-05-18
3.0.5	43 / 42	2026-05-13
3.0.4	43 / 42	2026-05-08
3.0.3	43 / 42	2026-04-30
3.0.2	43 / 42	2026-04-28
3.0.1	29 / 41	2026-04-24
3.0.0	29 / 41	2026-04-21
2.9.6	29 / 41	2026-05-07
2.9.5	29 / 41	2026-05-07
2.9.4	29 / 41	2026-04-28
2.9.3	29 / 41	2026-04-25
2.9.2	29 / 41	2026-04-22
2.9.1	29 / 41	2026-04-21
2.9.0	29 / 41	2026-04-17
2.8.0	30 / 42	2026-04-14
2.7.1	29 / 41	2026-04-02
2.7.0	29 / 41	2026-03-30
2.6.1	29 / 40	2026-03-24
2.6.0	29 / 40	2026-03-23
2.5.1	29 / 40	2026-03-13
2.5.0	29 / 40	2026-03-13
2.4.0	29 / 40	2026-03-12
2.3.0	29 / 40	2026-03-10
2.2.0	29 / 39	2026-03-05
2.1.0	29 / 39	2026-02-23
2.0.4	29 / 39	2026-02-17
2.0.3	29 / 39	2026-02-11
2.0.2	29 / 39	2026-02-03
2.0.1	29 / 39	2026-01-28
2.0.0	29 / 39	2026-01-23
1.52.0	29 / 39	2026-01-23
1.51.0	29 / 39	2026-01-21
1.50.2	28 / 39	2026-01-08
1.50.1	28 / 39	2025-12-22
1.50.0	28 / 39	2025-12-19
1.49.7	28 / 39	2025-12-16
1.49.6	28 / 39	2025-12-10
1.49.5	28 / 39	2025-12-09
1.49.4	28 / 39	2025-12-03
1.49.3	28 / 39	2025-11-26
1.49.2	28 / 39	2025-11-25
1.49.1	28 / 39	2025-11-24
1.49.0	28 / 39	2025-11-21
1.48.1	27 / 39	2025-11-14
1.48.0	27 / 39	2025-11-12
1.47.1	27 / 39	2025-11-04
1.47.0	27 / 39	2025-11-04
1.46.11	27 / 39	2025-10-30
1.46.10	27 / 39	2025-10-28

v3.0.7

2 findings

HIGH New obfuscated file: dist/RichTextEditor-DstVbYch.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.6

2 findings

HIGH New obfuscated file: dist/RichTextEditor-DstVbYch.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.5

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.3

2 findings

HIGH New obfuscated file: dist/RichTextEditor-DUz-bi8H.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.0.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.9.6

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.9.5

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.9.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.9.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.9.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.9.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.9.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.8.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.7.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.7.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.6.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.6.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.5.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.5.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.4.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.3.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.2.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.1.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.52.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.51.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.50.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.50.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.50.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.49.7

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.49.6

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.49.5

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.49.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.49.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.49.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.49.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.49.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.48.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.48.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.47.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.47.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.46.11

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.46.10

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.