@smg-automotive/components

SMG Automotive components library

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

smg-automotive-engineering

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	no-provenance	AI (provenance): Long-established package with consistent publish history; lack of Sigstore attestation is a process gap, not a security signal here.	ai	2026/05/21
dependencies	unvetted-dep:@smg-automotive/i18n-pkg	AI (dependencies): Same-org scoped package from a publisher with a clean track record; stable pattern for this library.	ai	2026/05/21
dependencies	unvetted-dep:@smg-automotive/phrase-pkg	AI (dependencies): Same-org scoped package from a publisher with a clean track record; stable pattern for this library.	ai	2026/05/21
phantom-deps	phantom-dep:yargs	AI (phantom-deps): Package ships a CLI bin; yargs is used in the CLI entry point, not necessarily imported in analyzed source files.	ai	2026/05/14
phantom-deps	phantom-dep:fs-extra	AI (phantom-deps): Used in CLI/build tooling scripts; phantom-dep heuristic fires due to config-file references.	ai	2026/05/14
phantom-deps	phantom-dep:framer-motion	AI (phantom-deps): framer-motion is a runtime dep used by components; phantom-dep heuristic fires due to indirect import patterns in a component library.	ai	2026/05/14
phantom-deps	phantom-dep:merge-json-file	AI (phantom-deps): Used in build/CLI tooling; phantom-dep heuristic fires due to config-file references.	ai	2026/05/14
phantom-deps	phantom-dep:@types/fs-extra	AI (phantom-deps): Type-only package; stable false positive for this component library.	ai	2026/05/14
phantom-deps	phantom-dep:globals	AI (phantom-deps): Referenced in ESLint config files; stable false positive for this package.	ai	2026/05/14
phantom-deps	phantom-dep:@emotion/styled	AI (phantom-deps): Chakra UI component library pattern; @emotion/styled is a runtime dep used transitively via Chakra.	ai	2026/05/14
phantom-deps	phantom-dep:@smg-automotive/phrase-pkg	AI (phantom-deps): Same-org package; phantom-dep heuristic fires due to config-file references rather than direct imports.	ai	2026/05/14

Versions (showing 27 of 27)

Version	Deps	Published
25.29.0	18 / 66	2026-06-08
25.28.0	18 / 66	2026-05-28
25.27.0	18 / 66	2026-05-20
25.26.3	18 / 66	2026-05-19
25.26.2	18 / 66	2026-05-13
25.26.1	18 / 66	2026-05-08
25.26.0	18 / 66	2026-05-07
25.25.0	18 / 66	2026-05-07
25.24.0	18 / 66	2026-04-28
25.22.4	18 / 64	2026-04-08
25.21.1	18 / 64	2026-03-23
25.19.1	18 / 64	2026-03-16
25.18.1	18 / 64	2026-03-16
25.18.0	18 / 64	2026-03-09
25.17.1	18 / 64	2026-03-09
25.13.0	18 / 64	2026-02-03
25.12.2	18 / 64	2026-01-27
25.10.4	18 / 64	2026-01-16
25.8.0	18 / 66	2025-11-07
25.4.3	18 / 66	2025-10-22
25.4.0	18 / 66	2025-10-14
25.1.3	18 / 66	2025-10-07
25.1.2	18 / 66	2025-10-07
25.0.5	18 / 66	2025-09-17
25.0.4	18 / 66	2025-09-15
25.0.3	18 / 66	2025-09-10
25.0.0	18 / 66	2025-09-03

v25.29.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v25.28.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v25.27.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.