@sonamu-kit/react-components
shadcn/ui + tailwindcss + tanstack-router 통합 패키지
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): react-file-icon is a legitimate, established UI library; addition is benign in context of this component package. | ai | |
| provenance | missing-githead | AI (provenance): CI/CD publish environments often omit gitHead; SLSA attestation provides stronger provenance signal. | ai | |
| phantom-deps | phantom-dep:qs | AI (phantom-deps): UI component library; deps used transitively or re-exported, not directly imported in analyzed files. | ai | |
| phantom-deps | phantom-dep:cmdk | AI (phantom-deps): UI component library; deps used transitively or re-exported, not directly imported in analyzed files. | ai | |
| provenance | publisher-changed | AI (provenance): Transition to GitHub Actions CI with SLSA attestation; legitimate automation change for this package. | ai | |
| phantom-deps | phantom-dep:date-fns | AI (phantom-deps): UI component library; deps used transitively or re-exported, not directly imported in analyzed files. | ai | |
| phantom-deps | phantom-dep:tailwind-merge | AI (phantom-deps): UI component library; deps used transitively or re-exported, not directly imported in analyzed files. | ai | |
| phantom-deps | phantom-dep:fast-deep-equal | AI (phantom-deps): UI component library; deps used transitively or re-exported, not directly imported in analyzed files. | ai | |
| phantom-deps | phantom-dep:radashi | AI (phantom-deps): UI component library; deps used transitively or re-exported, not directly imported in analyzed files. | ai | |
| phantom-deps | phantom-dep:@types/qs | AI (phantom-deps): TypeScript type packages are commonly declared without direct imports; no security concern. | ai | |
| phantom-deps | phantom-dep:inflection | AI (phantom-deps): Referenced in config files; common pattern for component libraries that expose utilities to consumers. | ai | |
| dependencies | unvetted-dep:radashi | AI (dependencies): radashi is a legitimate, well-known utility library; its use in a React component library is appropriate and not a security concern. | ai | |
| phantom-deps | phantom-dep:@hookform/resolvers | AI (phantom-deps): Form library helper referenced in config; common pattern for UI component libraries with form support. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-select | AI (phantom-deps): Radix UI component referenced in config files; legitimate pattern for component library configuration. | ai | |
| phantom-deps | phantom-dep:next-themes | AI (phantom-deps): Theme utility referenced in config; common pattern for UI libraries supporting theming. | ai | |
| dependencies | unvetted-dep:@types/qs | AI (dependencies): @types/qs is a standard TypeScript type definition package for qs; no security risk. | ai | |
| dependencies | unvetted-dep:input-otp | AI (dependencies): input-otp is a legitimate React OTP input component; appropriate for a UI component library. | ai | |
| dependencies | unvetted-dep:@radix-ui/react-avatar | AI (dependencies): Radix UI is a well-known, widely-used headless UI library; standard dependency for React component libraries. | ai | |
| dependencies | unvetted-dep:@radix-ui/react-dialog | AI (dependencies): Radix UI is a well-known, widely-used headless UI library; standard dependency for React component libraries. | ai | |
| dependencies | unvetted-dep:@radix-ui/react-select | AI (dependencies): Radix UI is a well-known, widely-used headless UI library; standard dependency for React component libraries. | ai | |
| dependencies | unvetted-dep:@radix-ui/react-tooltip | AI (dependencies): Radix UI is a well-known, widely-used headless UI library; standard dependency for React component libraries. | ai | |
| dependencies | unvetted-dep:@radix-ui/react-hover-card | AI (dependencies): Radix UI is a well-known, widely-used headless UI library; standard dependency for React component libraries. | ai | |
| dependencies | unvetted-dep:@radix-ui/react-dropdown-menu | AI (dependencies): Radix UI is a well-known, widely-used headless UI library; standard dependency for React component libraries. | ai |
Versions (showing 12 of 12)
| Version | Deps | Published |
|---|---|---|
| 0.4.3 | 49 / 24 | |
| 0.4.2 | 48 / 23 | |
| 0.4.1 | 48 / 23 | |
| 0.3.4 | 48 / 23 | |
| 0.3.3 | 48 / 23 | |
| 0.3.1 | 48 / 23 | |
| 0.1.9 | 48 / 17 | |
| 0.1.7 | 48 / 16 | |
| 0.1.5 | 48 / 15 | |
| 0.1.2 | 48 / 15 | |
| 0.1.1 | 48 / 15 | |
| 0.1.0 | 48 / 11 |
v0.4.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.4
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.9
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
This version was published by a different npm account than previous versions on 2026-02-05. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.7
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
This version was published by a different npm account than previous versions on 2026-01-28. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.5
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
This version was published by a different npm account than previous versions on 2026-01-15. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.2
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
This version was published by a different npm account than previous versions on 2025-12-30. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.