@soybeanjs/headless
SoybeanHeadless is a collection of unstyled components for Vue 3. It is designed to be lightweight and easy to use.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): @standard-schema/spec is a legitimate, widely-used schema spec package; not a suspicious dependency. | ai | |
| source-diff | obfuscated-file:dist/components/select/select-item-aligned-positioner.js | AI (source-diff): Minified ES module bundle output; code is readable Vue/JS logic, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/components/calendar-range/calendar-range-cell-trigger.js | AI (source-diff): Standard minified Vue component build output; no malicious patterns in samples. | ai | |
| source-diff | obfuscated-file:dist/components/color-picker/color-picker-compact.js | AI (source-diff): Standard minified Vue component build output; no malicious patterns in samples. | ai | |
| source-diff | obfuscated-file:dist/components/calendar-range/calendar-range-root.js | AI (source-diff): Standard minified Vue component build output; no malicious patterns in samples. | ai | |
| source-diff | obfuscated-file:dist/components/calendar-range/calendar-range-compact.js | AI (source-diff): Standard minified Vue component build output; no malicious patterns in samples. | ai | |
| phantom-deps | phantom-dep:embla-carousel-reactive-utils | AI (phantom-deps): Carousel utility dep used via config/re-export pattern consistent with this package's structure. | ai | |
| phantom-deps | phantom-dep:@formkit/auto-animate | AI (phantom-deps): UI component library; deps referenced in config/re-exports, not direct imports — consistent with package pattern. | ai | |
| source-diff | obfuscated-file:dist/components/calendar/calendar-compact.js | AI (source-diff): Standard minified ESM build output for a Vue component library; no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/components/bottom-sheet/bottom-sheet-compact.js | AI (source-diff): Standard minified ESM build output for a Vue component library; no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/components/calendar/calendar-cell-trigger.js | AI (source-diff): Standard minified ESM build output for a Vue component library; no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/components/calendar/calendar-root.js | AI (source-diff): Standard minified ESM build output for a Vue component library; no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/components/bottom-sheet/context.js | AI (source-diff): Standard minified ESM build output for a Vue component library; no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/components/date-field/date-field-root.js | AI (source-diff): Standard minified ESM build output for a Vue component library; no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/components/date-picker/date-picker-root.js | AI (source-diff): Standard minified ESM build output for a Vue component library; no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/components/date-range-field/date-range-field-root.js | AI (source-diff): Standard minified ESM build output for a Vue component library; no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/components/date-range-picker/date-range-picker-root.js | AI (source-diff): Standard minified ESM build output for a Vue component library; no malicious patterns. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Large version jump adding new components; consistent with legitimate library growth. | ai | |
| phantom-deps | phantom-dep:@vueuse/integrations | AI (phantom-deps): Config-referenced dependency; stable pattern for this Vue utility library. | ai | |
| phantom-deps | phantom-dep:@standard-schema/spec | AI (phantom-deps): Config-referenced schema spec; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@internationalized/date | AI (phantom-deps): Config-referenced i18n dependency; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:@soybeanjs/colord | AI (dependencies): Same org scoped package (@soybeanjs); consistent with this package's ecosystem. | ai | |
| dependencies | unvetted-dep:@vueuse/router | AI (dependencies): @vueuse/router is a well-known VueUse ecosystem package; stable false positive for this Vue component library. | ai | |
| phantom-deps | phantom-dep:defu | AI (phantom-deps): Component library utility dep; referenced in config/build, not a direct import pattern. | ai | |
| phantom-deps | phantom-dep:@internationalized/number | AI (phantom-deps): Internationalization dep; config-referenced, stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@vueuse/core | AI (phantom-deps): Core VueUse dep; referenced in config, stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@vueuse/router | AI (phantom-deps): VueUse router dep; referenced in config, stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:aria-hidden | AI (phantom-deps): Accessibility utility; likely used indirectly via component internals. | ai | |
| phantom-deps | phantom-dep:@vue/shared | AI (phantom-deps): Framework-scoped package loaded by convention in Vue component libraries. | ai | |
| phantom-deps | phantom-dep:ohash | AI (phantom-deps): Config-referenced utility; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:klona | AI (phantom-deps): Same pattern — config-referenced utility, stable false positive for this package. | ai | |
Versions (showing 51 of 104)
| Version | Deps | Published |
|---|---|---|
| 0.20.0 | 19 / 9 | |
| 0.19.0 | 19 / 9 | |
| 0.17.0 | 17 / 9 | |
| 0.16.0 | 17 / 9 | |
| 0.15.3 | 17 / 9 | |
| 0.15.2 | 17 / 9 | |
| 0.15.1 | 17 / 9 | |
| 0.13.8 | 15 / 9 | |
| 0.13.7 | 15 / 9 | |
| 0.13.6 | 15 / 9 | |
| 0.13.5 | 15 / 9 | |
| 0.13.4 | 15 / 9 | |
| 0.13.3 | 15 / 9 | |
| 0.13.2 | 15 / 9 | |
| 0.13.1 | 15 / 9 | |
| 0.13.0 | 15 / 9 | |
| 0.12.4 | 15 / 9 | |
| 0.12.3 | 15 / 9 | |
| 0.12.2 | 15 / 9 | |
| 0.12.1 | 15 / 9 | |
| 0.12.0 | 15 / 9 | |
| 0.11.4 | 15 / 9 | |
| 0.11.3 | 15 / 9 | |
| 0.11.2 | 15 / 9 | |
| 0.11.1 | 15 / 9 | |
| 0.11.0 | 15 / 9 | |
| 0.10.6 | 15 / 9 | |
| 0.10.5 | 15 / 9 | |
| 0.10.3 | 15 / 9 | |
| 0.10.1 | 15 / 9 | |
| 0.10.0 | 15 / 9 | |
| 0.9.4 | 15 / 9 | |
| 0.9.3 | 15 / 9 | |
| 0.9.2 | 15 / 9 | |
| 0.9.1 | 15 / 9 | |
| 0.9.0 | 15 / 9 | |
| 0.8.1 | 15 / 9 | |
| 0.8.0 | 15 / 9 | |
| 0.7.1 | 15 / 9 | |
| 0.7.0 | 15 / 9 | |
| 0.6.6 | 15 / 9 | |
| 0.6.5 | 15 / 9 | |
| 0.6.4 | 15 / 9 | |
| 0.6.3 | 15 / 9 | |
| 0.6.2 | 15 / 9 | |
| 0.6.1 | 15 / 9 | |
| 0.6.0 | 15 / 9 | |
| 0.5.9 | 15 / 9 | |
| 0.5.8 | 15 / 9 | |
| 0.5.7 | 15 / 9 | |
| 0.5.6 | 15 / 9 | |
v0.20.0
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.19.0
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.17.0
10 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.16.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.15.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.15.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.8
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.7
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.9
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.8
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.7
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.