@soybeanjs/ui
SoybeanUI is built on top of SoybeanHeadless, providing a collection of styled components for Vue 3.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/styles/alert.js | AI (source-diff): Minified CSS-in-JS variant definitions; no malicious code, standard build output for this UI library. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 108 new files are style variant modules matching the @soybeanjs/cva refactor; expected for this UI library. | ai | |
| source-diff | obfuscated-file:dist/styles/navigation-menu.js | AI (source-diff): Minified CSS-in-JS variant definitions; standard build output. | ai | |
| source-diff | obfuscated-file:dist/styles/menu.js | AI (source-diff): Minified CSS-in-JS variant definitions; standard build output. | ai | |
| source-diff | obfuscated-file:dist/styles/layout.js | AI (source-diff): Minified CSS-in-JS variant definitions; standard build output. | ai | |
| source-diff | obfuscated-file:dist/styles/combobox.js | AI (source-diff): Minified CSS-in-JS variant definitions; standard build output. | ai | |
| source-diff | obfuscated-file:dist/styles/checkbox.js | AI (source-diff): Minified CSS-in-JS variant definitions; standard build output. | ai | |
| source-diff | obfuscated-file:dist/styles/button.js | AI (source-diff): Minified CSS-in-JS variant definitions; standard build output. | ai | |
| source-diff | obfuscated-file:dist/styles/autocomplete.js | AI (source-diff): Minified CSS-in-JS variant definitions; standard build output. | ai | |
| source-diff | obfuscated-file:dist/components/tree-menu/tree-menu-option.js | AI (source-diff): Standard minified Vue component bundle output from tsdown; not obfuscated, just single-line compiled code. | ai | |
| source-diff | obfuscated-file:dist/components/page-tabs/page-tabs.js | AI (source-diff): Standard minified Vue component bundle output from tsdown; not obfuscated, just single-line compiled code. | ai | |
| source-diff | obfuscated-file:dist/components/range-calendar/variants.js | AI (source-diff): Minified tailwind-variants config; fully readable Tailwind CSS class strings, no obfuscation. | ai | |
| source-diff | obfuscated-file:dist/components/calendar/calendar.js | AI (source-diff): Standard minified ESM bundle output from tsdown; readable Vue component code, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/components/month-picker/variants.js | AI (source-diff): Minified tailwind-variants config; fully readable Tailwind CSS class strings, no obfuscation. | ai | |
| source-diff | obfuscated-file:dist/components/month-range-picker/variants.js | AI (source-diff): Minified tailwind-variants config; fully readable Tailwind CSS class strings, no obfuscation. | ai | |
| source-diff | obfuscated-file:dist/components/year-picker/variants.js | AI (source-diff): Minified tailwind-variants config; fully readable Tailwind CSS class strings, no obfuscation. | ai | |
| source-diff | obfuscated-file:dist/components/year-range-picker/variants.js | AI (source-diff): Minified tailwind-variants config; fully readable Tailwind CSS class strings, no obfuscation. | ai | |
| dependencies | unvetted-dep:@soybeanjs/hooks | AI (dependencies): Same-org dependency from the soybeanjs ecosystem; consistent across all versions. | ai | |
| dependencies | unvetted-dep:@soybeanjs/utils | AI (dependencies): Same-org dependency from the soybeanjs ecosystem; consistent across all versions. | ai | |
| dependencies | unvetted-dep:@soybeanjs/colord | AI (dependencies): Same-org dependency from the soybeanjs ecosystem; consistent across all versions. | ai | |
| dependencies | unvetted-dep:@soybeanjs/shadcn-theme | AI (dependencies): Same-org dependency from the soybeanjs ecosystem; consistent across all versions. | ai | |
| phantom-deps | phantom-dep:@soybeanjs/colord | AI (phantom-deps): Same-org package; likely re-exported or used indirectly through other soybeanjs deps rather than directly imported. | ai | |
| phantom-deps | phantom-dep:@vueuse/core | AI (phantom-deps): Vue composables dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:valibot | AI (phantom-deps): Form validation peer dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:fuse.js | AI (phantom-deps): Search utility dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:clsx | AI (phantom-deps): Utility dep referenced in config; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@formkit/auto-animate | AI (phantom-deps): Animation dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:zod | AI (phantom-deps): Peer/optional dependency pattern for form validation; stable for this UI library. | ai | |
| typosquat | typosquat.levenshtein:yup | AI (typosquat): Scoped package @soybeanjs/ui; not a typosquat of yup. | ai | |
| typosquat | typosquat.levenshtein:uuid | AI (typosquat): Scoped package @soybeanjs/ui; not a typosquat of uuid. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package @soybeanjs/ui; not a typosquat of joi. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): Scoped package @soybeanjs/ui; not a typosquat of qs. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped package @soybeanjs/ui; not a typosquat of pg. | ai | |
| phantom-deps | phantom-dep:@soybeanjs/utils | AI (phantom-deps): Same-org dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:tailwind-merge | AI (phantom-deps): CSS utility dep; stable false positive for this package. | ai |
Versions (showing 51 of 83)
| Version | Deps | Published |
|---|---|---|
| 0.17.0 | 14 / 32 | |
| 0.16.0 | 14 / 32 | |
| 0.15.5 | 14 / 32 | |
| 0.15.3 | 14 / 32 | |
| 0.15.1 | 14 / 32 | |
| 0.11.4 | 11 / 30 | |
| 0.11.3 | 11 / 30 | |
| 0.11.2 | 11 / 30 | |
| 0.11.1 | 11 / 30 | |
| 0.11.0 | 11 / 30 | |
| 0.10.6 | 11 / 30 | |
| 0.10.5 | 11 / 30 | |
| 0.10.3 | 11 / 30 | |
| 0.10.1 | 11 / 30 | |
| 0.10.0 | 11 / 30 | |
| 0.9.4 | 11 / 30 | |
| 0.9.3 | 11 / 30 | |
| 0.9.2 | 11 / 30 | |
| 0.9.1 | 11 / 29 | |
| 0.7.1 | 11 / 27 | |
| 0.7.0 | 11 / 27 | |
| 0.6.6 | 11 / 27 | |
| 0.6.5 | 11 / 27 | |
| 0.6.4 | 11 / 27 | |
| 0.6.3 | 11 / 27 | |
| 0.6.1 | 11 / 27 | |
| 0.6.0 | 11 / 27 | |
| 0.5.9 | 11 / 27 | |
| 0.5.8 | 11 / 27 | |
| 0.5.7 | 11 / 27 | |
| 0.5.6 | 11 / 27 | |
| 0.5.5 | 11 / 27 | |
| 0.5.4 | 11 / 27 | |
| 0.5.3 | 11 / 27 | |
| 0.5.2 | 11 / 27 | |
| 0.5.1 | 11 / 27 | |
| 0.5.0 | 11 / 27 | |
| 0.4.6 | 11 / 27 | |
| 0.4.5 | 11 / 27 | |
| 0.4.4 | 11 / 27 | |
| 0.4.3 | 11 / 27 | |
| 0.4.2 | 11 / 27 | |
| 0.4.1 | 11 / 27 | |
| 0.4.0 | 11 / 27 | |
| 0.3.3 | 11 / 25 | |
| 0.3.2 | 11 / 25 | |
| 0.3.1 | 11 / 25 | |
| 0.3.0 | 11 / 27 | |
| 0.2.8 | 11 / 27 | |
| 0.2.7 | 11 / 27 | |
| 0.2.6 | 11 / 27 |
v0.17.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.16.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.15.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.15.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.9
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.8
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.8
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.