@sps-woodland/rich-text-editor

SPS Design System rich text editor component

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

spsc_cafmacybuanjimthedevknedevspschrisndev

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:lib/index-CrCZYukE.js	AI (source-diff): Vite build output; readable imports confirm legitimate bundled React component, not obfuscation.	ai	2026/06/01
source-diff	obfuscated-file:lib/index-mwtWTZtq.js	AI (source-diff): Vite-hashed bundle output; sample shows plain React component code, not obfuscation. Pattern recurs across versions of this build-tool-based package.	ai	2026/06/01
source-diff	obfuscated-file:lib/index-C9vi4hTb.js	AI (source-diff): Vite build output; minified but not obfuscated — readable imports visible at file head. Stable pattern for this package.	ai	2026/06/01
source-diff	obfuscated-file:lib/index-CWfrZLjh.js	AI (source-diff): Standard Vite build output; long lines are minified bundle, not obfuscation. Stable pattern for this package.	ai	2026/05/31
source-diff	obfuscated-file:lib/index-Dh9i9B_l.js	AI (source-diff): Vite-minified bundle for a React component; consistent pattern across this package's versions.	ai	2026/05/30
source-diff	obfuscated-file:lib/index-C5KKNt05.js	AI (source-diff): Vite build output; minified but readable React component code from the SPS woodland design system.	ai	2026/05/30
source-diff	obfuscated-file:lib/index-_7vZbbBA.js	AI (source-diff): Vite build output; long lines are minified bundle chunks, not obfuscation. Stable pattern for this package.	ai	2026/05/28
source-diff	obfuscated-file:lib/index-CuDgjmya.js	AI (source-diff): Vite-bundled output with readable imports; minified line length, not obfuscation. Stable pattern for this package.	ai	2026/05/28
source-diff	obfuscated-file:lib/index-C5PJE3OS.js	AI (source-diff): Standard Vite minified bundle output; readable imports confirm legitimate build artifact, not obfuscation.	ai	2026/05/28
source-diff	obfuscated-file:lib/index-DEoJY9vf.js	AI (source-diff): Vite build output; minified but readable imports confirm legitimate bundling pattern for this design system package.	ai	2026/05/28
source-diff	obfuscated-file:lib/index-GQbLxiWp.js	AI (source-diff): Standard Vite build output; minified but readable imports confirm legitimate bundling pattern for this package.	ai	2026/05/24
source-diff	obfuscated-file:lib/index-tCCJeGu9.js	AI (source-diff): Vite build output for a React component; minified but readable imports confirm legitimate bundled source.	ai	2026/05/18
phantom-deps	phantom-dep:@spscommerce/i18n	AI (phantom-deps): Internal i18n dependency; used in config, not direct imports.	ai	2026/05/02
phantom-deps	phantom-dep:unist-util-visit	AI (phantom-deps): Remark/rehype pipeline dependencies; used in config, not direct imports.	ai	2026/05/02
phantom-deps	phantom-dep:remark-stringify	AI (phantom-deps): Remark/rehype pipeline dependencies; used in config, not direct imports.	ai	2026/05/02
phantom-deps	phantom-dep:rehype-stringify	AI (phantom-deps): Remark/rehype pipeline dependencies; used in config, not direct imports.	ai	2026/05/02
phantom-deps	phantom-dep:rehype-sanitize	AI (phantom-deps): Remark/rehype pipeline dependencies; used in config, not direct imports.	ai	2026/05/02
phantom-deps	phantom-dep:remark-rehype	AI (phantom-deps): Remark/rehype pipeline dependencies; used in config, not direct imports.	ai	2026/05/02
phantom-deps	phantom-dep:rehype-remark	AI (phantom-deps): Remark/rehype pipeline dependencies; used in config, not direct imports.	ai	2026/05/02
phantom-deps	phantom-dep:rehype-parse	AI (phantom-deps): Remark/rehype pipeline dependencies; used in config, not direct imports.	ai	2026/05/02
phantom-deps	phantom-dep:remark-parse	AI (phantom-deps): Remark/rehype pipeline dependencies; used in config, not direct imports.	ai	2026/05/02

Versions (showing 51 of 96)

View all versions

Version	Deps	Published
8.46.7	10 / 9	2026-05-28
8.46.6	10 / 9	2026-05-27
8.46.5	10 / 9	2026-05-26
8.46.4	10 / 9	2026-05-20
8.46.3	10 / 9	2026-05-20
8.46.2	10 / 9	2026-05-19
8.46.1	10 / 9	2026-05-19
8.46.0	10 / 9	2026-05-18
8.45.8	10 / 9	2026-05-13
8.45.7	10 / 9	2026-05-12
8.45.6	10 / 9	2026-05-11
8.45.5	10 / 9	2026-05-06
8.45.4	10 / 9	2026-04-30
8.45.3	10 / 9	2026-04-30
8.45.2	10 / 9	2026-04-30
8.45.1	10 / 9	2026-04-30
8.45.0	10 / 9	2026-04-29
8.44.1	10 / 9	2026-04-15
8.44.0	10 / 9	2026-04-14
8.43.1	10 / 9	2026-04-07
8.43.0	10 / 9	2026-03-31
8.42.7	10 / 9	2026-03-20
8.42.6	10 / 9	2026-03-20
8.42.5	10 / 9	2026-03-18
8.42.4	10 / 9	2026-03-18
8.42.3	10 / 9	2026-03-18
8.42.2	10 / 9	2026-03-17
8.42.1	10 / 9	2026-03-16
8.42.0	10 / 9	2026-03-16
8.41.4	10 / 9	2026-03-13
8.41.3	10 / 9	2026-03-09
8.41.2	10 / 9	2026-02-27
8.41.1	10 / 9	2026-02-27
8.41.0	10 / 9	2026-02-27
8.40.0	10 / 9	2026-02-26
8.39.0	10 / 9	2026-02-18
8.38.2	10 / 9	2026-02-17
8.38.1	10 / 9	2026-02-16
8.38.0	10 / 9	2026-02-13
8.37.8	10 / 9	2026-02-12
8.37.7	10 / 9	2026-02-02
8.37.6	10 / 9	2026-01-27
8.37.5	10 / 9	2026-01-27
8.37.4	10 / 9	2026-01-23
8.37.3	10 / 9	2026-01-22
8.37.2	10 / 9	2025-12-17
8.37.1	10 / 9	2025-12-04
8.37.0	10 / 9	2025-11-19
8.36.0	10 / 9	2025-11-07
8.35.6	10 / 9	2025-10-21
8.35.5	10 / 9	2025-10-21

v8.46.7

2 findings

HIGH New obfuscated file: lib/index-CWfrZLjh.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.