@spscommerce/ds-react
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:axe-prop-types | AI (dependencies): axe-prop-types is a known accessibility utility; stable dependency for this design system package. | ai | |
| provenance | no-provenance | AI (provenance): Long-established package with 825 versions; no provenance has been a consistent pattern. | ai | |
| license | uncommon-license:UNLICENSED | AI (license): Proprietary internal SPS Commerce design system; UNLICENSED is intentional and consistent across versions. | ai | |
| phantom-deps | phantom-dep:axe-prop-types | AI (phantom-deps): Bundled component library; deps consumed via build, not direct imports. | ai | |
| phantom-deps | phantom-dep:tiny-invariant | AI (phantom-deps): Bundled component library; deps consumed via build, not direct imports. | ai | |
| phantom-deps | phantom-dep:@react-aria/tabs | AI (phantom-deps): Bundled component library; deps consumed via build, not direct imports. | ai | |
| phantom-deps | phantom-dep:@react-aria/focus | AI (phantom-deps): Bundled component library; deps consumed via build, not direct imports. | ai | |
| phantom-deps | phantom-dep:@react-aria/utils | AI (phantom-deps): Bundled component library; deps consumed via build, not direct imports. | ai | |
| phantom-deps | phantom-dep:@react-aria/button | AI (phantom-deps): Bundled component library; deps consumed via build, not direct imports. | ai | |
| phantom-deps | phantom-dep:clsx | AI (phantom-deps): Bundled component library; deps consumed via build, not direct imports. | ai | |
| phantom-deps | phantom-dep:@react-aria/listbox | AI (phantom-deps): Bundled component library; deps consumed via build, not direct imports. | ai | |
| phantom-deps | phantom-dep:@react-stately/list | AI (phantom-deps): Bundled component library; deps consumed via build, not direct imports. | ai | |
| phantom-deps | phantom-dep:@react-aria/overlays | AI (phantom-deps): Bundled component library; deps consumed via build, not direct imports. | ai | |
| phantom-deps | phantom-dep:lodash.isplainobject | AI (phantom-deps): Bundled component library; deps consumed via build, not direct imports. | ai | |
| phantom-deps | phantom-dep:@react-stately/select | AI (phantom-deps): Bundled component library; deps consumed via build, not direct imports. | ai | |
| phantom-deps | phantom-dep:scroll-into-view-if-needed | AI (phantom-deps): Bundled component library; deps consumed via build, not direct imports. | ai | |
| phantom-deps | phantom-dep:@react-aria/select | AI (phantom-deps): Bundled component library; deps consumed via build, not direct imports. | ai | |
| phantom-deps | phantom-dep:nanoid | AI (phantom-deps): Bundled component library; deps consumed via build, not direct imports. | ai | |
| phantom-deps | phantom-dep:prop-types | AI (phantom-deps): Bundled component library; deps consumed via build, not direct imports. | ai | |
Versions (showing 97 of 97)
| Version | Deps | Published |
|---|---|---|
| 8.47.0 | 18 / 24 | |
| 8.46.7 | 18 / 24 | |
| 8.46.6 | 18 / 24 | |
| 8.46.5 | 18 / 24 | |
| 8.46.4 | 18 / 24 | |
| 8.46.3 | 18 / 24 | |
| 8.46.2 | 18 / 24 | |
| 8.46.1 | 18 / 24 | |
| 8.46.0 | 18 / 24 | |
| 8.45.8 | 18 / 24 | |
| 8.45.7 | 18 / 24 | |
| 8.45.6 | 18 / 24 | |
| 8.45.5 | 18 / 24 | |
| 8.45.4 | 18 / 26 | |
| 8.45.3 | 18 / 26 | |
| 8.45.2 | 18 / 26 | |
| 8.45.1 | 18 / 26 | |
| 8.45.0 | 18 / 26 | |
| 8.44.1 | 18 / 26 | |
| 8.44.0 | 18 / 26 | |
| 8.43.1 | 18 / 26 | |
| 8.43.0 | 18 / 26 | |
| 8.42.7 | 18 / 26 | |
| 8.42.6 | 18 / 26 | |
| 8.42.5 | 18 / 26 | |
| 8.42.4 | 18 / 26 | |
| 8.42.3 | 18 / 26 | |
| 8.42.2 | 18 / 26 | |
| 8.42.1 | 18 / 26 | |
| 8.42.0 | 18 / 26 | |
| 8.41.4 | 18 / 26 | |
| 8.41.3 | 18 / 26 | |
| 8.41.2 | 18 / 26 | |
| 8.41.1 | 18 / 26 | |
| 8.41.0 | 18 / 26 | |
| 8.40.0 | 18 / 26 | |
| 8.39.0 | 18 / 26 | |
| 8.38.2 | 18 / 26 | |
| 8.38.1 | 18 / 26 | |
| 8.38.0 | 18 / 26 | |
| 8.37.8 | 18 / 26 | |
| 8.37.7 | 18 / 26 | |
| 8.37.6 | 18 / 26 | |
| 8.37.5 | 18 / 26 | |
| 8.37.4 | 18 / 26 | |
| 8.37.3 | 18 / 26 | |
| 8.37.2 | 18 / 26 | |
| 8.37.1 | 18 / 26 | |
| 8.37.0 | 18 / 26 | |
| 8.36.0 | 18 / 26 | |
| 8.35.6 | 18 / 26 | |
| 8.35.5 | 18 / 26 | |
| 8.35.4 | 18 / 26 | |
| 8.35.3 | 18 / 26 | |
| 8.35.0 | 18 / 26 | |
| 8.34.16 | 18 / 26 | |
| 8.34.15 | 18 / 26 | |
| 8.34.14 | 18 / 26 | |
| 8.34.13 | 18 / 26 | |
| 8.34.12 | 18 / 26 | |
| 8.34.11 | 18 / 26 | |
| 8.34.10 | 18 / 26 | |
| 8.34.9 | 18 / 26 | |
| 8.34.8 | 18 / 26 | |
| 8.34.7 | 18 / 26 | |
| 8.34.6 | 18 / 26 | |
| 8.34.5 | 18 / 26 | |
| 8.34.4 | 18 / 26 | |
| 8.34.3 | 18 / 26 | |
| 8.34.2 | 18 / 26 | |
| 8.34.1 | 18 / 26 | |
| 8.34.0 | 18 / 26 | |
| 8.33.10 | 18 / 25 | |
| 8.33.9 | 18 / 25 | |
| 8.33.8 | 18 / 25 | |
| 8.33.7 | 18 / 25 | |
| 8.33.6 | 18 / 25 | |
| 8.33.5 | 18 / 25 | |
| 8.33.3 | 18 / 25 | |
| 8.33.1 | 18 / 25 | |
| 8.32.2 | 18 / 25 | |
| 8.32.1 | 18 / 25 | |
| 8.32.0 | 18 / 25 | |
| 8.31.7 | 18 / 25 | |
| 8.31.6 | 18 / 25 | |
| 8.31.5 | 18 / 25 | |
| 8.31.4 | 18 / 25 | |
| 8.31.3 | 18 / 25 | |
| 8.31.2 | 18 / 25 | |
| 8.31.1 | 18 / 25 | |
| 8.31.0 | 18 / 25 | |
| 8.30.1 | 18 / 25 | |
| 8.30.0 | 18 / 25 | |
| 8.29.10 | 18 / 25 | |
| 8.29.9 | 18 / 25 | |
| 8.29.8 | 18 / 25 | |
| 8.29.7 | 18 / 25 | |
v8.47.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.46.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.46.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.46.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.46.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.46.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.46.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.46.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.46.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.45.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.45.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.45.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.45.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.45.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.45.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.45.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.45.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.45.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.44.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.44.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.43.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.43.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.42.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.42.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.42.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.42.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.42.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.42.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.42.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.42.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.41.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.41.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.41.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.41.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.41.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.40.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.39.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.38.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.38.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.38.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.37.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.37.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.37.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.37.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.37.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.37.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.37.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.37.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.37.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.36.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.35.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.35.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.35.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.35.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.35.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.34.16
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.34.15
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.34.14
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.34.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.34.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.34.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.34.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.34.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.34.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.34.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.34.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.34.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.34.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.34.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.34.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.34.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.34.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.33.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.33.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.33.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.33.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.33.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.33.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.33.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.33.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.32.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.32.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.32.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.31.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.31.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.31.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.31.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.31.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.31.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.31.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.31.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.30.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.30.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.29.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.29.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.29.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.29.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.