@strapi/content-manager
A powerful UI to easily manage your data.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:zod | AI (phantom-deps): zod is a declared dep used in config/type definitions; phantom-dep heuristic fires but no real risk for this package. | ai | |
| phantom-deps | phantom-dep:immer | AI (phantom-deps): Declared and used in monorepo; stable pattern for this package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers nico-strapi and strapi.adzouz are consistent with internal Strapi team account management within the official org. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of remidej alongside addition of new Strapi team accounts reflects normal team rotation, not a hostile takeover. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): This is a monorepo sub-package with 1100 versions; publishing gaps for individual packages are normal and not indicative of account takeover given the active Strapi ecosystem context. | ai | |
| provenance | publisher-changed | AI (provenance): bassel17 is a Strapi team member with 10 approved packages; publisher rotation within the Strapi org is expected for this monorepo package. | ai | |
| dependencies | unvetted-dep:sanitize-html | AI (dependencies): sanitize-html is a well-known HTML sanitization library; expected in a content-manager handling rich text. | ai | |
| dependencies | unvetted-dep:slate-history | AI (dependencies): slate-history is part of the Slate rich text editor ecosystem; expected in a content-manager with rich text editing. | ai | |
| dependencies | unvetted-dep:markdown-it-abbr | AI (dependencies): markdown-it plugin; expected in a content-manager with Markdown support. | ai | |
| dependencies | unvetted-dep:@strapi/design-system | AI (dependencies): First-party Strapi design system; expected dependency in Strapi's own content-manager package. | ai | |
| phantom-deps | phantom-dep:react-query | AI (phantom-deps): Config-file reference in a complex monorepo build; not a security concern for this package. | ai | |
| phantom-deps | phantom-dep:react-helmet | AI (phantom-deps): Config-file reference in a complex monorepo build; not a security concern for this package. | ai | |
| dependencies | unvetted-dep:markdown-it-emoji | AI (dependencies): markdown-it plugin; expected in a content-manager with Markdown support. | ai | |
| dependencies | unvetted-dep:prismjs | AI (dependencies): prismjs is a well-known syntax highlighting library; expected dependency for a content-manager UI plugin. | ai | |
| dependencies | unvetted-dep:codemirror5 | AI (dependencies): codemirror is a well-known code editor library; expected in a rich content-manager UI. | ai | |
| dependencies | unvetted-dep:markdown-it | AI (dependencies): markdown-it is a well-known Markdown parser; expected in a content-manager with rich text support. | ai | |
| dependencies | unvetted-dep:react-query | AI (dependencies): react-query is a well-known data-fetching library; expected in a React-based content-manager UI. | ai | |
| dependencies | unvetted-dep:@strapi/icons | AI (dependencies): First-party Strapi icon library; expected dependency in Strapi's own content-manager package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Core Strapi monorepo package; short README and no keywords are expected for internal packages published from a monorepo. | ai | |
| provenance | no-provenance | AI (provenance): Strapi does not currently publish with Sigstore provenance; this is consistent across all their packages and not a security concern given the established publisher identity. | ai | |
Versions (showing 19 of 19)
| Version | Deps | Published |
|---|---|---|
| 5.47.0 | 43 / 12 | |
| 5.44.0 | 41 / 12 | |
| 5.43.0 | 41 / 12 | |
| 5.42.1 | 41 / 12 | |
| 5.42.0 | 41 / 12 | |
| 5.41.1 | 41 / 12 | |
| 5.41.0 | 41 / 12 | |
| 5.38.0 | 41 / 12 | |
| 5.36.0 | 41 / 12 | |
| 5.34.0 | 41 / 12 | |
| 5.33.4 | 41 / 12 | |
| 5.33.3 | 41 / 12 | |
| 5.33.1 | 41 / 12 | |
| 5.32.0 | 41 / 12 | |
| 5.30.1 | 41 / 12 | |
| 5.30.0 | 41 / 12 | |
| 5.23.6 | 41 / 12 | |
| 5.13.0 | 39 / 12 | |
| 5.12.7 | 39 / 12 | |
v5.47.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.43.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.42.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.42.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.41.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.41.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.38.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.36.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.34.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.33.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.33.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.33.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.32.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.30.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.30.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.13.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.12.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.