@strapi/upload
Makes it easy to upload images and files to your Strapi Application.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:react-redux | AI (phantom-deps): Declared dependency used indirectly via React ecosystem; stable false positive for this package. | ai | |
| provenance | no-provenance | AI (provenance): Strapi packages historically lack provenance attestation; this is a best-practice gap, not a security risk for this established project. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Strapi monorepo publishes many scoped packages in coordinated releases; dormancy gaps are normal for this project's release cadence. | ai | |
| phantom-deps | phantom-dep:@reduxjs/toolkit | AI (phantom-deps): Declared for transitive/peer consumption in plugin architecture; stable pattern for @strapi packages. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Scoped package in official Strapi monorepo; missing repo/homepage/keywords typical for monorepo-published plugins with proper author metadata. | ai | |
| dependencies | unvetted-dep:@strapi/design-system | AI (dependencies): Same-org Strapi design system package; expected dependency for a Strapi core plugin. | ai | |
| dependencies | unvetted-dep:@radix-ui/react-dialog | AI (dependencies): @radix-ui/react-dialog is a well-known, widely-used accessible UI primitive; expected in a Strapi admin UI plugin. | ai | |
| phantom-deps | phantom-dep:prop-types | AI (phantom-deps): prop-types declared for downstream compatibility; common pattern in React ecosystem packages. | ai | |
| phantom-deps | phantom-dep:@strapi/provider-upload-local | AI (phantom-deps): Same-org Strapi package listed as a runtime dependency; phantom detection is a false positive here. | ai | |
| dependencies | unvetted-dep:@mux/mux-player-react | AI (dependencies): @mux/mux-player-react is the official Mux video player React component; appropriate for a media library plugin. | ai | |
| dependencies | unvetted-dep:@strapi/icons | AI (dependencies): Same-org Strapi package; expected dependency for a Strapi core plugin. | ai | |
| dependencies | unvetted-dep:react-query | AI (dependencies): react-query is a well-known, legitimate React data-fetching library; expected dependency for Strapi admin UI plugin. | ai |
Versions (showing 61 of 61)
| Version | Deps | Published |
|---|---|---|
| 5.47.1 | 30 / 18 | |
| 5.47.0 | 30 / 18 | |
| 5.46.1 | 30 / 18 | |
| 5.46.0 | 30 / 18 | |
| 5.45.1 | 30 / 18 | |
| 5.45.0 | 30 / 18 | |
| 5.44.0 | 30 / 18 | |
| 5.43.0 | 30 / 18 | |
| 5.42.1 | 30 / 18 | |
| 5.42.0 | 30 / 18 | |
| 5.41.1 | 30 / 18 | |
| 5.41.0 | 30 / 18 | |
| 5.40.0 | 30 / 18 | |
| 5.39.0 | 30 / 18 | |
| 5.38.1 | 30 / 18 | |
| 5.38.0 | 30 / 18 | |
| 5.37.1 | 30 / 18 | |
| 5.37.0 | 30 / 18 | |
| 5.36.1 | 30 / 18 | |
| 5.36.0 | 29 / 18 | |
| 5.35.0 | 28 / 18 | |
| 5.34.0 | 28 / 18 | |
| 5.33.4 | 27 / 18 | |
| 5.33.3 | 27 / 18 | |
| 5.32.0 | 27 / 18 | |
| 5.31.3 | 27 / 18 | |
| 5.31.2 | 27 / 18 | |
| 5.31.1 | 27 / 18 | |
| 5.31.0 | 27 / 18 | |
| 5.30.1 | 26 / 18 | |
| 5.30.0 | 26 / 18 | |
| 5.29.0 | 26 / 18 | |
| 5.28.0 | 26 / 18 | |
| 5.27.0 | 26 / 18 | |
| 5.26.0 | 26 / 18 | |
| 5.25.0 | 26 / 18 | |
| 5.24.2 | 26 / 18 | |
| 5.24.1 | 26 / 18 | |
| 5.24.0 | 26 / 18 | |
| 5.23.6 | 26 / 18 | |
| 5.23.5 | 26 / 18 | |
| 5.23.4 | 26 / 18 | |
| 5.23.3 | 26 / 18 | |
| 5.23.2 | 26 / 18 | |
| 5.23.1 | 26 / 18 | |
| 5.23.0 | 26 / 18 | |
| 5.22.0 | 26 / 18 | |
| 5.21.0 | 26 / 18 | |
| 5.20.0 | 25 / 18 | |
| 5.19.0 | 24 / 18 | |
| 5.18.1 | 24 / 18 | |
| 5.18.0 | 24 / 18 | |
| 5.17.0 | 24 / 18 | |
| 5.16.1 | 24 / 18 | |
| 5.16.0 | 24 / 18 | |
| 5.15.1 | 24 / 18 | |
| 5.15.0 | 24 / 18 | |
| 5.14.0 | 24 / 18 | |
| 5.13.1 | 24 / 18 | |
| 5.13.0 | 24 / 18 | |
| 5.12.7 | 24 / 18 |
v5.47.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.47.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.46.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.46.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.45.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.45.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.43.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.42.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.42.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.41.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.41.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.40.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.39.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.38.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.38.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.37.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.37.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.36.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.36.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.35.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.34.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.33.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.33.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.32.0
2 findingsThis version was published by a different npm account than previous versions on 2025-12-11. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.31.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.31.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.31.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.31.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.30.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.30.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.29.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.28.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.27.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.26.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.25.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.24.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.24.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.24.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.23.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.23.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.23.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.23.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.23.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.23.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.22.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.21.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.20.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.19.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.18.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.18.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.17.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.16.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.16.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.15.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.15.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.14.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.13.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.13.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.12.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.