@tamagui/demos
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Tamagui monorepo does not use Sigstore provenance; consistent across all versions. | ai | |
| dependencies | unvetted-dep:@tamagui/tabs | AI (dependencies): Same-org monorepo sibling dep, pinned to matching version. | ai | |
| dependencies | unvetted-dep:@tamagui/sheet | AI (dependencies): Same-org monorepo sibling dep, pinned to matching version. | ai | |
| dependencies | unvetted-dep:@tamagui/toast | AI (dependencies): Same-org monorepo sibling dep, pinned to matching version. | ai | |
| dependencies | unvetted-dep:@tamagui/avatar | AI (dependencies): Same-org monorepo sibling dep, pinned to matching version. | ai | |
| dependencies | unvetted-dep:@tamagui/button | AI (dependencies): Same-org monorepo sibling dep, pinned to matching version. | ai | |
| dependencies | unvetted-dep:@tamagui/select | AI (dependencies): Same-org monorepo sibling dep, pinned to matching version. | ai | |
| dependencies | unvetted-dep:@tamagui/slider | AI (dependencies): Same-org monorepo sibling dep, pinned to matching version. | ai | |
| dependencies | unvetted-dep:@tamagui/switch | AI (dependencies): Same-org monorepo sibling dep, pinned to matching version. | ai | |
| dependencies | unvetted-dep:@tamagui/popover | AI (dependencies): Same-org monorepo sibling dep, pinned to matching version. | ai | |
| dependencies | unvetted-dep:@tamagui/checkbox | AI (dependencies): Same-org monorepo sibling dep, pinned to matching version. | ai | |
| dependencies | unvetted-dep:@tamagui/progress | AI (dependencies): Same-org monorepo sibling dep, pinned to matching version. | ai | |
| dependencies | unvetted-dep:@tamagui/list-item | AI (dependencies): Same-org monorepo sibling dep, pinned to matching version. | ai | |
| dependencies | unvetted-dep:@tamagui/image-next | AI (dependencies): Same-org monorepo sibling dep, pinned to matching version. | ai | |
| dependencies | unvetted-dep:@tamagui/radio-group | AI (dependencies): Same-org monorepo sibling dep, pinned to matching version. | ai | |
| dependencies | unvetted-dep:@tamagui/lucide-icons | AI (dependencies): Same-org monorepo sibling dep, pinned to matching version. | ai | |
| dependencies | unvetted-dep:@tamagui/roving-focus | AI (dependencies): Same-org monorepo sibling dep, pinned to matching version. | ai | |
| dependencies | unvetted-dep:@tamagui/radio-headless | AI (dependencies): Same-org monorepo sibling dep, pinned to matching version. | ai | |
| dependencies | unvetted-dep:@tamagui/switch-headless | AI (dependencies): Same-org monorepo sibling dep, pinned to matching version. | ai | |
| dependencies | unvetted-dep:@tamagui/animate-presence | AI (dependencies): Same-org monorepo sibling dep, pinned to matching version. | ai | |
| dependencies | unvetted-dep:@tamagui/menu | AI (dependencies): Same-org monorepo sibling dep, pinned to matching version; stable pattern for this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Established Tamagui monorepo sub-package; missing metadata is typical for internal demo packages. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Monorepo sub-package; missing description is consistent across all Tamagui packages. | ai | |
| phantom-deps | phantom-dep:@tamagui/menu | AI (phantom-deps): Same-org monorepo dep; phantom detection is a false positive for re-exported packages. | ai | |
| phantom-deps | phantom-dep:@tamagui/avatar | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@tamagui/button | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@tamagui/select | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@tamagui/slider | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@tamagui/popover | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@tamagui/progress | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@tamagui/list-item | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
Versions (showing 14 of 14)
| Version | Deps | Published |
|---|---|---|
| 2.1.0 | 33 / 3 | |
| 2.0.0 | 33 / 3 | |
| 1.144.4 | 29 / 3 | |
| 1.142.0 | 29 / 3 | |
| 1.141.4 | 29 / 3 | |
| 1.139.4 | 29 / 3 | |
| 1.138.6 | 29 / 3 | |
| 1.138.3 | 29 / 3 | |
| 1.138.0 | 29 / 3 | |
| 1.137.1 | 29 / 3 | |
| 1.136.7 | 29 / 3 | |
| 1.136.4 | 29 / 3 | |
| 1.136.1 | 29 / 3 | |
| 1.136.0 | 29 / 3 | |
v2.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.144.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.142.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.141.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.139.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.138.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.138.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.138.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.137.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.136.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.136.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.136.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.136.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.