@tanstack/cta-ui — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

tannerlinsleyschiller-manuellachlancollinskylemathews

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:dist/assets/index-16uOszEx.js	AI (source-diff): Standard Vite-minified React bundle for a UI package; not obfuscated, just minified frontend output.	ai	2026/05/14
source-diff	obfuscated-file:dist/assets/index-nLTGZwWC.js	AI (source-diff): Standard Vite minified bundle for a React UI package; not obfuscated, readable code with license headers.	ai	2026/05/14
source-diff	obfuscated-file:dist/assets/index-dikOiXwx.js	AI (source-diff): Standard Vite-minified React bundle with accompanying source map; expected artifact for this UI package.	ai	2026/05/14
source-diff	obfuscated-file:dist/assets/index-CV3P_WqJ.js	AI (source-diff): Standard Vite-minified UI bundle for a React component library; not obfuscation.	ai	2026/05/14
phantom-deps	phantom-dep:next-themes	AI (phantom-deps): UI peer dependency referenced in config; stable false positive for this package.	ai	2026/05/11
phantom-deps	phantom-dep:tailwind-merge	AI (phantom-deps): Tailwind utility referenced in config; stable false positive for this package.	ai	2026/05/11
phantom-deps	phantom-dep:tailwindcss-animate	AI (phantom-deps): Tailwind plugin referenced in config; stable false positive for this package.	ai	2026/05/11
phantom-deps	phantom-dep:react	AI (phantom-deps): React is a peer/config dependency for a UI package; not directly imported in source is expected.	ai	2026/05/11
phantom-deps	phantom-dep:execa	AI (phantom-deps): Used in config/build tooling context; phantom-dep heuristic false positive for this package.	ai	2026/05/11
phantom-deps	phantom-dep:sonner	AI (phantom-deps): UI peer dependency referenced in config; stable false positive for this package.	ai	2026/05/11

Versions (showing 42 of 42)

Version	Deps	Published
0.48.2	15 / 15	2026-01-28
0.28.0	15 / 15	2025-10-05
0.27.1	15 / 15	2025-10-04
0.27.0	15 / 15	2025-10-03
0.26.1	15 / 15	2025-10-03
0.26.0	15 / 15	2025-10-03
0.25.2	15 / 15	2025-10-02
0.25.1	15 / 15	2025-10-02
0.25.0	15 / 15	2025-10-02
0.24.1	15 / 15	2025-09-30
0.24.0	15 / 15	2025-09-30
0.23.2	15 / 15	2025-09-30
0.23.1	15 / 15	2025-09-29
0.23.0	15 / 15	2025-09-29
0.22.3	15 / 15	2025-09-29
0.22.2	15 / 15	2025-09-25
0.22.1	15 / 15	2025-09-24
0.22.0	15 / 15	2025-09-23
0.21.0	15 / 15	2025-08-14
0.20.0	15 / 15	2025-08-13
0.19.0	15 / 15	2025-08-11
0.17.5	15 / 15	2025-08-10
0.17.4	15 / 15	2025-08-07
0.17.3	15 / 15	2025-08-07
0.17.2	15 / 15	2025-08-07
0.17.1	15 / 15	2025-08-06
0.17.0	15 / 15	2025-07-31
0.16.10	15 / 15	2025-07-30
0.16.9	15 / 15	2025-07-30
0.16.8	15 / 15	2025-07-30
0.16.7	15 / 15	2025-07-30
0.16.6	15 / 15	2025-07-28
0.16.5	15 / 15	2025-07-01
0.16.4	15 / 15	2025-06-28
0.16.1	15 / 15	2025-06-18
0.16.0	15 / 15	2025-06-12
0.15.12	15 / 15	2025-06-11
0.15.11	15 / 15	2025-06-11
0.15.7	15 / 15	2025-06-04
0.15.6	15 / 15	2025-06-04
0.15.5	15 / 15	2025-06-04
0.15.4	15 / 15	2025-05-29

v0.48.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.28.0

2 findings

HIGH New obfuscated file: dist/assets/index-16uOszEx.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.