@teambit/code.ui.code-tab-page
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@teambit/component.ui.artifacts.queries.use-component-artifacts | AI (dependencies): Internal @teambit org dependency; consistent with this package's component publishing pattern. | ai | |
| dependencies | unvetted-dep:@teambit/code.ui.code-view | AI (dependencies): Internal @teambit org dependency; consistent with this package's component publishing pattern. | ai | |
| dependencies | unvetted-dep:@teambit/code.ui.code-tab-tree | AI (dependencies): Internal @teambit org dependency; consistent with this package's component publishing pattern. | ai | |
| dependencies | unvetted-dep:@teambit/component.ui.artifacts.artifacts-tree | AI (dependencies): Internal @teambit org dependency; consistent with this package's component publishing pattern. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Teambit component packages routinely omit descriptions; stable false positive for this org. | ai | |
| provenance | no-provenance | AI (provenance): Teambit packages consistently lack provenance attestation; not a risk signal for this publisher. | ai | |
| phantom-deps | phantom-dep:core-js | AI (phantom-deps): core-js is a known implicit polyfill dependency; stable false positive. | ai | |
| phantom-deps | phantom-dep:@teambit/ui-foundation.ui.constants.z-indexes | AI (phantom-deps): Same-org teambit package; phantom-dep heuristic misfires on Bit component imports. | ai | |
Versions (showing 33 of 33)
| Version | Deps | Published |
|---|---|---|
| 0.0.699 | 22 / 9 | |
| 0.0.698 | 22 / 9 | |
| 0.0.697 | 22 / 9 | |
| 0.0.696 | 22 / 9 | |
| 0.0.695 | 22 / 9 | |
| 0.0.694 | 22 / 9 | |
| 0.0.693 | 22 / 9 | |
| 0.0.692 | 22 / 9 | |
| 0.0.691 | 22 / 9 | |
| 0.0.690 | 22 / 9 | |
| 0.0.689 | 22 / 9 | |
| 0.0.688 | 22 / 9 | |
| 0.0.687 | 22 / 9 | |
| 0.0.686 | 22 / 9 | |
| 0.0.685 | 22 / 9 | |
| 0.0.684 | 22 / 9 | |
| 0.0.683 | 22 / 9 | |
| 0.0.682 | 22 / 9 | |
| 0.0.681 | 22 / 9 | |
| 0.0.680 | 22 / 9 | |
| 0.0.679 | 22 / 9 | |
| 0.0.678 | 22 / 9 | |
| 0.0.677 | 22 / 9 | |
| 0.0.676 | 22 / 9 | |
| 0.0.675 | 22 / 9 | |
| 0.0.674 | 22 / 9 | |
| 0.0.673 | 22 / 9 | |
| 0.0.672 | 22 / 9 | |
| 0.0.671 | 22 / 9 | |
| 0.0.670 | 22 / 9 | |
| 0.0.669 | 22 / 9 | |
| 0.0.668 | 22 / 9 | |
| 0.0.667 | 22 / 9 | |
v0.0.699
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.698
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.697
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.696
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.695
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.694
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.693
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.692
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.691
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.690
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.689
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.688
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.687
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.686
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.685
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.684
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.683
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.682
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.681
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.680
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.679
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.678
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (davidfirst) than the most recent previously approved version (teambit-owner) on 2025-08-19, but davidfirst is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.0.677
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.676
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.675
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.674
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.673
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.672
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.671
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.670
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (davidfirst) than the most recent previously approved version (teambit-owner) on 2025-07-14, but davidfirst is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.0.669
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.668
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (shohamgilad) than the most recent previously approved version (teambit-owner) on 2025-07-02, but shohamgilad is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.0.667
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.