@teambit/component.ui.version-block
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@teambit/design.ui.contributors | AI (dependencies): Internal @teambit scoped dependency; consistent with teambit's component publishing pattern. | ai | |
| dependencies | unvetted-dep:@teambit/base-react.navigation.link | AI (dependencies): Internal @teambit scoped dependency; consistent with teambit's component publishing pattern. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Scoped component package from teambit; missing description is a consistent pattern across their component library, not a malware signal. | ai | |
| provenance | no-provenance | AI (provenance): Teambit publishes hundreds of scoped packages without provenance; consistent pattern, not a risk indicator. | ai | |
| phantom-deps | phantom-dep:core-js | AI (phantom-deps): core-js is a known polyfill implicit dependency; stable false positive for this package. | ai | |
Versions (showing 14 of 14)
| Version | Deps | Published |
|---|---|---|
| 0.0.944 | 9 / 8 | |
| 0.0.943 | 9 / 8 | |
| 0.0.942 | 9 / 8 | |
| 0.0.941 | 9 / 8 | |
| 0.0.940 | 9 / 8 | |
| 0.0.934 | 10 / 8 | |
| 0.0.933 | 10 / 8 | |
| 0.0.931 | 10 / 8 | |
| 0.0.927 | 10 / 8 | |
| 0.0.926 | 10 / 8 | |
| 0.0.922 | 10 / 8 | |
| 0.0.918 | 10 / 8 | |
| 0.0.916 | 10 / 8 | |
| 0.0.915 | 11 / 8 | |
v0.0.944
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.943
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.942
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.941
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.940
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.934
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.933
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.931
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.927
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.926
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.922
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.918
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.916
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.915
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.