@teambit/compositions
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@teambit/compositions.ui.composition-live-controls | AI (dependencies): Internal @teambit scoped dep; routine for this monorepo-style package. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.consumer-component | AI (dependencies): Internal @teambit scoped dep; routine for this monorepo-style package. | ai | |
| dependencies | unvetted-dep:@teambit/workspace.ui.use-workspace-mode | AI (dependencies): Internal @teambit scoped dep; routine for this monorepo-style package. | ai | |
| dependencies | unvetted-dep:@teambit/compositions.ui.composition-compare | AI (dependencies): Internal @teambit scoped dep; routine for this monorepo-style package. | ai | |
| dependencies | unvetted-dep:@teambit/component.sources | AI (dependencies): Internal @teambit scoped dep; routine for this monorepo-style package. | ai | |
| dependencies | unvetted-dep:@teambit/design.inputs.text-area | AI (dependencies): Internal @teambit scoped dep; routine for this monorepo-style package. | ai | |
| dependencies | unvetted-dep:@teambit/design.inputs.date-picker | AI (dependencies): Internal @teambit scoped dep; routine for this monorepo-style package. | ai | |
| provenance | no-provenance | AI (provenance): Teambit publishes without Sigstore provenance across all versions; not a risk signal here. | ai | |
| phantom-deps | phantom-dep:@teambit/ui-foundation.ui.constants.z-indexes | AI (phantom-deps): Same-org Bit aspect dependency; phantom-dep heuristic unreliable for Bit's module resolution model. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Bit core aspects consistently omit descriptions; stable false positive for this package family. | ai |
Versions (showing 12 of 12)
| Version | Deps | Published |
|---|---|---|
| 1.0.972 | 56 / 7 | |
| 1.0.971 | 56 / 7 | |
| 1.0.970 | 56 / 7 | |
| 1.0.969 | 56 / 7 | |
| 1.0.968 | 56 / 7 | |
| 1.0.926 | 57 / 7 | |
| 1.0.925 | 57 / 7 | |
| 1.0.887 | 55 / 7 | |
| 1.0.885 | 55 / 7 | |
| 1.0.884 | 55 / 7 | |
| 1.0.881 | 55 / 7 | |
| 1.0.879 | 55 / 7 |
v1.0.972
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.971
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.970
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.969
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.887
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.885
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.884
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.881
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.879
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.