@teambit/ui
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:artifacts/ui-bundle/scope/public/bit/static/js/515.10d69c43.js | AI (source-diff): Standard webpack minified browser bundle artifact; pattern is stable across all versions of this package. | ai | |
| source-diff | net-exec-file:artifacts/ui-bundle/workspace/public/bit/static/js/913.6f89dc84.js | AI (source-diff): Browser UI bundle with fetch/XHR and dynamic module loading is expected for this package's UI artifacts. | ai | |
| source-diff | obfuscated-file:artifacts/ui-bundle/workspace/public/bit/static/js/913.6f89dc84.js | AI (source-diff): Standard webpack minified browser bundle artifact; pattern is stable across all versions of this package. | ai | |
| source-diff | net-exec-file:artifacts/ui-bundle/scope/public/bit/static/js/515.10d69c43.js | AI (source-diff): Browser UI bundle with fetch/XHR and dynamic module loading is expected for this package's UI artifacts. | ai | |
| source-diff | obfuscated-file:artifacts/ui-bundle/workspace/public/bit/static/js/201.12051623.js | AI (source-diff): Webpack chunk containing graphlib/layout code; standard minified build artifact for Bit's UI bundle. | ai | |
| source-diff | net-exec-file:artifacts/ui-bundle/scope/public/bit/static/js/747.bfe65073.js | AI (source-diff): Same webpack module loader pattern; not malicious. | ai | |
| source-diff | obfuscated-file:artifacts/ui-bundle/scope/public/bit/static/js/747.bfe65073.js | AI (source-diff): Identical webpack chunk pattern as workspace bundle; standard minified build artifact. | ai | |
| source-diff | net-exec-file:artifacts/ui-bundle/workspace/public/bit/static/js/201.12051623.js | AI (source-diff): Network calls and dynamic requires are webpack module loader patterns in a browser UI bundle, not dropper malware. | ai | |
| source-diff | net-exec-file:artifacts/ui-bundle/scope/public/bit/static/js/652.16d96174.js | AI (source-diff): Webpack bundle for browser UI; network calls and dynamic module loading are expected in this context. | ai | |
| source-diff | net-exec-file:artifacts/ui-bundle/workspace/public/bit/static/js/754.9ab2c3f1.js | AI (source-diff): Webpack bundle for browser UI; network calls and dynamic module loading are expected in this context. | ai | |
| source-diff | obfuscated-file:artifacts/ui-bundle/workspace/public/bit/static/js/754.9ab2c3f1.js | AI (source-diff): Standard webpack minified UI bundle for @teambit/ui; not obfuscation, consistent with prior releases. | ai | |
| source-diff | obfuscated-file:artifacts/ui-bundle/scope/public/bit/static/js/652.16d96174.js | AI (source-diff): Standard webpack minified UI bundle for @teambit/ui; not obfuscation, consistent with prior releases. | ai | |
| source-diff | obfuscated-file:artifacts/ui-bundle/workspace/public/bit/static/js/232.013ebf4f.js | AI (source-diff): Webpack UI bundle chunk; minified graphlib/dagre layout code, not malware. | ai | |
| source-diff | net-exec-file:artifacts/ui-bundle/scope/public/bit/static/js/594.04fdc8e6.js | AI (source-diff): Webpack module system pattern; net-exec signal is webpack require(), not a dropper. | ai | |
| source-diff | obfuscated-file:artifacts/ui-bundle/scope/public/bit/static/js/594.04fdc8e6.js | AI (source-diff): Webpack UI bundle chunk; same graphlib content as workspace bundle, not malware. | ai | |
| source-diff | net-exec-file:artifacts/ui-bundle/workspace/public/bit/static/js/232.013ebf4f.js | AI (source-diff): Webpack module system pattern; network+exec signal is webpack require(), not a dropper. | ai | |
| source-diff | obfuscated-file:artifacts/ui-bundle/scope/public/bit/ssr/57e0cc5db6a609b0.cjs | AI (source-diff): SSR bundle artifact; minified React/TypeScript output, not obfuscated malware. | ai | |
| dependencies | unvetted-dep:@teambit/harmony.modules.harmony-root-generator | AI (dependencies): First-party @teambit scoped package; consistent with this package's ecosystem. | ai | |
| dependencies | unvetted-dep:http-proxy | AI (dependencies): Well-known proxy library; stable dependency in this package's build toolchain. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.constants | AI (dependencies): First-party @teambit scoped package; consistent with this package's ecosystem. | ai | |
| dependencies | unvetted-dep:@teambit/react.rendering.ssr | AI (dependencies): First-party @teambit scoped package; consistent with this package's ecosystem. | ai | |
| dependencies | unvetted-dep:@teambit/toolbox.crypto.sha1 | AI (dependencies): First-party @teambit scoped package; consistent with this package's ecosystem. | ai | |
| dependencies | unvetted-dep:@teambit/design.themes.base-theme | AI (dependencies): First-party @teambit scoped package; consistent with this package's ecosystem. | ai | |
| dependencies | unvetted-dep:@teambit/design.themes.dark-theme | AI (dependencies): First-party @teambit scoped package; consistent with this package's ecosystem. | ai | |
| dependencies | unvetted-dep:@teambit/design.themes.light-theme | AI (dependencies): First-party @teambit scoped package; consistent with this package's ecosystem. | ai | |
| dependencies | unvetted-dep:@teambit/base-react.themes.theme-switcher | AI (dependencies): First-party @teambit scoped package; consistent with this package's ecosystem. | ai | |
| dependencies | unvetted-dep:@teambit/api-reference.hooks.use-api-renderers | AI (dependencies): First-party @teambit scoped package; consistent with this package's ecosystem. | ai | |
| dependencies | unvetted-dep:@teambit/rspack.modules.generate-asset-manifest | AI (dependencies): First-party @teambit scoped package; consistent with this package's ecosystem. | ai | |
| source-diff | net-exec-file:artifacts/ui-bundle/workspace/public/bit/static/js/139.64a0671d.js | AI (source-diff): Webpack bundle for browser UI; network+dynamic-require is normal for bundled frontend code in this package. | ai | |
| source-diff | obfuscated-file:artifacts/ui-bundle/workspace/public/bit/static/js/139.64a0671d.js | AI (source-diff): Standard webpack-minified UI bundle artifact; not obfuscation, stable pattern for this package. | ai | |
| source-diff | net-exec-file:artifacts/ui-bundle/scope/public/bit/static/js/463.c56e9999.js | AI (source-diff): Webpack bundle for browser UI; network+dynamic-require is normal for bundled frontend code in this package. | ai | |
| source-diff | obfuscated-file:artifacts/ui-bundle/scope/public/bit/static/js/463.c56e9999.js | AI (source-diff): Standard webpack-minified UI bundle artifact; stable pattern for this package. | ai | |
| source-diff | net-exec-file:artifacts/ui-bundle/scope/public/bit/static/js/383.8bcaf67a.js | AI (source-diff): Network calls and dynamic requires are normal in a bundled browser UI; not dropper behavior. | ai | |
| source-diff | obfuscated-file:artifacts/ui-bundle/scope/public/bit/static/js/383.8bcaf67a.js | AI (source-diff): Webpack-minified UI bundle chunk; expected artifact for @teambit/ui across all versions. | ai | |
| source-diff | net-exec-file:artifacts/ui-bundle/workspace/public/bit/static/js/522.7834818c.js | AI (source-diff): Network calls and dynamic requires are normal in a bundled browser UI; not dropper behavior. | ai | |
| source-diff | obfuscated-file:artifacts/ui-bundle/workspace/public/bit/static/js/522.7834818c.js | AI (source-diff): Webpack-minified UI bundle chunk; expected artifact for @teambit/ui across all versions. | ai | |
| typosquat | typosquat.levenshtein:yup | AI (typosquat): Scoped @teambit/ui package; Levenshtein match to 'yup' is a false positive. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped @teambit/ui package; Levenshtein match to 'joi' is a false positive. | ai | |
| typosquat | typosquat.levenshtein:uuid | AI (typosquat): Scoped @teambit/ui package; Levenshtein match to short unscoped names is a false positive. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): Scoped @teambit/ui package; Levenshtein match to 'qs' is a false positive. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped @teambit/ui package; Levenshtein match to 'pg' is a false positive. | ai | |
| phantom-deps | phantom-dep:@teambit/isolator | AI (phantom-deps): Same-org package; phantom-dep heuristic unreliable for monorepo sibling packages. | ai | |
| phantom-deps | phantom-dep:@babel/runtime | AI (phantom-deps): Framework-scoped runtime dep loaded by convention, not direct import. | ai | |
| phantom-deps | phantom-dep:sanitize.css | AI (phantom-deps): CSS asset referenced by convention, not JS import. | ai | |
| phantom-deps | phantom-dep:postcss | AI (phantom-deps): PostCSS referenced in build config; not directly imported in JS. | ai | |
| phantom-deps | phantom-dep:sass | AI (phantom-deps): CSS preprocessor referenced in webpack/rspack config; not directly imported in JS. | ai | |
| phantom-deps | phantom-dep:less | AI (phantom-deps): CSS preprocessor referenced in webpack/rspack config; not directly imported in JS. | ai | |
Versions (showing 31 of 31)
| Version | Deps | Published |
|---|---|---|
| 1.0.1002 | 67 / 8 | |
| 1.0.1000 | 67 / 8 | |
| 1.0.999 | 67 / 8 | |
| 1.0.995 | 67 / 8 | |
| 1.0.992 | 67 / 8 | |
| 1.0.989 | 67 / 8 | |
| 1.0.988 | 67 / 8 | |
| 1.0.986 | 67 / 8 | |
| 1.0.983 | 67 / 8 | |
| 1.0.982 | 67 / 8 | |
| 1.0.979 | 67 / 8 | |
| 1.0.975 | 67 / 8 | |
| 1.0.972 | 67 / 8 | |
| 1.0.971 | 67 / 8 | |
| 1.0.970 | 67 / 8 | |
| 1.0.969 | 67 / 8 | |
| 1.0.968 | 67 / 8 | |
| 1.0.965 | 67 / 8 | |
| 1.0.964 | 67 / 8 | |
| 1.0.962 | 67 / 8 | |
| 1.0.958 | 67 / 8 | |
| 1.0.954 | 67 / 8 | |
| 1.0.950 | 67 / 8 | |
| 1.0.943 | 67 / 8 | |
| 1.0.937 | 67 / 8 | |
| 1.0.935 | 67 / 8 | |
| 1.0.931 | 67 / 8 | |
| 1.0.930 | 67 / 8 | |
| 1.0.929 | 67 / 8 | |
| 1.0.927 | 67 / 8 | |
| 1.0.925 | 67 / 8 | |
v1.0.1002
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1000
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.999
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.995
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.992
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.989
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.988
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.986
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.983
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.982
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.979
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.975
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.972
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.971
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.970
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.969
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.965
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.964
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.962
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.958
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.954
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.950
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.943
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.937
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.935
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.931
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.930
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.929
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.927
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.925
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.