@teambit/ui-foundation.ui.side-bar
Supply chain provenance
Status for the latest visible version.
Without npm provenance (a SLSA build attestation signed through Sigstore) there is no cryptographic link between this tarball and the public source; a reviewer can only compare what the maintainer uploaded against what the repository contains. The axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): davidfirst is a long-standing trusted teambit publisher with 206 approved packages; transition is consistent with org maintainer rotation. | ai | |
| dependencies | unvetted-dep:@teambit/base-react.navigation.link | AI (dependencies): Same @teambit org scope; consistent with this package's dependency pattern across all versions. | ai | |
| phantom-deps | phantom-dep:@teambit/base-ui.theme.colors | AI (phantom-deps): Same org scope; declared but not directly imported is a common pattern in Bit component packages. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Established teambit component package; missing description is a consistent pattern across their 600+ versions. | ai | |
| provenance | no-provenance | AI (provenance): teambit publishes without Sigstore provenance consistently; not a risk indicator for this publisher. | ai | |
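The two rules that dominate the table above, publisher-changed and no-provenance, can be reproduced from registry metadata alone. The following is an added example written for this page, not the scanner's or teambit's own code. It walks a constructed, abbreviated packument (the shape returned by GET https://registry.npmjs.org/<pkg>, whose `versions` map holds each version's manifest with `_npmUser` and `dist`) in publish order, flags a version whose `_npmUser` differs from the previous publish, flags versions with no `dist.attestations.provenance`, and then applies a reviewer's accepted-rule set so accepted findings are labelled rather than silently dropped. The package name, account names, dates and attestation fields in `SAMPLE_PACKUMENT` are constructed for illustration and are not data for this package.

```python
"""Publisher-change and provenance checks over an npm packument (added example).

Illustrative code for this page, not the scanner's or teambit's implementation.
SAMPLE_PACKUMENT is a constructed, abbreviated stand-in for the registry
packument (GET https://registry.npmjs.org/<pkg>); every name, date and
attestation field in it is an assumption made for illustration.
"""
from typing import Dict, List, Optional

SAMPLE_PACKUMENT: Dict = {
    "name": "@example/constructed-pkg",  # assumed name, not a real package
    "time": {  # publish timestamps; ISO-8601 strings sort chronologically
        "1.0.0": "2025-07-01T10:00:00.000Z",
        "1.0.1": "2025-07-14T10:00:00.000Z",
        "1.0.2": "2025-08-19T10:00:00.000Z",
        "1.0.3": "2025-09-02T10:00:00.000Z",
        "created": "2025-07-01T10:00:00.000Z",   # `time` also carries non-version keys
        "modified": "2025-09-02T10:00:00.000Z",
    },
    "versions": {
        "1.0.0": {"_npmUser": {"name": "alice"}, "dist": {}},
        "1.0.1": {"_npmUser": {"name": "bob"}, "dist": {}},
        "1.0.2": {"_npmUser": {"name": "alice"}, "dist": {}},
        "1.0.3": {
            "_npmUser": {"name": "alice"},
            "dist": {
                "attestations": {  # constructed; shape mirrors the registry field
                    "url": "https://registry.npmjs.org/-/npm/v1/attestations/@example%2fconstructed-pkg@1.0.3",
                    "provenance": {"predicateType": "https://slsa.dev/provenance/v1"},
                }
            },
        },
    },
}


def published_versions(packument: Dict) -> List[str]:
    """Version strings in publish order, taken from the `time` map.

    Chronology rather than semver order is what matters for a publisher-change
    check: the question is which account acted *next*, not which version is higher.
    """
    times = {v: t for v, t in packument["time"].items() if v in packument["versions"]}
    return sorted(times, key=times.__getitem__)


def publisher_of(version_doc: Dict) -> Optional[str]:
    """The npm account the registry recorded for this publish (None if absent)."""
    return (version_doc.get("_npmUser") or {}).get("name")


def has_provenance(version_doc: Dict) -> bool:
    """True when the registry lists a provenance attestation for this tarball.

    Metadata only: `npm audit signatures` does the actual Sigstore verification.
    """
    attestations = (version_doc.get("dist") or {}).get("attestations") or {}
    return "provenance" in attestations


def audit(packument: Dict) -> List[Dict]:
    """Walk versions in publish order; emit publisher-changed / no-provenance findings."""
    findings: List[Dict] = []
    previous: Optional[str] = None
    for version in published_versions(packument):
        doc = packument["versions"][version]
        who = publisher_of(doc)
        when = packument["time"][version][:10]
        if previous is not None and who != previous:
            findings.append({"version": version, "rule": "publisher-changed",
                             "detail": f"{previous} -> {who} on {when}", "accepted": False})
        if not has_provenance(doc):
            findings.append({"version": version, "rule": "no-provenance",
                             "detail": "dist.attestations.provenance absent", "accepted": False})
        previous = who
    return findings


def apply_accepted_risks(findings: List[Dict], accepted_rules: set) -> List[Dict]:
    """Label findings whose rule a reviewer accepted; they are kept, never dropped."""
    return [dict(f, accepted=f["rule"] in accepted_rules) for f in findings]


def blocking(findings: List[Dict]) -> List[Dict]:
    """Findings that should still fail a policy gate after accepted risks are applied."""
    return [f for f in findings if not f["accepted"]]


if __name__ == "__main__":
    results = apply_accepted_risks(audit(SAMPLE_PACKUMENT), {"no-provenance"})
    for f in results:
        flag = "[Accepted risk] " if f["accepted"] else ""
        print(f"v{f['version']}: {flag}{f['rule']}: {f['detail']}")
    print(f"{len(blocking(results))} blocking finding(s)")
```

On the constructed data this reports five findings, of which the two publisher changes (alice to bob, bob back to alice) remain blocking once no-provenance is accepted. To run it against a real package, load the registry packument with `json.load` in place of `SAMPLE_PACKUMENT`. Two caveats a practitioner should keep in mind: `_npmUser` is whatever account (or, for provenance-enabled CI publishes, whatever identity) the registry recorded, so a stolen token shows the same name as the legitimate maintainer; and a present attestation is only a hint until its signature is verified (`npm audit signatures` in a project that installs the package) and its predicate is checked against the expected source repository and build workflow.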
Versions (showing 26 of 26)
| Version | Deps | Published |
|---|---|---|
| 0.0.934 | 16 / 3 | |
| 0.0.933 | 16 / 3 | |
| 0.0.932 | 16 / 3 | |
| 0.0.931 | 16 / 3 | |
| 0.0.930 | 16 / 3 | |
| 0.0.929 | 16 / 3 | |
| 0.0.928 | 16 / 3 | |
| 0.0.927 | 16 / 3 | |
| 0.0.926 | 16 / 3 | |
| 0.0.925 | 16 / 3 | |
| 0.0.924 | 16 / 3 | |
| 0.0.923 | 16 / 3 | |
| 0.0.922 | 16 / 3 | |
| 0.0.921 | 16 / 3 | |
| 0.0.920 | 16 / 3 | |
| 0.0.919 | 16 / 3 | |
| 0.0.918 | 16 / 3 | |
| 0.0.917 | 16 / 3 | |
| 0.0.916 | 16 / 3 | |
| 0.0.915 | 16 / 3 | |
| 0.0.914 | 16 / 3 | |
| 0.0.913 | 16 / 3 | |
| 0.0.912 | 16 / 3 | |
| 0.0.911 | 16 / 3 | |
| 0.0.910 | 16 / 3 | |
| 0.0.909 | 17 / 3 | |
v0.0.934
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.933
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.932
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.930
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.929
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.928
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.927
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.926
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.925
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.924
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.923
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.922
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.921
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.920
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.919
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.918
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.917
2 findings: This version was published by a different npm account than previous versions on 2025-08-19. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.916
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.915
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.914
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.913
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.912
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.911
2 findings: This version was published by a different npm account than previous versions on 2025-07-14. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.910
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.909
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.