@tencentcloud/ai-desk-customer-vue
Vue2/Vue3 UIKit for AI Desk
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): Legitimate Tencent org publisher with prior approved versions; inactivity gap consistent with product release cadence, not takeover. | ai | |
| dependencies | unvetted-dep:@tencentcloud/universal-api | AI (dependencies): First-party Tencent Cloud dependency; same org scope as this package. | ai | |
| dependencies | unvetted-dep:@tencentcloud/tui-core | AI (dependencies): First-party Tencent Cloud dependency; same org scope as this package. | ai | |
| dependencies | unvetted-dep:@tencentcloud/tui-emoji-plugin | AI (dependencies): First-party Tencent Cloud dependency; same org scope as this package. | ai | |
| dependencies | unvetted-dep:@tencentcloud/chat-uikit-engine | AI (dependencies): First-party Tencent Cloud dependency; same org scope as this package. | ai | |
| dependencies | unvetted-dep:mp-html | AI (dependencies): Well-known WeChat mini-program HTML renderer; stable open-source library. | ai | |
| dependencies | unvetted-dep:js-audio-recorder | AI (dependencies): Known audio recording utility; expected dependency for a customer service chat UIKit. | ai | |
| dependencies | unvetted-dep:countries-and-timezones | AI (dependencies): Well-known utility library with no security concerns. | ai | |
| phantom-deps | phantom-dep:dayjs | AI (phantom-deps): Declared in package.json; phantom-dep heuristic false positive for this bundled UIKit. | ai | |
| phantom-deps | phantom-dep:lodash | AI (phantom-deps): Declared in package.json; phantom-dep heuristic false positive for this bundled UIKit. | ai | |
| phantom-deps | phantom-dep:mp-html | AI (phantom-deps): Declared in package.json; phantom-dep heuristic false positive for this bundled UIKit. | ai | |
| phantom-deps | phantom-dep:@types/lodash | AI (phantom-deps): Type-only package; framework-scoped, expected false positive. | ai | |
| phantom-deps | phantom-dep:vue-clipboard3 | AI (phantom-deps): Declared in package.json; phantom-dep heuristic false positive for this bundled UIKit. | ai | |
| phantom-deps | phantom-dep:@tencentcloud/tui-emoji-plugin | AI (phantom-deps): First-party same-org dependency; phantom-dep false positive. | ai | |
| provenance | no-provenance | AI (provenance): Tencent Cloud org package; lack of Sigstore provenance is common and not a disqualifier here. | ai | |
| phantom-deps | phantom-dep:@tiptap/extension-text | AI (phantom-deps): Bundled tiptap dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@tiptap/extension-mention | AI (phantom-deps): Bundled tiptap dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@tiptap/extension-document | AI (phantom-deps): Bundled tiptap dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@tiptap/extension-paragraph | AI (phantom-deps): Bundled tiptap dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@tiptap/extension-placeholder | AI (phantom-deps): Bundled tiptap dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:js-audio-recorder | AI (phantom-deps): Declared dep referenced in config; phantom-dep heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:tim-upload-plugin | AI (phantom-deps): Declared Tencent dep referenced in config; phantom-dep heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:countries-and-timezones | AI (phantom-deps): Declared dep referenced in config; phantom-dep heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:@tiptap/core | AI (phantom-deps): Bundled tiptap dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@tiptap/suggestion | AI (phantom-deps): Bundled tiptap dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@tiptap/pm | AI (phantom-deps): Bundled tiptap dep; phantom-dep heuristic fires on bundled/config-referenced packages. | ai | |
Versions (showing 25 of 25)
| Version | Deps | Published |
|---|---|---|
| 1.7.4 | 15 / 0 | |
| 1.7.3 | 15 / 0 | |
| 1.7.2 | 15 / 0 | |
| 1.6.10 | 17 / 0 | |
| 1.6.9 | 17 / 0 | |
| 1.6.8 | 16 / 0 | |
| 1.6.7 | 19 / 0 | |
| 1.6.6 | 21 / 0 | |
| 1.6.4 | 21 / 0 | |
| 1.6.3 | 21 / 0 | |
| 1.6.2 | 21 / 0 | |
| 1.6.0 | 21 / 0 | |
| 1.5.11 | 20 / 0 | |
| 1.5.10 | 20 / 0 | |
| 1.5.9 | 20 / 0 | |
| 1.5.8 | 20 / 0 | |
| 1.5.6 | 20 / 0 | |
| 1.5.5 | 20 / 0 | |
| 1.5.4 | 20 / 0 | |
| 1.5.3 | 19 / 0 | |
| 1.5.2 | 19 / 0 | |
| 1.5.1 | 19 / 0 | |
| 1.5.0 | 19 / 0 | |
| 1.4.0 | 19 / 0 | |
| 1.3.0 | 19 / 0 | |
v1.7.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.6.10
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.6.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.6.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.11
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.10
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.