@tencentcloud/chat-uikit-vue
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:vue-clipboard3 | AI (phantom-deps): Optional integration dep; stable false positive for this UIKit package. | ai | |
| phantom-deps | phantom-dep:@tencentcloud/call-uikit-vue | AI (phantom-deps): Same-org optional integration; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@tencentcloud/call-uikit-vue2 | AI (phantom-deps): Same-org optional integration; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@tencentcloud/roomkit-web-vue3 | AI (phantom-deps): Same-org optional integration; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@tencentcloud/call-uikit-vue2.6 | AI (phantom-deps): Same-org optional integration; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@tiptap/extension-paragraph | AI (phantom-deps): Same dual dep/peerDep pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@tiptap/extension-hard-break | AI (phantom-deps): Same dual dep/peerDep pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@tiptap/core | AI (phantom-deps): Declared as both dep and peerDep; phantom-dep heuristic fires incorrectly on this dual-declaration pattern. | ai | |
| phantom-deps | phantom-dep:@tencentcloud/tui-emoji-plugin | AI (phantom-deps): Same org scope; phantom-dep heuristic fires incorrectly, package is legitimately used. | ai | |
| phantom-deps | phantom-dep:@types/marked | AI (phantom-deps): Type-only package; not directly imported at runtime by convention. | ai | |
| phantom-deps | phantom-dep:@tiptap/extension-placeholder | AI (phantom-deps): Same dual dep/peerDep pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@tiptap/pm | AI (phantom-deps): Same dual dep/peerDep pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@tiptap/extension-text | AI (phantom-deps): Same dual dep/peerDep pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@tiptap/extension-mention | AI (phantom-deps): Same dual dep/peerDep pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@tiptap/extension-document | AI (phantom-deps): Same dual dep/peerDep pattern; stable false positive for this package. | ai |
Versions (showing 4 of 4)
| Version | Deps | Published |
|---|---|---|
| 3.0.2 | 21 / 0 | |
| 3.0.1 | 21 / 0 | |
| 3.0.0 | 21 / 0 | |
| 2.3.3 | 20 / 0 |
v3.0.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.3.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.