@things-factory/sales-ui
UI module that handles sales order
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-added | AI (maintainer-change): Same org context; publisher track record supports legitimate transition. | ai | |
| provenance | publisher-changed | AI (provenance): wengliang95 is an established publisher in the @things-factory org with 431 approved packages; likely account rename from horwengliang95. | ai | |
| phantom-deps | phantom-dep:@things-factory/i18n-base | AI (phantom-deps): Same-org monorepo dep; phantom-dep heuristic fires on indirect/re-exported usage patterns common in this package family. | ai | |
| phantom-deps | phantom-dep:@things-factory/sales-base | AI (phantom-deps): Same-org scoped dep declared in package.json; phantom-dep heuristic is a stable false positive for this monorepo package. | ai |
Versions (showing 51 of 111)
| Version | Deps | Published |
|---|---|---|
| 8.0.92 | 9 / 0 | |
| 8.0.90 | 9 / 0 | |
| 8.0.89 | 9 / 0 | |
| 8.0.88 | 9 / 0 | |
| 8.0.87 | 9 / 0 | |
| 8.0.86 | 9 / 0 | |
| 8.0.76 | 9 / 0 | |
| 8.0.75 | 9 / 0 | |
| 8.0.74 | 9 / 0 | |
| 8.0.72 | 9 / 0 | |
| 8.0.71 | 9 / 0 | |
| 8.0.69 | 9 / 0 | |
| 8.0.68 | 9 / 0 | |
| 8.0.67 | 9 / 0 | |
| 8.0.64 | 9 / 0 | |
| 8.0.63 | 9 / 0 | |
| 4.3.822 | 9 / 0 | |
| 4.3.820 | 9 / 0 | |
| 4.3.819 | 9 / 0 | |
| 4.3.818 | 9 / 0 | |
| 4.3.817 | 9 / 0 | |
| 4.3.816 | 9 / 0 | |
| 4.3.815 | 9 / 0 | |
| 4.3.806 | 9 / 0 | |
| 4.3.805 | 9 / 0 | |
| 4.3.804 | 9 / 0 | |
| 4.3.799 | 9 / 0 | |
| 4.3.798 | 9 / 0 | |
| 4.3.795 | 9 / 0 | |
| 4.3.794 | 9 / 0 | |
| 4.3.793 | 9 / 0 | |
| 4.3.792 | 9 / 0 | |
| 4.3.791 | 9 / 0 | |
| 4.3.790 | 9 / 0 | |
| 4.3.789 | 9 / 0 | |
| 4.3.788 | 9 / 0 | |
| 4.3.787 | 9 / 0 | |
| 4.3.784 | 9 / 0 | |
| 4.3.783 | 9 / 0 | |
| 4.3.782 | 9 / 0 | |
| 4.3.780 | 9 / 0 | |
| 4.3.779 | 9 / 0 | |
| 4.3.778 | 9 / 0 | |
| 4.3.777 | 9 / 0 | |
| 4.3.776 | 9 / 0 | |
| 4.3.774 | 9 / 0 | |
| 4.3.772 | 9 / 0 | |
| 4.3.771 | 9 / 0 | |
| 4.3.770 | 9 / 0 | |
| 4.3.769 | 9 / 0 | |
| 4.3.767 | 9 / 0 |
v8.0.92
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (nalshya113) than the most recent previously approved version (horwengliang95) on 2026-04-23, but nalshya113 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v8.0.90
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.89
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.88
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (nalshya113) than the most recent previously approved version (wengliang95) on 2026-03-30, but nalshya113 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v8.0.87
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (nalshya113) than the most recent previously approved version (wengliang95) on 2026-03-30, but nalshya113 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v8.0.86
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (nalshya113) than the most recent previously approved version (wengliang95) on 2026-03-05, but nalshya113 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v8.0.76
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.75
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.74
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.72
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.71
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (nalshya113) than the most recent previously approved version (horwengliang95) on 2025-12-08, but nalshya113 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v8.0.69
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.68
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.67
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.64
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.63
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.822
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.820
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.819
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.818
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.817
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (horwengliang95) than the most recent previously approved version (nalshya113) on 2026-04-19, but horwengliang95 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v4.3.816
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (horwengliang95) than the most recent previously approved version (nalshya113) on 2026-04-17, but horwengliang95 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v4.3.815
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (horwengliang95) than the most recent previously approved version (nalshya113) on 2026-04-16, but horwengliang95 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v4.3.806
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (wengliang95) than the most recent previously approved version (nalshya113) on 2026-04-12, but wengliang95 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v4.3.805
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (wengliang95) than the most recent previously approved version (nalshya113) on 2026-04-10, but wengliang95 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v4.3.804
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (wengliang95) than the most recent previously approved version (nalshya113) on 2026-04-10, but wengliang95 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v4.3.799
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (wengliang95) than the most recent previously approved version (nalshya113) on 2026-04-06, but wengliang95 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v4.3.798
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.795
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.794
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.793
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.792
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.791
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.790
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.789
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.788
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.787
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.784
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.783
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.782
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.780
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.779
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.778
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.777
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.776
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.774
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.772
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.771
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.770
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.769
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.767
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.