@toptal/picasso-input-adornment

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

talbot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	missing-githead	AI (provenance): SLSA provenance attestation present; gitHead absence is a metadata gap, not a security risk for this established Toptal package.	ai	2026/05/27
dependencies	unvetted-dep:@toptal/picasso-icons	AI (dependencies): Internal sibling dep from Toptal's picasso monorepo; stable false positive for this package family.	ai	2026/05/21
dependencies	unvetted-dep:@toptal/picasso-utils	AI (dependencies): Internal sibling dep from Toptal's picasso monorepo; stable false positive for this package family.	ai	2026/05/21
dependencies	unvetted-dep:@toptal/picasso-container	AI (dependencies): Internal sibling dep from Toptal's picasso monorepo; stable false positive for this package family.	ai	2026/05/21
dependencies	unvetted-peer-dep:@toptal/picasso-tailwind-merge	AI (dependencies): Internal sibling peer dep from Toptal's picasso monorepo; stable false positive for this package family.	ai	2026/05/21

Versions (showing 7 of 7)

Version	Deps	Published
4.0.1	4 / 2	2026-05-22
4.0.0	4 / 2	2026-03-31
3.0.18	4 / 2	2026-02-12
3.0.17	4 / 2	2026-02-05
3.0.16	4 / 2	2025-12-10
3.0.15	4 / 2	2025-11-26
3.0.14	4 / 2	2025-11-26

v4.0.1

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance