@trilogy-ds/react
Trilogy react framework design system for Bouygues Telecom
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:react-native-modal | AI (dependencies): Standard React Native UI dependency for a corporate design system; expected and stable across versions. | ai | |
| dependencies | unvetted-dep:@trilogy-ds/locales | AI (dependencies): First-party Bouygues Telecom locales package within the same trilogy-ds namespace. | ai | |
| dependencies | unvetted-dep:@ptomasroos/react-native-multi-slider | AI (dependencies): Known React Native slider component; stable dependency for this design system. | ai | |
| dependencies | unvetted-dep:@react-native-picker/picker | AI (dependencies): Official React Native community picker component; expected dependency for this package. | ai | |
| phantom-deps | phantom-dep:react-native-gesture-handler | AI (phantom-deps): Platform-specific peer/native dep for React Native; not directly imported by design. | ai | |
| phantom-deps | phantom-dep:@react-native-picker/picker | AI (phantom-deps): Platform-specific binary package; phantom-dep heuristic is a known false positive for RN native modules. | ai | |
| phantom-deps | phantom-dep:shortid | AI (phantom-deps): Utility dep referenced in config; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:color | AI (phantom-deps): Design system package; color is a utility dep used in config/style logic, not a direct import concern. | ai | |
| phantom-deps | phantom-dep:rollup-plugin-copy | AI (phantom-deps): Build-time tool referenced in config files only; not a runtime concern. | ai | |
| license | uncommon-license:UNLICENSED | AI (license): Proprietary Bouygues Telecom internal package; UNLICENSED is intentional across all versions. | ai | |
Versions (showing 12 of 12)
| Version | Deps | Published |
|---|---|---|
| 4.17.0 | 10 / 1 | |
| 4.16.3 | 14 / 1 | |
| 4.16.2 | 14 / 1 | |
| 4.16.1 | 14 / 1 | |
| 4.15.3 | 13 / 1 | |
| 4.14.4 | 13 / 1 | |
| 4.14.2 | 13 / 1 | |
| 4.14.0 | 13 / 1 | |
| 4.12.1 | 14 / 1 | |
| 4.12.0 | 14 / 1 | |
| 4.11.0 | 14 / 0 | |
| 4.5.1 | 14 / 0 | |
v4.16.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.16.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.16.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.15.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.14.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.14.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.14.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.12.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.12.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.11.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.5.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.