@ui5/webcomponents
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/generated/themes/sap_horizon_auto/parameters-bundle.css.d.ts | AI (source-diff): Generated .d.ts files with inlined CSS theme bundles; long lines are CSS custom properties, not obfuscation. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/generated/themes/sap_horizon_hc_auto/parameters-bundle.css.d.ts | AI (source-diff): Same generated CSS theme bundle pattern; not obfuscation. Stable for this package. | ai | |
| source-diff | obfuscated-file:dist/generated/templates/CalendarTemplate.lit.js | AI (source-diff): LitElement template bundle; standard build artifact for @ui5/webcomponents. | ai | |
| source-diff | obfuscated-file:dist/generated/themes/Badge.css.js | AI (source-diff): Minified CSS-in-JS theme bundle; standard build artifact for @ui5/webcomponents. | ai | |
| source-diff | obfuscated-file:dist/generated/templates/CalendarHeaderTemplate.lit.js | AI (source-diff): LitElement template bundle; standard build artifact for @ui5/webcomponents. | ai | |
| source-diff | obfuscated-file:dist/generated/templates/ColorPickerTemplate.lit.js | AI (source-diff): LitElement template bundle; standard build artifact for @ui5/webcomponents. | ai | |
| source-diff | obfuscated-file:dist/generated/templates/DatePickerPopoverTemplate.lit.js | AI (source-diff): LitElement template bundle; standard build artifact for @ui5/webcomponents. | ai | |
| source-diff | obfuscated-file:dist/generated/templates/DateTimePickerPopoverTemplate.lit.js | AI (source-diff): LitElement template bundle; standard build artifact for @ui5/webcomponents. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): ui5-bot is SAP's automation account; stable addition for this package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New files are theme CSS bundles (sap_horizon_auto variants); expected growth for a UI component library. | ai | |
| provenance | publisher-changed | AI (provenance): SAP UI5 migrated publishing to GitHub Actions CI; consistent with org-wide automation change. | ai | |
| dependencies | unvetted-dep:@ui5/webcomponents-icons-tnt | AI (dependencies): Sibling monorepo package from SAP; always released in lockstep with this package. | ai | |
| dependencies | unvetted-dep:@ui5/webcomponents-base | AI (dependencies): Sibling monorepo package from SAP; always released in lockstep with this package. | ai | |
| dependencies | unvetted-dep:@ui5/webcomponents-theming | AI (dependencies): Sibling monorepo package from SAP; always released in lockstep with this package. | ai | |
| dependencies | unvetted-dep:@ui5/webcomponents-icons | AI (dependencies): Sibling monorepo package from SAP; always released in lockstep with this package. | ai | |
| dependencies | unvetted-dep:@ui5/webcomponents-localization | AI (dependencies): Sibling monorepo package from SAP; always released in lockstep with this package. | ai | |
| dependencies | unvetted-dep:@ui5/webcomponents-icons-business-suite | AI (dependencies): Sibling monorepo package from SAP; always released in lockstep with this package. | ai | |
| provenance | no-provenance | AI (provenance): Established SAP OSS package; provenance absence is common and not a risk signal here. | ai | |
Versions (showing 17 of 17)
| Version | Deps | Published |
|---|---|---|
| 2.22.0 | 6 / 8 | |
| 2.21.2 | 6 / 8 | |
| 2.21.1 | 6 / 8 | |
| 2.21.0 | 6 / 8 | |
| 2.20.4 | 6 / 8 | |
| 2.20.3 | 6 / 8 | |
| 2.19.4 | 6 / 8 | |
| 2.18.2 | 6 / 8 | |
| 2.17.2 | 6 / 8 | |
| 2.16.3 | 6 / 10 | |
| 2.15.5 | 6 / 10 | |
| 2.15.4 | 6 / 10 | |
| 2.14.1 | 6 / 6 | |
| 2.12.0 | 6 / 6 | |
| 2.10.1 | 6 / 6 | |
| 1.24.28 | 6 / 2 | |
| 1.24.27 | 6 / 2 | |
v2.22.0
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.21.2
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.21.1
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.21.0
2 findings:
This version was published by a different npm account than previous versions on 2026-04-07. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.20.4
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.20.3
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.19.4
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.18.2
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.17.2
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.16.3
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.15.5
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.15.4
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.14.1
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.12.0
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.10.1
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.24.28
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.24.27
7 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.