@ui5/webcomponents-tools
UI5 Web Components: webcomponents.tools
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-removed | AI (maintainer-change): SAP org consolidation to sap-ospo-admin; SLSA provenance confirms CI/CD publish pipeline integrity. | ai | |
| dependencies | unvetted-dep:cypress-real-events | AI (dependencies): Standard Cypress testing plugin; consistent with this build-tools package's test infrastructure. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-cypress | AI (phantom-deps): Config-file reference pattern typical for this build-tools package. | ai | |
| phantom-deps | phantom-dep:command-line-args | AI (phantom-deps): Config-file reference pattern typical for this build-tools package. | ai | |
| dependencies | unvetted-dep:@cypress/code-coverage | AI (dependencies): Standard Cypress code coverage plugin; consistent with this build-tools package's test infrastructure. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): ui5-bot addition is consistent with SAP's automation pipeline for this long-running package. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Package has 673 versions; dormancy signal is a false positive for this actively maintained SAP package. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change reflects CI/CD automation (GitHub Actions) for a well-established SAP/UI5 package with SLSA attestation. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Major version bump (v1→v2) naturally adds many source files; SLSA provenance confirms CI/CD origin. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): Major version bump with legitimate build tooling refactor; new deps are well-known utilities. | ai | |
| dependencies | unvetted-dep:chokidar-cli | AI (dependencies): Well-known file-watcher CLI; expected dev/build tooling dependency. | ai | |
| dependencies | unvetted-dep:handlebars | AI (dependencies): Established templating library; standard dependency for UI5 tooling across many versions. | ai | |
| phantom-deps | phantom-dep:wdio-chromedriver-service | AI (phantom-deps): Referenced in shipped WDIO config files; stable false positive. | ai | |
| phantom-deps | phantom-dep:resolve | AI (phantom-deps): Tooling package ships config files referencing deps not directly imported; stable pattern across versions. | ai | |
| phantom-deps | phantom-dep:is-port-reachable | AI (phantom-deps): Same tooling config pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-import | AI (phantom-deps): ESLint plugin referenced in shipped config files; stable false positive. | ai | |
| phantom-deps | phantom-dep:vite-plugin-istanbul | AI (phantom-deps): Referenced in shipped config files; stable false positive for this tooling package. | ai | |
| phantom-deps | phantom-dep:@typescript-eslint/parser | AI (phantom-deps): Referenced in shipped ESLint config files; stable false positive. | ai | |
| phantom-deps | phantom-dep:eslint-config-airbnb-base | AI (phantom-deps): Referenced in shipped ESLint config files; stable false positive. | ai | |
| phantom-deps | phantom-dep:@wdio/static-server-service | AI (phantom-deps): Referenced in shipped WDIO config files; stable false positive. | ai | |
| phantom-deps | phantom-dep:@typescript-eslint/eslint-plugin | AI (phantom-deps): Referenced in shipped ESLint config files; stable false positive. | ai | |
| phantom-deps | phantom-dep:@custom-elements-manifest/analyzer | AI (phantom-deps): Referenced in shipped config files; stable false positive for this tooling package. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-jsx-no-leaked-values | AI (phantom-deps): Referenced in shipped ESLint config files; stable false positive. | ai | |
| phantom-deps | phantom-dep:cross-env | AI (phantom-deps): CLI tool used in scripts; not directly imported in JS. | ai | |
| phantom-deps | phantom-dep:postcss-cli | AI (phantom-deps): CLI tool used in scripts; not directly imported in JS. | ai | |
| phantom-deps | phantom-dep:eslint | AI (phantom-deps): Config-referenced tool; stable false positive for this tooling package. | ai | |
| phantom-deps | phantom-dep:mkdirp | AI (phantom-deps): CLI tool used in scripts; not directly imported in JS. | ai | |
| phantom-deps | phantom-dep:slash | AI (phantom-deps): Utility referenced in config files; stable false positive. | ai | |
| phantom-deps | phantom-dep:rimraf | AI (phantom-deps): CLI tool used in scripts; not directly imported in JS. | ai | |
| phantom-deps | phantom-dep:concurrently | AI (phantom-deps): CLI tool used in scripts; not directly imported in JS. | ai | |
| phantom-deps | phantom-dep:chokidar-cli | AI (phantom-deps): CLI tool used in scripts; not directly imported in JS. | ai | |
| phantom-deps | phantom-dep:nps | AI (phantom-deps): CLI tool dependency referenced in config files; stable false positive for this tooling package. | ai | |
| phantom-deps | phantom-dep:@wdio/mocha-framework | AI (phantom-deps): Test runner plugin; referenced in config, not directly imported. | ai | |
| phantom-deps | phantom-dep:chai | AI (phantom-deps): Test framework referenced in config; not directly imported in main code. | ai | |
| phantom-deps | phantom-dep:json-beautify | AI (phantom-deps): Referenced in config/scripts; stable false positive for this tooling package. | ai | |
| phantom-deps | phantom-dep:esprima | AI (phantom-deps): Referenced in config files; stable false positive for this tooling package. | ai | |
| phantom-deps | phantom-dep:escodegen | AI (phantom-deps): Referenced in config files; stable false positive for this tooling package. | ai | |
| phantom-deps | phantom-dep:@wdio/cli | AI (phantom-deps): Test runner CLI; referenced in config, not directly imported. | ai | |
| phantom-deps | phantom-dep:@wdio/dot-reporter | AI (phantom-deps): Test runner plugin; referenced in config, not directly imported. | ai | |
| phantom-deps | phantom-dep:@wdio/local-runner | AI (phantom-deps): Test runner plugin; referenced in config, not directly imported. | ai | |
| phantom-deps | phantom-dep:@wdio/spec-reporter | AI (phantom-deps): Test runner plugin; referenced in config, not directly imported. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Build/dev tooling package; child_process use is core to its purpose of running build commands. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Build tool passing env to child processes is standard; merges process.env with explicit envs for subprocess execution. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Loads user-defined package scripts by resolved path — standard plugin/script-runner pattern for this build tool. | ai | |
Versions (showing 14 of 14)
| Version | Deps | Published |
|---|---|---|
| 2.22.0 | 45 / 2 | |
| 2.21.2 | 45 / 2 | |
| 2.21.1 | 45 / 2 | |
| 2.21.0 | 45 / 2 | |
| 2.19.4 | 45 / 2 | |
| 2.18.2 | 45 / 2 | |
| 2.17.2 | 45 / 2 | |
| 2.16.2 | 47 / 2 | |
| 2.16.0 | 47 / 2 | |
| 2.15.5 | 47 / 2 | |
| 2.15.2 | 47 / 2 | |
| 2.10.0 | 47 / 2 | |
| 2.7.5 | 52 / 4 | |
| 1.24.27 | 46 / 2 | |
v2.22.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.21.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.21.1
3 findings: Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/UI5/webcomponents/blob/3b3a9f29d41926e67d61402cd0db1daacaaa0f26/bin/ui5nps.js#L215

```
  213 |
  214 |     verboseLog(` | Executing command ${commandName} as command.\n Running: ${command}`);
> 215 |     const child = exec(command, { stdio: "inherit", env: { ...process.env, ...this.envs } });
  216 |
  217 |     child.stdout.on("data", (data) => {
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/UI5/webcomponents/blob/3b3a9f29d41926e67d61402cd0db1daacaaa0f26/bin/ui5nps.js#L293

```
  291 |
  292 | (async () => {
> 293 |     process.env = { ...process.env, ...parser.envs };
  294 |
  295 |     for (const commandName of commands) {
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.21.0
2 findings: This version was published by a different npm account than previous versions on 2026-04-07. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.19.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.18.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.17.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.16.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.16.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.15.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.15.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.10.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.24.27
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.