@uxf/wysiwyg
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Long-lived internal UXF package; no provenance is consistent across all 339 versions. | ai | |
| phantom-deps | phantom-dep:slate-history | AI (phantom-deps): slate-history is a peer/transitive dep commonly declared but not directly imported in editor wrappers. | ai | |
| phantom-deps | phantom-dep:slate-hyperscript | AI (phantom-deps): slate-hyperscript declared for config/testing use; stable false positive for this editor package. | ai | |
| phantom-deps | phantom-dep:@udecode/plate-code-block | AI (phantom-deps): Plate plugin declared as dep and used via config; not directly imported in all files — stable FP. | ai |
Versions (showing 51 of 72)
| Version | Deps | Published |
|---|---|---|
| 11.119.0 | 0 / 29 | |
| 11.118.2 | 0 / 29 | |
| 11.118.0 | 0 / 29 | |
| 11.117.2 | 0 / 29 | |
| 11.115.0 | 0 / 29 | |
| 11.114.0 | 0 / 29 | |
| 11.113.0 | 0 / 29 | |
| 11.112.1 | 0 / 29 | |
| 11.112.0 | 0 / 29 | |
| 11.111.2 | 0 / 29 | |
| 11.111.1 | 0 / 29 | |
| 11.111.0 | 0 / 29 | |
| 11.110.1 | 0 / 29 | |
| 11.110.0 | 0 / 29 | |
| 11.109.2 | 0 / 29 | |
| 11.108.0 | 0 / 29 | |
| 11.107.0 | 22 / 7 | |
| 11.106.0 | 22 / 4 | |
| 11.105.0 | 22 / 4 | |
| 11.104.0 | 22 / 4 | |
| 11.102.0 | 22 / 4 | |
| 11.101.0 | 22 / 4 | |
| 11.100.1 | 22 / 4 | |
| 11.100.0 | 22 / 4 | |
| 11.99.1 | 22 / 4 | |
| 11.99.0 | 22 / 4 | |
| 11.97.0 | 22 / 4 | |
| 11.96.1 | 22 / 4 | |
| 11.95.1 | 22 / 4 | |
| 11.95.0 | 22 / 4 | |
| 11.94.0 | 22 / 4 | |
| 11.93.3 | 22 / 4 | |
| 11.93.1 | 22 / 4 | |
| 11.93.0 | 22 / 4 | |
| 11.92.3 | 22 / 4 | |
| 11.92.2 | 22 / 4 | |
| 11.92.1 | 22 / 4 | |
| 11.92.0 | 22 / 4 | |
| 11.91.0 | 22 / 4 | |
| 11.90.1 | 22 / 4 | |
| 11.90.0 | 22 / 4 | |
| 11.89.0 | 22 / 4 | |
| 11.88.2 | 22 / 4 | |
| 11.88.1 | 22 / 4 | |
| 11.88.0 | 22 / 4 | |
| 11.87.0 | 22 / 4 | |
| 11.86.0 | 22 / 4 | |
| 11.85.0 | 22 / 4 | |
| 11.80.6 | 22 / 4 | |
| 11.80.4 | 22 / 4 | |
| 11.80.2 | 22 / 4 |
v11.119.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.118.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.118.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.117.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.115.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.114.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.109.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.108.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.107.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.106.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.105.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.104.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.102.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.101.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.100.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.100.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.99.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.99.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.97.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.96.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.95.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.95.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.94.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.93.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.93.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.93.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.92.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.92.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.92.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.92.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.91.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.90.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.90.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.89.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.88.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.88.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.88.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.87.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.86.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.85.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.80.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.80.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.80.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.