@vaadin/vaadin-core — Greenflagged

Vaadin components is an evolving set of free, open sourced custom HTML elements for building mobile and desktop web applications in modern browsers.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

web-padawandiegocardosoalvarezguilleplatoshajounimanoloyuriyyevvaadin-ownertomivirkkiartur-sunzhewyqsissbruecker

Keywords

vaadincoreelementswebcomponentswebcomponentsweb-components

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:@vaadin/badge	AI (dependencies): Same-org @vaadin scoped package at matching version; consistent with Vaadin component library pattern.	ai	2026/06/01
dependencies	unvetted-dep:@vaadin/slider	AI (dependencies): Same-org @vaadin scoped package at matching version; consistent with Vaadin component library pattern.	ai	2026/06/01
phantom-deps	phantom-dep:@polymer/iron-a11y-keys-behavior	AI (phantom-deps): Metapackage aggregator; phantom deps are expected for re-exported subcomponents.	ai	2026/05/30
phantom-deps	phantom-dep:@vaadin/vaadin-material-styles	AI (phantom-deps): Metapackage aggregator; phantom deps are expected for re-exported subcomponents.	ai	2026/05/30
phantom-deps	phantom-dep:@polymer/iron-overlay-behavior	AI (phantom-deps): Metapackage aggregator; phantom deps are expected for re-exported subcomponents.	ai	2026/05/30
phantom-deps	phantom-dep:@vaadin/vaadin-themable-mixin	AI (phantom-deps): Metapackage aggregator; phantom deps are expected for re-exported subcomponents.	ai	2026/05/30
phantom-deps	phantom-dep:@vaadin/vaadin-element-mixin	AI (phantom-deps): Metapackage aggregator; phantom deps are expected for re-exported subcomponents.	ai	2026/05/30
phantom-deps	phantom-dep:@polymer/iron-a11y-announcer	AI (phantom-deps): Metapackage aggregator; phantom deps are expected for re-exported subcomponents.	ai	2026/05/30
phantom-deps	phantom-dep:@polymer/iron-fit-behavior	AI (phantom-deps): Metapackage aggregator; phantom deps are expected for re-exported subcomponents.	ai	2026/05/30
phantom-deps	phantom-dep:@vaadin/vaadin-list-mixin	AI (phantom-deps): Metapackage aggregator; phantom deps are expected for re-exported subcomponents.	ai	2026/05/30
phantom-deps	phantom-dep:@polymer/iron-media-query	AI (phantom-deps): Metapackage aggregator; phantom deps are expected for re-exported subcomponents.	ai	2026/05/30
phantom-deps	phantom-dep:@polymer/iron-iconset-svg	AI (phantom-deps): Metapackage aggregator; phantom deps are expected for re-exported subcomponents.	ai	2026/05/30
phantom-deps	phantom-dep:@polymer/iron-flex-layout	AI (phantom-deps): Metapackage aggregator; phantom deps are expected for re-exported subcomponents.	ai	2026/05/30
phantom-deps	phantom-dep:@webcomponents/shadycss	AI (phantom-deps): Metapackage aggregator; phantom deps are expected for re-exported subcomponents.	ai	2026/05/30
phantom-deps	phantom-dep:@vaadin/vaadin-messages	AI (phantom-deps): Metapackage aggregator; phantom deps are expected for re-exported subcomponents.	ai	2026/05/30
phantom-deps	phantom-dep:@vaadin/vaadin-menu-bar	AI (phantom-deps): Metapackage aggregator; phantom deps are expected for re-exported subcomponents.	ai	2026/05/30
phantom-deps	phantom-dep:@vaadin/vaadin-overlay	AI (phantom-deps): Metapackage aggregator; phantom deps are expected for re-exported subcomponents.	ai	2026/05/30
phantom-deps	phantom-dep:@vaadin/vaadin-avatar	AI (phantom-deps): Metapackage aggregator; phantom deps are expected for re-exported subcomponents.	ai	2026/05/30
phantom-deps	phantom-dep:@polymer/iron-meta	AI (phantom-deps): Metapackage aggregator; phantom deps are expected for re-exported subcomponents.	ai	2026/05/30
phantom-deps	phantom-dep:@polymer/iron-list	AI (phantom-deps): Metapackage aggregator; phantom deps are expected for re-exported subcomponents.	ai	2026/05/30
phantom-deps	phantom-dep:@polymer/iron-resizable-behavior	AI (phantom-deps): Metapackage aggregator; phantom deps are expected for re-exported subcomponents.	ai	2026/05/30
phantom-deps	phantom-dep:@vaadin/vaadin-icon	AI (phantom-deps): Meta-package re-exports; phantom-deps are expected for aggregator design.	ai	2026/05/28
phantom-deps	phantom-dep:@vaadin/vaadin-button	AI (phantom-deps): Meta-package re-exports; phantom-deps are expected for aggregator design.	ai	2026/05/28
phantom-deps	phantom-dep:@polymer/iron-icon	AI (phantom-deps): Aggregator package re-exports subcomponents; phantom-deps is a stable false positive for this pattern.	ai	2026/05/28
phantom-deps	phantom-dep:@vaadin/vaadin-grid	AI (phantom-deps): Aggregator package re-exports subcomponents; phantom-deps is a stable false positive for this pattern.	ai	2026/05/28
publish-pattern	new-deps-added	AI (publish-pattern): Version 14.x uses Polymer-based @vaadin/vaadin-* and @polymer/iron-* deps; diff vs v24.x is a branch comparison artifact, not a real dep injection.	ai	2026/05/04
provenance	no-provenance	AI (provenance): Vaadin 14 LTS is a legacy branch; lack of Sigstore provenance is expected for this era of releases.	ai	2026/05/04
phantom-deps	phantom-dep:@vaadin/master-detail-layout	AI (phantom-deps): Same-org meta-package; stable false positive.	ai	2026/04/30
phantom-deps	phantom-dep:@vaadin/vaadin-lumo-styles	AI (phantom-deps): Same-org meta-package; stable false positive.	ai	2026/04/30
phantom-deps	phantom-dep:@vaadin/field-highlighter	AI (phantom-deps): Same-org meta-package; stable false positive.	ai	2026/04/30
phantom-deps	phantom-dep:@vaadin/input-container	AI (phantom-deps): Same-org meta-package; stable false positive.	ai	2026/04/30
bogus-package	bogus-package	AI (bogus-package): Meta-package aggregating @vaadin/* components; minimal README and no repo URL is consistent with this pattern across all versions.	ai	2026/04/30
phantom-deps	phantom-dep:@vaadin/lit-renderer	AI (phantom-deps): Same-org meta-package; stable false positive.	ai	2026/04/30
phantom-deps	phantom-dep:@vaadin/field-base	AI (phantom-deps): Same-org meta-package; stable false positive.	ai	2026/04/30
phantom-deps	phantom-dep:@vaadin/a11y-base	AI (phantom-deps): Same-org meta-package; stable false positive.	ai	2026/04/30
phantom-deps	phantom-dep:@vaadin/markdown	AI (phantom-deps): Same-org meta-package; stable false positive.	ai	2026/04/30
phantom-deps	phantom-dep:@vaadin/popover	AI (phantom-deps): Same-org meta-package; stable false positive.	ai	2026/04/30
phantom-deps	phantom-dep:@vaadin/overlay	AI (phantom-deps): Same-org meta-package; stable false positive.	ai	2026/04/30
phantom-deps	phantom-dep:@vaadin/slider	AI (phantom-deps): Same-org meta-package; stable false positive.	ai	2026/04/30
phantom-deps	phantom-dep:@vaadin/router	AI (phantom-deps): Same-org meta-package; stable false positive.	ai	2026/04/30
phantom-deps	phantom-dep:@vaadin/badge	AI (phantom-deps): Same-org meta-package; stable false positive.	ai	2026/04/30
phantom-deps	phantom-dep:@vaadin/card	AI (phantom-deps): Same-org meta-package; stable false positive.	ai	2026/04/30
phantom-deps	phantom-dep:@vaadin/component-base	AI (phantom-deps): Same-org meta-package; stable false positive.	ai	2026/04/30
phantom-deps	phantom-dep:@vaadin/aura	AI (phantom-deps): Same-org meta-package; phantom-dep heuristic is a stable false positive for this aggregator pattern.	ai	2026/04/30
phantom-deps	phantom-dep:@vaadin/vaadin-development-mode-detector	AI (phantom-deps): Same-org meta-package; stable false positive.	ai	2026/04/30
phantom-deps	phantom-dep:@vaadin/vaadin-usage-statistics	AI (phantom-deps): Same-org meta-package; stable false positive.	ai	2026/04/30

Versions (showing 51 of 61)

View all versions

Version	Deps	Published
25.1.6	65 / 0	2026-05-25
25.1.5	65 / 0	2026-05-05
25.1.4	65 / 0	2026-04-29
25.1.3	65 / 0	2026-04-17
25.1.2	65 / 0	2026-04-16
25.1.1	65 / 0	2026-03-30
25.1.0	65 / 0	2026-03-25
25.0.11	63 / 0	2026-05-05
25.0.10	63 / 0	2026-04-28
25.0.9	63 / 0	2026-04-20
25.0.8	63 / 0	2026-03-26
25.0.7	63 / 0	2026-03-10
25.0.6	63 / 0	2026-02-25
25.0.5	63 / 0	2026-02-09
25.0.4	63 / 0	2026-01-28
25.0.3	63 / 0	2026-01-12
25.0.2	63 / 0	2025-12-23
25.0.0	63 / 0	2025-12-17
24.10.6	64 / 0	2026-05-21
24.10.4	64 / 0	2026-05-05
24.10.3	64 / 0	2026-04-27
24.10.1	64 / 0	2026-04-02
24.10.0	64 / 0	2026-03-17
24.9.17	64 / 0	2026-05-05
24.9.16	64 / 0	2026-04-27
24.9.14	64 / 0	2026-04-01
24.9.13	64 / 0	2026-03-10
24.9.12	64 / 0	2026-02-23
24.9.11	64 / 0	2026-02-09
24.9.10	64 / 0	2026-01-28
24.9.9	64 / 0	2026-01-12
24.9.8	64 / 0	2025-12-22
24.9.7	64 / 0	2025-12-11
24.9.6	64 / 0	2025-11-26
24.9.5	64 / 0	2025-11-10
24.8.17	64 / 0	2026-01-29
24.8.16	64 / 0	2025-12-16
24.8.15	64 / 0	2025-12-11
24.8.14	64 / 0	2025-11-26
24.8.13	64 / 0	2025-11-10
24.7.15	62 / 0	2026-01-30
24.6.13	61 / 0	2026-01-30
24.5.15	61 / 0	2026-01-30
24.4.23	60 / 0	2026-01-30
24.3.21	60 / 0	2026-02-01
24.2.13	60 / 0	2026-01-30
24.1.18	60 / 0	2026-02-01
24.1.17	60 / 0	2026-01-30
24.0.15	58 / 0	2026-02-02
23.6.10	100 / 0	2026-05-04
23.6.9	100 / 0	2026-03-11

v25.1.6

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v25.1.5

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v25.1.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v25.1.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v25.1.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v25.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v25.0.11

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v25.0.9

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v25.0.8

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v25.0.7

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v25.0.6

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v25.0.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v25.0.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v25.0.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v25.0.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v25.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v24.10.6

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v24.10.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v24.10.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v24.10.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v24.10.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v24.9.17

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v24.9.16

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v24.9.14

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v24.9.13

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v24.9.12

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v24.9.11

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v24.9.10

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v24.9.9

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v24.9.8

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v24.9.7

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v24.9.6

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v24.9.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v24.8.17

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v24.8.16

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v24.8.15

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v24.8.14

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v24.8.13

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v24.7.15

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v24.6.13

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v24.5.15

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v24.4.23

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v24.3.21

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v24.2.13

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v24.1.18

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v24.1.17

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v24.0.15

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v23.6.10

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v23.6.9

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.