@vendure/dashboard
This is a React-based admin dashboard for Vendure. It is a standalone application that can be extended to suit the needs of any Vendure project.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-added | AI (maintainer-change): dlhck appears to be a legitimate Vendure team addition; SLSA provenance and no script/dep changes corroborate benign handoff. | ai | |
| phantom-deps | phantom-dep:@lingui/vite-plugin | AI (phantom-deps): Config-file-only reference; standard pattern for Vendure dashboard build tooling. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Monorepo package; missing description is cosmetic, not a risk signal. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Monorepo package from official Vendure org; sparse metadata is expected, not a spam indicator. | ai | |
| phantom-deps | phantom-dep:tailwindcss-animate | AI (phantom-deps): CSS animation plugin referenced in Tailwind config, not directly imported in JS — stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@radix-ui/react-avatar | AI (dependencies): Standard Radix UI component; well-known UI library, expected dependency for a dashboard package. | ai | |
| dependencies | unvetted-dep:@radix-ui/react-hover-card | AI (dependencies): Standard Radix UI component; well-known UI library, expected dependency for a dashboard package. | ai | |
| phantom-deps | phantom-dep:@lingui/babel-plugin-lingui-macro | AI (phantom-deps): Babel plugin referenced in config, not directly imported — stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/react-grid-layout | AI (phantom-deps): Type-only package loaded by convention; stable false positive. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-avatar | AI (phantom-deps): Used via component composition; phantom-dep heuristic fires but it's a legitimate dep. | ai | |
| dependencies | unvetted-dep:@vendure-io/design-tokens | AI (dependencies): First-party Vendure org package; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@vendure-io/ui | AI (dependencies): First-party Vendure org package; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:awesome-graphql-client | AI (dependencies): Known GraphQL client library; legitimate dependency for a dashboard package. | ai | |
| dependencies | unvetted-dep:@tanstack/router-devtools | AI (dependencies): Official TanStack devtools package; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@fontsource-variable/public-sans | AI (dependencies): Standard Fontsource variable font package; benign UI dependency. | ai | |
| phantom-deps | phantom-dep:vaul | AI (phantom-deps): UI component dep referenced in config; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:next-themes | AI (phantom-deps): Theme provider likely loaded via config/convention, not direct import. | ai | |
| phantom-deps | phantom-dep:tw-animate-css | AI (phantom-deps): CSS utility referenced in config, not directly imported; expected for this package. | ai | |
| phantom-deps | phantom-dep:@tanstack/eslint-plugin-query | AI (phantom-deps): ESLint plugin referenced in eslint config, not directly imported. | ai | |
| phantom-deps | phantom-dep:@fontsource-variable/inter | AI (phantom-deps): Font package referenced in CSS/config, not direct JS import. | ai | |
| phantom-deps | phantom-dep:@tanstack/router-devtools | AI (phantom-deps): Devtools loaded via config/convention; stable false positive. | ai | |
| phantom-deps | phantom-dep:@babel/preset-react | AI (phantom-deps): Babel preset loaded via config, not direct import; standard pattern. | ai | |
| phantom-deps | phantom-dep:@types/react-dom | AI (phantom-deps): Framework-scoped type package; loaded by convention. | ai | |
| phantom-deps | phantom-dep:@types/react | AI (phantom-deps): Framework-scoped type package; loaded by convention. | ai | |
| phantom-deps | phantom-dep:@fontsource-variable/geist-mono | AI (phantom-deps): Font package referenced in CSS/config; stable false positive. | ai | |
| phantom-deps | phantom-dep:@fontsource-variable/public-sans | AI (phantom-deps): Font package referenced in CSS/config; stable false positive. | ai | |
| phantom-deps | phantom-dep:@tiptap/pm | AI (phantom-deps): ProseMirror peer dep for tiptap; loaded transitively, not directly imported. | ai | |
| phantom-deps | phantom-dep:tailwindcss | AI (phantom-deps): Tailwind is referenced in vite/config files, not imported directly; standard pattern for this package. | ai | |
Versions (showing 18 of 18)
| Version | Deps | Published |
|---|---|---|
| 3.6.4 | 67 / 20 | |
| 3.6.3 | 67 / 20 | |
| 3.6.2 | 67 / 20 | |
| 3.4.4 | 90 / 8 | |
| 3.4.3 | 90 / 8 | |
| 3.4.2 | 86 / 8 | |
| 3.4.1 | 86 / 8 | |
| 3.4.0 | 88 / 8 | |
| 3.3.8 | 86 / 8 | |
| 3.3.7 | 73 / 8 | |
| 3.3.6 | 73 / 8 | |
| 3.3.5 | 70 / 8 | |
| 3.3.4 | 70 / 8 | |
| 3.3.3 | 70 / 8 | |
| 3.3.2 | 70 / 8 | |
| 3.3.1 | 70 / 8 | |
| 3.3.0 | 70 / 8 | |
| 3.2.4 | 70 / 8 | |
v3.6.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.6.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.6.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.4.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.4.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.4.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.4.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.4.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.3.8
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.3.7
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.3.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.3.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.3.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.3.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.3.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.3.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.3.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.2.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.