@webstudio-is/sdk-components-react
Webstudio default library for react
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): trysound is a long-established publisher within the @webstudio-is org; transition appears legitimate. | ai | |
| dependencies | unvetted-dep:@webstudio-is/sdk | AI (dependencies): Internal monorepo sibling package; versioned in lockstep with this package. | ai | |
| dependencies | unvetted-dep:@webstudio-is/icons | AI (dependencies): Internal monorepo sibling package; versioned in lockstep with this package. | ai | |
| dependencies | unvetted-dep:@webstudio-is/image | AI (dependencies): Internal monorepo sibling package; versioned in lockstep with this package. | ai | |
| dependencies | unvetted-dep:@webstudio-is/react-sdk | AI (dependencies): Internal monorepo sibling package; versioned in lockstep with this package. | ai | |
Versions (showing 39 of 39)
| Version | Deps | Published |
|---|---|---|
| 0.268.0 | 9 / 13 | |
| 0.267.0 | 9 / 13 | |
| 0.266.0 | 9 / 13 | |
| 0.265.0 | 9 / 13 | |
| 0.264.0 | 9 / 13 | |
| 0.263.0 | 9 / 13 | |
| 0.262.1 | 9 / 13 | |
| 0.262.0 | 9 / 13 | |
| 0.261.1 | 9 / 13 | |
| 0.261.0 | 9 / 13 | |
| 0.260.2 | 9 / 13 | |
| 0.259.0 | 9 / 13 | |
| 0.258.0 | 9 / 13 | |
| 0.257.0 | 9 / 13 | |
| 0.255.0 | 9 / 12 | |
| 0.254.0 | 9 / 12 | |
| 0.253.0 | 9 / 12 | |
| 0.252.2 | 9 / 12 | |
| 0.252.1 | 9 / 12 | |
| 0.238.0 | 9 / 12 | |
| 0.237.0 | 9 / 12 | |
| 0.236.0 | 9 / 12 | |
| 0.235.0 | 9 / 12 | |
| 0.234.0 | 9 / 12 | |
| 0.233.0 | 9 / 12 | |
| 0.232.0 | 9 / 12 | |
| 0.231.0 | 9 / 12 | |
| 0.230.0 | 9 / 12 | |
| 0.229.0 | 9 / 12 | |
| 0.228.0 | 9 / 12 | |
| 0.227.0 | 9 / 12 | |
| 0.226.0 | 9 / 12 | |
| 0.225.0 | 9 / 12 | |
| 0.224.0 | 9 / 12 | |
| 0.223.0 | 9 / 12 | |
| 0.222.0 | 9 / 12 | |
| 0.221.0 | 9 / 12 | |
| 0.220.0 | 9 / 12 | |
| 0.219.0 | 9 / 12 | |
v0.268.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.267.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.266.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.264.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.263.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.262.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.262.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.261.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.261.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.260.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.259.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.258.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.257.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.255.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.254.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.253.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.252.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.252.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.238.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.237.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.236.0
2 findings: This version was published by a different npm account than previous versions on 2025-12-05. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.235.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.234.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.233.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.232.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.231.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.230.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.229.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.228.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.227.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.226.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.225.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.224.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.223.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.222.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.221.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.220.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.219.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.