@widergy/energy-ui — Greenflagged

Widergy Web Components

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

fiozzolisgulinogmlipinaalcurvelowidergy.npmsanticammguidodinatale

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	new-deps-added	AI (publish-pattern): Actively developed UI library; new deps are established, benign packages consistent with feature growth.	ai	2026/05/27
dependencies	unvetted-dep:react-flagpack	AI (dependencies): Known flag icon component library; no malware indicators.	ai	2026/05/10
dependencies	unvetted-dep:react-signature-canvas	AI (dependencies): Well-known signature input component; no malware indicators.	ai	2026/05/10
dependencies	unvetted-dep:intro.js-react	AI (dependencies): React wrapper for intro.js; benign UI dependency.	ai	2026/05/10
dependencies	unvetted-dep:intro.js	AI (dependencies): Established open-source onboarding library; no malware indicators.	ai	2026/05/10
dependencies	unvetted-dep:@material-ui/lab	AI (dependencies): Official Material-UI lab package; well-known ecosystem dep.	ai	2026/05/10
dependencies	unvetted-dep:react-google-maps	AI (dependencies): Established Google Maps React wrapper; no malware indicators.	ai	2026/05/10
dependencies	unvetted-dep:@widergy/web-utils	AI (dependencies): Publisher's own scoped utility package; consistent with this org's ecosystem.	ai	2026/05/10
dependencies	unvetted-dep:@widergy/energy-hooks	AI (dependencies): Publisher's own scoped hooks package; consistent with this org's ecosystem.	ai	2026/05/10
dependencies	unvetted-dep:@trainline/react-skeletor	AI (dependencies): Known Trainline open-source skeleton loader; benign UI dep.	ai	2026/05/10
dependencies	unvetted-dep:babel-plugin-inline-react-svg	AI (dependencies): Standard Babel plugin for SVG inlining; no malware indicators.	ai	2026/05/10
phantom-deps	phantom-dep:autoprefixer	AI (phantom-deps): PostCSS plugin loaded by config, not direct import.	ai	2026/04/30
phantom-deps	phantom-dep:sass-loader	AI (phantom-deps): Webpack loader; loaded by convention, not direct import.	ai	2026/04/30
phantom-deps	phantom-dep:react-jss	AI (phantom-deps): JSS styling dep referenced in config; stable false positive for this UI library.	ai	2026/04/30
phantom-deps	phantom-dep:@babel/eslint-parser	AI (phantom-deps): Framework-scoped, loaded by eslint config convention.	ai	2026/04/30
phantom-deps	phantom-dep:@react-google-maps/api	AI (phantom-deps): Maps dep referenced in config files; stable false positive for this package.	ai	2026/04/30
phantom-deps	phantom-dep:babel-plugin-inline-react-svg	AI (phantom-deps): Babel plugin loaded by config, not direct import.	ai	2026/04/30
phantom-deps	phantom-dep:babel-plugin-named-asset-import	AI (phantom-deps): Babel plugin loaded by config, not direct import.	ai	2026/04/30
phantom-deps	phantom-dep:sass	AI (phantom-deps): Build-tool dep used in webpack/babel config; not directly imported in source.	ai	2026/04/30
provenance	no-provenance	AI (provenance): Established package with 737 versions; lack of provenance is consistent across all prior releases.	ai	2026/04/29