@wordpress/block-editor

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

garypendergastadamsilversteingziolontwbriadnoisysockskadamwhitegutenbergpluginjorgefilipecostaellatrixiandunn206whyisjakeockhamsirrealnosoloswwpisabelntsekourasnerraddesrosjtalldanwppeterwilsonccryanwelchermamaduka

Keywords

wordpressgutenbergeditorblocks

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	dormant-publish	AI (publish-pattern): Active Gutenberg monorepo package with 415 versions; dormancy signal is a false positive for this package.	ai	2026/05/17
dependencies	unvetted-dep:@react-spring/web	AI (dependencies): @react-spring/web is a well-known animation library; long-standing dep in this package.	ai	2026/05/17
phantom-deps	phantom-dep:@wordpress/wordcount	AI (phantom-deps): Same-org sibling dep; phantom-dep heuristic false positive for this monorepo package.	ai	2026/04/29
phantom-deps	phantom-dep:deepmerge	AI (phantom-deps): deepmerge is a declared dep used in build/config context; stable false positive for this monorepo package.	ai	2026/04/29
phantom-deps	phantom-dep:@wordpress/escape-html	AI (phantom-deps): Same-org sibling dep; phantom-dep heuristic false positive for this monorepo package.	ai	2026/04/29
phantom-deps	phantom-dep:@wordpress/base-styles	AI (phantom-deps): Same-org sibling dep used for styles; phantom-dep heuristic false positive.	ai	2026/04/29
phantom-deps	phantom-dep:react-easy-crop	AI (phantom-deps): react-easy-crop is a declared dep; phantom-dep heuristic false positive for this package.	ai	2026/04/29