@xiping/react-components
A modern React component library built with TypeScript, providing rich animation components, media components, and interactive components.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@heroui/button | AI (phantom-deps): Config-referenced dependency; stable pattern for this component library. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Internal org package; metadata gaps (no description, no repo) are benign for scoped packages. | ai | |
| phantom-deps | phantom-dep:@nextui-org/theme | AI (phantom-deps): Config-referenced dependency; stable pattern for this component library. | ai | |
| phantom-deps | phantom-dep:qrcode | AI (phantom-deps): Config-referenced dependency; stable pattern for this component library. | ai | |
| phantom-deps | phantom-dep:qrcode.react | AI (phantom-deps): Config-referenced dependency; stable pattern for this component library. | ai | |
| phantom-deps | phantom-dep:lodash-es | AI (phantom-deps): Config-referenced dependency; stable pattern for this component library. | ai | |
| dependencies | unvetted-dep:@xiping/subtitle | AI (dependencies): Same @xiping namespace as the package itself; organizational dependency, not a third-party risk. | ai | |
| phantom-deps | phantom-dep:zustand | AI (phantom-deps): Declared runtime dep used by consumers; not directly imported in library bundle — stable pattern for this component library. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): Peer dependency declared in dependencies block; not directly imported in library code — expected for React component libraries. | ai | |
| phantom-deps | phantom-dep:react-resizable-panels | AI (phantom-deps): Runtime dep used by consumers; phantom detection is a false positive for this component library pattern. | ai | |
| phantom-deps | phantom-dep:@xiping/llm-utils | AI (phantom-deps): Same org scope; declared dep used indirectly via re-exports. | ai | |
| phantom-deps | phantom-dep:@tiptap/pm | AI (phantom-deps): Peer of @tiptap/react; declared dep, phantom-dep heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:dayjs | AI (phantom-deps): Same pattern — declared runtime dep, phantom-dep fires on config references in a bundled component library. | ai | |
| phantom-deps | phantom-dep:class-variance-authority | AI (phantom-deps): Declared runtime dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:react-router-dom | AI (phantom-deps): Declared runtime dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:axios | AI (phantom-deps): Declared runtime dep in a component library; phantom-dep heuristic fires on config-only references but dep is legitimately bundled. | ai | |
| phantom-deps | phantom-dep:react-hot-toast | AI (phantom-deps): Declared runtime dep; stable false positive for this component library. | ai | |
| phantom-deps | phantom-dep:react-icons | AI (phantom-deps): Declared runtime dep; phantom-dep fires on config references, stable false positive. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-scroll-area | AI (phantom-deps): Declared runtime dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@floating-ui/dom | AI (phantom-deps): Declared runtime dep; stable false positive. | ai | |
Versions (showing 49 of 49)
| Version | Deps | Published |
|---|---|---|
| 1.0.92 | 42 / 31 | |
| 1.0.91 | 42 / 31 | |
| 1.0.89 | 42 / 31 | |
| 1.0.87 | 42 / 32 | |
| 1.0.84 | 42 / 32 | |
| 1.0.83 | 42 / 32 | |
| 1.0.82 | 42 / 32 | |
| 1.0.79 | 30 / 32 | |
| 1.0.78 | 30 / 32 | |
| 1.0.77 | 31 / 32 | |
| 1.0.70 | 32 / 32 | |
| 1.0.69 | 32 / 32 | |
| 1.0.67 | 32 / 32 | |
| 1.0.66 | 32 / 32 | |
| 1.0.65 | 32 / 32 | |
| 1.0.63 | 32 / 32 | |
| 1.0.61 | 32 / 32 | |
| 1.0.60 | 32 / 32 | |
| 1.0.59 | 32 / 32 | |
| 1.0.43 | 27 / 37 | |
| 1.0.40 | 27 / 37 | |
| 1.0.39 | 27 / 37 | |
| 1.0.36 | 27 / 37 | |
| 1.0.35 | 26 / 36 | |
| 1.0.34 | 26 / 36 | |
| 1.0.33 | 26 / 36 | |
| 1.0.32 | 26 / 36 | |
| 1.0.31 | 27 / 36 | |
| 1.0.30 | 27 / 36 | |
| 1.0.29 | 27 / 36 | |
| 1.0.28 | 29 / 36 | |
| 1.0.27 | 29 / 36 | |
| 1.0.26 | 28 / 36 | |
| 1.0.25 | 28 / 36 | |
| 1.0.24 | 28 / 36 | |
| 1.0.23 | 28 / 36 | |
| 1.0.22 | 28 / 36 | |
| 1.0.21 | 28 / 36 | |
| 1.0.20 | 27 / 35 | |
| 1.0.19 | 27 / 35 | |
| 1.0.18 | 27 / 35 | |
| 1.0.16 | 26 / 35 | |
| 1.0.15 | 26 / 35 | |
| 1.0.14 | 26 / 35 | |
| 1.0.13 | 25 / 34 | |
| 1.0.12 | 25 / 34 | |
| 1.0.11 | 25 / 34 | |
| 1.0.10 | 23 / 38 | |
| 1.0.9 | 23 / 38 | |
v1.0.92
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.91
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.89
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.87
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.84
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.83
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.82
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.79
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.78
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.77
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.70
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.69
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.67
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.66
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.65
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.63
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.61
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.60
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.59
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.43
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.40
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.39
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.36
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.35
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.34
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.33
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.32
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.31
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.30
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.29
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.28
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.27
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.26
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.25
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.24
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.23
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.22
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.21
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.20
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.19
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.18
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.16
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.15
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.14
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.13
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.12
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.11
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.10
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.9
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.