rc-image
React easy to use image component
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): rc-dialog, rc-util, classnames, @babel/runtime are all standard Ant Design ecosystem packages; addition is expected for the preview feature. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): Maintainer transition within react-component org; publisher dahong has strong approval history (137/144 packages). Legitimate organizational handoff, not a hijack. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Maintainer additions reflect normal team evolution; madccc has strong approval history (1051 approved packages). | ai | |
| provenance | publisher-changed | AI (provenance): Publisher transition from dahong to madccc is documented and consistent with maintainer change; new publisher has strong track record. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Original maintainer removal is consistent with the org-level transfer to react-component/Ant Design team. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase from v3 to v5 reflects major feature additions (image preview/lightbox via rc-dialog); expected for this version jump. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 24 new source files consistent with major version rewrite adding preview functionality; no obfuscation or suspicious payloads indicated. | ai | |
| dependencies | unvetted-dep:rc-dialog | AI (dependencies): rc-dialog is an established rc-component package with pinned constraint ~9.0.0; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:rc-motion | AI (dependencies): rc-motion is a well-known react-component ecosystem package from the same org; unvetted status is a pipeline artifact. | ai | |
| dependencies | unvetted-dep:@rc-component/portal | AI (dependencies): @rc-component/portal is a core react-component ecosystem package from the same org; unvetted status is a pipeline artifact. | ai | |
| provenance | no-provenance | AI (provenance): Established package with long history and trusted publisher; lack of Sigstore provenance is common and not a risk signal here. | ai | |
| dependencies | unvetted-dep:rc-util | AI (dependencies): rc-util is a core react-component ecosystem utility package maintained by the same org; unvetted status is a pipeline artifact. | ai | |
Versions (showing 51 of 89)
| Version | Deps | Published |
|---|---|---|
| 7.12.0 | 6 / 20 | |
| 7.11.1 | 6 / 20 | |
| 7.11.0 | 6 / 20 | |
| 7.10.0 | 6 / 20 | |
| 7.9.0 | 6 / 20 | |
| 7.8.1 | 6 / 20 | |
| 7.8.0 | 6 / 20 | |
| 7.7.1 | 6 / 20 | |
| 7.7.0 | 6 / 20 | |
| 7.6.0 | 6 / 19 | |
| 7.5.1 | 6 / 19 | |
| 7.5.0 | 6 / 19 | |
| 7.4.0 | 6 / 19 | |
| 7.3.2 | 6 / 19 | |
| 7.3.1 | 6 / 19 | |
| 7.3.0 | 6 / 19 | |
| 7.2.0 | 6 / 19 | |
| 7.1.3 | 6 / 19 | |
| 7.1.2 | 6 / 19 | |
| 7.1.1 | 6 / 19 | |
| 7.1.0 | 6 / 19 | |
| 7.0.0 | 6 / 19 | |
| 6.1.0 | 6 / 19 | |
| 6.0.0 | 6 / 19 | |
| 5.18.1 | 6 / 19 | |
| 5.18.0 | 6 / 19 | |
| 5.17.1 | 6 / 19 | |
| 5.16.0 | 6 / 19 | |
| 5.15.2 | 6 / 19 | |
| 5.15.1 | 6 / 19 | |
| 5.14.0 | 6 / 19 | |
| 5.13.0 | 6 / 19 | |
| 5.12.2 | 6 / 19 | |
| 5.12.1 | 5 / 19 | |
| 5.12.0 | 5 / 19 | |
| 5.11.0 | 4 / 19 | |
| 5.10.2 | 4 / 19 | |
| 5.10.1 | 4 / 19 | |
| 5.10.0 | 4 / 19 | |
| 5.9.0 | 4 / 19 | |
| 5.8.0 | 4 / 19 | |
| 5.7.1 | 4 / 19 | |
| 5.7.0 | 4 / 19 | |
| 5.6.4 | 4 / 19 | |
| 5.6.3 | 4 / 19 | |
| 5.6.2 | 4 / 19 | |
| 5.6.1 | 4 / 19 | |
| 5.6.0 | 4 / 20 | |
| 5.5.0 | 4 / 20 | |
| 5.4.0 | 4 / 20 | |
| 5.3.0 | 4 / 20 | |
v5.18.1
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-06-18. This could indicate a legitimate maintainer transition or an account compromise.
v5.18.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-06-17. This could indicate a legitimate maintainer transition or an account compromise.
v5.17.1
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-06-02. This could indicate a legitimate maintainer transition or an account compromise.
v5.16.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.15.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.15.1
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-02-09. This could indicate a legitimate maintainer transition or an account compromise.
v5.13.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-12-26. This could indicate a legitimate maintainer transition or an account compromise.
v5.12.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.12.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.11.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-11-09. This could indicate a legitimate maintainer transition or an account compromise.
v5.10.2
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-11-07. This could indicate a legitimate maintainer transition or an account compromise.
v5.10.1
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-11-07. This could indicate a legitimate maintainer transition or an account compromise.
v5.10.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-11-06. This could indicate a legitimate maintainer transition or an account compromise.
v5.9.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-09-29. This could indicate a legitimate maintainer transition or an account compromise.
v5.8.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.7.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.7.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-06-10. This could indicate a legitimate maintainer transition or an account compromise.
v5.6.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.1
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-25. This could indicate a legitimate maintainer transition or an account compromise.
v5.6.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-18. This could indicate a legitimate maintainer transition or an account compromise.
v5.5.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-14. This could indicate a legitimate maintainer transition or an account compromise.
v5.4.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-12. This could indicate a legitimate maintainer transition or an account compromise.
v5.3.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-18. This could indicate a legitimate maintainer transition or an account compromise.