rc-tabs
tabs ui component for react
27
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
benjycuiyesmeckafc163paranoidjkzombiejpicodothmadccc
Keywords
reactreact-componentreact-tabs
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/umi.3bf3bfb4.js | AI (source-diff): This is a standard dumi/UMI documentation site webpack bundle. Minification is expected; no malicious content present. | ai | |
| source-diff | obfuscated-file:dist/docs__index.md.5a678285.async.js | AI (source-diff): Standard webpack async chunk containing rc-tabs documentation markdown rendered as React. No malicious content. | ai | |
| source-diff | obfuscated-file:dist/demos.11f92399.async.js | AI (source-diff): Standard webpack async chunk containing rc-tabs demo components for documentation site. No malicious content. | ai | |
| source-diff | obfuscated-file:dist/76.77709ec5.async.js | AI (source-diff): Standard webpack async chunk from dumi documentation build. Contains Redux and invariant utilities, no malicious content. | ai | |
| source-diff | obfuscated-file:dist/548.62d105c5.async.js | AI (source-diff): Standard webpack async chunk from dumi documentation build. Contains React component API table code, no malicious content. | ai | |
| source-diff | obfuscated-file:dist/242.7c148438.async.js | AI (source-diff): Standard webpack async chunk from dumi documentation build. Minified React/SVG component code, no malicious content. | ai | |
| source-diff | net-exec-file:dist/umi.3bf3bfb4.js | AI (source-diff): Network+exec pattern is triggered by normal browser-side webpack module loading in the dumi documentation bundle, not dropper/loader malware. | ai | |
| dependencies | unvetted-dep:react-hammerjs | AI (dependencies): react-hammerjs is a legitimate React wrapper for Hammer.js touch gestures; appropriate dependency for a tabs UI component with swipe support. | ai | |
| dependencies | unvetted-dep:create-react-context | AI (dependencies): create-react-context is a well-known React Context API polyfill used by many major libraries; its use here is legitimate for supporting older React versions. | ai | |
| dependencies | unvetted-dep:rc-hammerjs | AI (dependencies): rc-hammerjs is part of the rc-* ecosystem and pinned to ~0.6.0; stable dependency for this package. | ai | |
| source-diff | net-exec-file:dist/rc-tabs.js | AI (source-diff): Webpack UMD bundle is a legitimate build artifact for React component distribution; webpack's module system is not malicious code. | ai | |
| source-diff | net-exec-file:dist/rc-tabs.min.js | AI (source-diff): Minified webpack bundle is expected for production distribution; no malicious payload detected in sample. | ai | |
| dependencies | unvetted-dep:rc-css-transition-group | AI (dependencies): rc-css-transition-group is a react-component ecosystem package consistent with rc-tabs' purpose; same maintainer lineage, no malicious signals. | ai | |
| dependencies | unvetted-dep:browserify-shim | AI (dependencies): Build-time browserify transform; not a runtime dependency affecting end users. | ai | |
| dependencies | unvetted-dep:browserify-jsx | AI (dependencies): Build-time browserify transform; not a runtime dependency affecting end users. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change in 2018 reflects legitimate maintainer transition; stable for 6+ years. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase reflects addition of dist/ bundles (normal for component library releases), not injected payload. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): lodash is an established, widely-trusted utility library; legitimate addition for a mature component library. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): dxq613 removal is consistent with Ant Design org restructuring; new team is established and trusted. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Maintainer transition occurred in 2018 and is well-established; no compromise indicators. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 27 new files consistent with component library expansion; no obfuscation or malicious patterns detected. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): Complete maintainer transition in 2017 on established package; 7+ years of stable history post-transition validates legitimacy. | ai | |
| phantom-deps | phantom-dep:browserify-jsx | AI (phantom-deps): browserify-jsx is used as a browserify transform configured in package.json's browserify.transform field, not imported directly in JS. This is the correct usage pattern for browserify transforms. | ai | |
| phantom-deps | phantom-dep:browserify-shim | AI (phantom-deps): browserify-shim is used as a browserify transform/shim configured in package.json, not imported directly. This is the correct usage pattern for browserify-shim. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used in gulpfile.js for build tasks (linting, git tagging); standard development tooling, not in published code. | ai | |
| semgrep | semgrep:child-process-exec | AI (semgrep): exec() in gulpfile.js for git tagging during publish; standard build workflow, not in distributed package. | ai | |
| dependencies | unvetted-dep:rc-menu | AI (dependencies): rc-menu is a well-known react-component ecosystem package; stable dependency for rc-tabs across all versions. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation is not yet standard practice in npm ecosystem; absence is not a security concern for this established package. | ai | |
| dependencies | unvetted-dep:rc-resize-observer | AI (dependencies): rc-resize-observer is a standard utility in the react-component ecosystem; stable dependency for rc-tabs. | ai | |
| dependencies | unvetted-dep:rc-dropdown | AI (dependencies): rc-dropdown is a well-known react-component ecosystem package; stable dependency for rc-tabs. | ai | |
| dependencies | unvetted-dep:rc-motion | AI (dependencies): rc-motion is a standard animation package in the react-component ecosystem; stable dependency for rc-tabs. | ai | |
| dependencies | unvetted-dep:rc-util | AI (dependencies): rc-util is a core utility package in the react-component/Ant Design ecosystem; stable dependency for rc-tabs. | ai |
Versions (showing 27 of 227)
| Version | Deps | Published |
|---|---|---|
| 5.4.3 | 1 / 7 | |
| 5.4.2 | 1 / 7 | |
| 5.4.1 | 1 / 7 | |
| 5.4.0 | 1 / 7 | |
| 5.3.3 | 1 / 5 | |
| 5.3.2 | 1 / 5 | |
| 5.3.1 | 1 / 5 | |
| 5.3.0 | 1 / 5 | |
| 5.2.0 | 1 / 5 | |
| 5.1.0 | 1 / 5 | |
| 5.0.5 | 1 / 5 | |
| 5.0.4 | 1 / 5 | |
| 5.0.3 | 1 / 5 | |
| 5.0.2 | 1 / 5 | |
| 5.0.1 | 1 / 5 | |
| 5.0.0 | 1 / 5 | |
| 4.0.0 | 0 / 5 | |
| 3.3.0 | 0 / 5 | |
| 3.2.0 | 0 / 5 | |
| 3.1.0 | 0 / 5 | |
| 3.0.0 | 0 / 11 | |
| 2.0.4 | 1 / 11 | |
| 2.0.3 | 0 / 11 | |
| 2.0.2 | 2 / 8 | |
| 2.0.1 | 2 / 8 | |
| 2.0.0 | 2 / 8 | |
| 1.0.0 | 2 / 28 |
v1.0.0
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.