stream-chat-react
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/es/useNotificationApi.6fdc3ce7.mjs | AI (source-diff): Bundled React component code with readable imports and region comments; not obfuscated. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): postinstall runs husky (git hooks setup); no-op outside dev context, standard for this package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New files are source maps + a new feature bundle (useNotificationApi); consistent with normal release cadence for this large React SDK. | ai | |
| dependencies | unvetted-dep:hast-util-find-and-replace | AI (dependencies): Legitimate hast/rehype ecosystem utility used for markdown processing; consistent with react-markdown dependency. | ai | |
| source-diff | obfuscated-file:dist/cjs/index.js | AI (source-diff): Bundled CJS output with standard imports; not obfuscated. Stable for this package. | ai | |
| source-diff | obfuscated-file:dist/es/index.mjs | AI (source-diff): Bundled ESM output with standard imports; not obfuscated. Stable for this package. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher is GitHub Actions with SLSA provenance; standard CI/CD publishing for this org. | ai | |
| source-diff | obfuscated-file:dist/index.browser.cjs | AI (source-diff): Standard esbuild CJS bundle output; readable preamble, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/index.node.cjs | AI (source-diff): Standard esbuild CJS bundle output; readable preamble, not obfuscated. | ai | |
| phantom-deps | phantom-dep:isomorphic-ws | AI (phantom-deps): isomorphic-ws is a declared runtime dep used transitively via stream-chat; phantom-dep heuristic fires but it's legitimately listed. | ai | |
| phantom-deps | phantom-dep:modern-normalize | AI (phantom-deps): CSS dependency referenced in styling config; not a JS import by design. | ai | |
| phantom-deps | phantom-dep:ts-pattern | AI (phantom-deps): Referenced in config files; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a standard TypeScript runtime helper; declared as dep for downstream consumers. | ai | |
Versions (showing 9 of 9)
| Version | Deps | Published |
|---|---|---|
| 14.4.0 | 25 / 50 | |
| 14.3.0 | 27 / 50 | |
| 14.2.0 | 27 / 50 | |
| 14.1.0 | 28 / 49 | |
| 14.0.1 | 28 / 49 | |
| 14.0.0 | 28 / 49 | |
| 13.14.5 | 27 / 76 | |
| 13.14.4 | 27 / 76 | |
| 3.1.7 | 24 / 85 | |
v14.4.0
3 findings
Script: husky
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.3.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.2.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.1.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.0.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.0.0
4 findings
This version was published by a different npm account than previous versions on 2026-04-16. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.14.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.14.4
4 findings
This version was published by a different npm account than previous versions on 2026-04-17. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.7
2 findings
Maintainer email '[email protected]' uses domain 'jeltef.nl' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.