@adobe-commerce/elsie — Greenflagged

Domain Package SDK

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

grahamcrackerskaydenalthendepatilr48patelwbrandon_adobeadobe-commerce-ops

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:src/shims/importmap.js	AI (source-diff): File is the standard es-module-shims polyfill bundle; minification is expected for this shim.	ai	2026/05/17
dependencies	unvetted-dep:@storybook/addon-webpack5-compiler-babel	AI (dependencies): Storybook addon; consistent with SDK build tool purpose.	ai	2026/05/17
dependencies	unvetted-dep:@types/preact-i18n	AI (dependencies): TypeScript type definitions; no runtime risk.	ai	2026/05/17
dependencies	unvetted-dep:jest-preset-preact	AI (dependencies): Test tooling; consistent with SDK build tool purpose.	ai	2026/05/17
dependencies	unvetted-dep:vite-plugin-banner	AI (dependencies): Build plugin; consistent with SDK build tool purpose.	ai	2026/05/17
dependencies	unvetted-dep:eslint-config-preact	AI (dependencies): Lint config; consistent with SDK build tool purpose.	ai	2026/05/17
dependencies	unvetted-dep:@testing-library/preact	AI (dependencies): Test tooling; consistent with SDK build tool purpose.	ai	2026/05/17
dependencies	unvetted-dep:@storybook/addon-coverage	AI (dependencies): Storybook addon; consistent with SDK build tool purpose.	ai	2026/05/17
dependencies	unvetted-dep:@storybook/preact-webpack5	AI (dependencies): Storybook integration; consistent with SDK build tool purpose.	ai	2026/05/17
dependencies	unvetted-dep:babel-plugin-tsconfig-paths	AI (dependencies): Babel plugin for build; consistent with SDK build tool purpose.	ai	2026/05/17
dependencies	unvetted-dep:graphql-codegen-typescript-mock-data	AI (dependencies): GraphQL codegen tooling; consistent with SDK build tool purpose.	ai	2026/05/17
dependencies	unvetted-dep:axe-playwright	AI (dependencies): Dev/test tooling for accessibility testing; consistent with SDK build tool purpose.	ai	2026/05/17
dependencies	unvetted-dep:optimize-plugin	AI (dependencies): Build optimization plugin; consistent with SDK build tool purpose.	ai	2026/05/17
dependencies	unvetted-dep:@types/css-modules	AI (dependencies): TypeScript type definitions; no runtime risk.	ai	2026/05/17
phantom-deps	phantom-dep:storybook	AI (phantom-deps): Storybook tooling declared as dep, referenced in config files — expected for SDK.	ai	2026/05/06
phantom-deps	phantom-dep:eslint	AI (phantom-deps): Tooling dep loaded via config; stable FP for this SDK.	ai	2026/05/06
phantom-deps	phantom-dep:rimraf	AI (phantom-deps): CLI utility invoked via scripts; stable FP.	ai	2026/05/06
phantom-deps	phantom-dep:core-js	AI (phantom-deps): Known implicit runtime dep; stable FP.	ai	2026/05/06
phantom-deps	phantom-dep:webpack	AI (phantom-deps): Build tooling loaded via config; stable FP.	ai	2026/05/06
phantom-deps	phantom-dep:typescript	AI (phantom-deps): Tooling dep; stable FP for this SDK.	ai	2026/05/06
phantom-deps	phantom-dep:jest	AI (phantom-deps): Build tooling declared as dep but loaded via config convention; stable FP for this SDK.	ai	2026/05/06
semgrep	semgrep:child-process-import	AI (semgrep): CLI tool that spawns build commands; child_process use is expected and documented.	ai	2026/04/30
semgrep	semgrep:dynamic-require	AI (semgrep): Config-loader pattern in bin/lib/config.js; loads user-specified config paths, not arbitrary remote code.	ai	2026/04/30