@adobe/magento-storefront-event-collector

Event Collectors for Adobe Commerce storefronts

Versions: 5
License: MIT
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance | npm registry signatures | No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

marbectripodgarthdblazdadobe-adminpatrickfultontrieloffshazronkrisnyedcpfsdknatebaldwindevongovettaspro83symanovidpfisterstefan-guggisbergrofekptdobeadobehallsfullcolorcoderdjaeggidylandepassmhaackamol-anandstopp-adobedotenduh_schmidtasthabh23zdahbituicufmeschbe

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
publish-pattern | dormant-publish | AI (publish-pattern): Established Adobe org package with consistent metadata; dormancy likely reflects release cadence, not account takeover. | ai |
dependencies | unvetted-dep:@adobe/alloy | AI (dependencies): First-party Adobe dependency; consistent with this package's documented Adobe Commerce integration. | ai |
dependencies | unvetted-dep:@adobe/adobe-client-data-layer | AI (dependencies): First-party Adobe dependency; stable pattern across all versions of this package. | ai |
phantom-deps | phantom-dep:@snowplow/browser-plugin-performance-timing | AI (phantom-deps): Referenced in config files; stable false positive for this bundled package. | ai |
phantom-deps | phantom-dep:@adobe/alloy | AI (phantom-deps): Same Adobe org scope; likely consumed via bundled output rather than direct import. | ai |
phantom-deps | phantom-dep:@snowplow/browser-plugin-link-click-tracking | AI (phantom-deps): Referenced in config files; stable false positive for this bundled package. | ai |
phantom-deps | phantom-dep:@adobe/adobe-client-data-layer | AI (phantom-deps): Same Adobe org scope; consistent with bundled event-collector pattern. | ai |
phantom-deps | phantom-dep:@snowplow/browser-tracker | AI (phantom-deps): Referenced in config files per finding; not a direct import but a legitimate peer/bundled dep. | ai |

Versions (showing 5 of 5)

Version | Deps | Published
1.17.0 | 6 / 19 |
1.16.0 | 6 / 19 |
1.15.0 | 6 / 19 |
1.14.1 | 6 / 19 |
1.14.0 | 6 / 19 |

v1.17.0

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.16.0

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.15.0

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.14.1

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.14.0

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.