@algolia/client-analytics @4.26.0
rejected
This version was rejected.
It did not pass GreenFlagged's security review and is not served by the registry.
The findings and risk dispositions below explain why.
| Metric | Value |
|---|---|
| Risk Score | 54 |
| License | — |
| Install Scripts | No |
| Dependencies | 4 |
| Dev Dependencies | 0 |
| Package Size | 2.5 KB |
| Published | |
| Maintainers | haroenv, shortcuts, fluf |
Dependencies (4)
| Package | Constraint | Registry Status |
|---|---|---|
| @algolia/transporter | 4.26.0 | auto_approved |
| @algolia/client-common | 4.26.0 | auto_approved |
| @algolia/client-search | 4.26.0 | auto_approved |
| @algolia/requester-common | 4.26.0 | auto_approved |
Transitive Dependency Tree
6 transitive deps, max depth 2
├─ @algolia/client-common 4.26.0
├─ @algolia/client-search 4.26.0
├─ @algolia/requester-common 4.26.0 → 4.26.0
├─ @algolia/transporter 4.26.0 → 4.26.0
├─ @algolia/cache-common 4.26.0 → 4.26.0
├─ @algolia/logger-common 4.26.0 → 4.26.0
├─ @algolia/requester-common 4.26.0 → 4.26.0
Changes from v5.43.0
Dependency Changes
| Change | Package | Version |
|---|---|---|
| added | @algolia/transporter | 4.26.0 |
| added | @algolia/client-search | 4.26.0 |
| added | @algolia/requester-common | 4.26.0 |
| removed | @algolia/requester-fetch | 5.43.0 |
| removed | @algolia/requester-node-http | 5.43.0 |
| removed | @algolia/requester-browser-xhr | 5.43.0 |
| changed | @algolia/client-common | 5.43.0 → 4.26.0 |
Script Changes
- build
- clean
- test:bundle

File Changes
3 added
25 removed
2 modified
size delta: -1450.7 KB
Risk Dispositions (3 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| missing-githead | provenance | reject | AI | AI (provenance): Previous versions had gitHead; its absence here combined with publisher change indicates a non-standard publish environment, consistent with compromise. |
| publisher-changed | provenance | reject | AI | AI (provenance): Publisher changed from the established 'shortcuts' account to 'fluf', a new account with no prior packages. This is a persistent red flag for this package. |
| dormant-publish | publish-pattern | reject | AI | AI (publish-pattern): 2261 days of inactivity before this publish on a package with an active v5.x line is a strong account-takeover indicator that generalizes to any future v4.x publishes from this account. |
SAST Findings (3)
| Severity | Finding | Category | Details |
|---|---|---|---|
| HIGH | Missing gitHead — previous versions had it | provenance | This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: fluf. |
| HIGH | Publisher changed: shortcuts → fluf (on 2026-02-17) | provenance | This version was published by a different npm account than previous versions on 2026-02-17. This could indicate a legitimate maintainer transition or an account compromise. |
| LOW | No provenance attestation | provenance | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
Review Summary
Risk score: 54. Findings: 1 high (+25), 2 medium (+20), 3 low (+9), 2 info (+0).
Published to npm: