All @algolia/client-search versions

@algolia/[email protected] rejected Risk: 76 No license

@algolia/client-search @4.27.0

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
npm Repository Tarball
76
Risk Score
License
No
Install Scripts
3
Dependencies
0
Dev Dependencies
29.9 KB
Package Size
Published

Maintainers

haroenvshortcutseric-zahariafluf

Dependencies (3)

PackageConstraintRegistry Status
@algolia/transporter 4.27.0 auto_approved
@algolia/client-common 4.27.0 auto_approved
@algolia/requester-common 4.27.0 auto_approved

Transitive Dependency Tree

5 transitive deps max depth 2
  ├─ @algolia/client-common 4.27.0
  ├─ @algolia/requester-common 4.27.0 → 4.27.0
├─ @algolia/transporter 4.27.0 → 4.27.0
  ├─ @algolia/cache-common 4.27.0 → 4.27.0
  ├─ @algolia/logger-common 4.27.0 → 4.27.0
  ├─ @algolia/requester-common 4.27.0 → 4.27.0

Changes from v5.49.1

Dependency Changes

ChangePackageVersion
added @algolia/transporter 4.27.0
added @algolia/requester-common 4.27.0
removed @algolia/requester-fetch 5.49.1
removed @algolia/requester-node-http 5.49.1
removed @algolia/requester-browser-xhr 5.49.1
changed @algolia/client-common 5.49.1 → 4.27.0

Script Changes

- build- clean- test:bundle

File Changes

3 added 25 removed 2 modified size delta: -3027.3 KB

Risk Dispositions (3 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule Source Disposition Author Reason
regressed-provenance provenance reject AI AI (provenance): Provenance regression is a persistent signal for this package — any version published without CI/CD attestation after a history of attested releases should be rejected.
missing-githead provenance reject AI AI (provenance): Missing gitHead after a history of having it indicates a changed publish environment, consistent with unauthorized access.
publisher-changed provenance reject AI AI (provenance): Publisher changed from GitHub Actions to a human account with no prior publishing history; this generalizes as a disqualifier unless the transition is formally verified.

SAST Findings (3)

HIGH Provenance attestation missing — previous versions had it provenance

This version was published without provenance, but prior versions were published via CI/CD with attestations. This is a strong signal of a potential account compromise or unauthorized publish. The axios attack (March 2026) exhibited exactly this pattern.

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: eric-zaharia.

HIGH Publisher changed: GitHub Actions → eric-zaharia (on 2026-02-27) provenance

This version was published by a different npm account than previous versions on 2026-02-27. This could indicate a legitimate maintainer transition or an account compromise.

Review Summary

Risk score: 76. Findings: 2 high (+50), 2 medium (+20), 2 low (+6), 2 info (+0).

Published to npm: