All @algolia/recommend versions

@algolia/[email protected] rejected Risk: 92 No license

@algolia/recommend @4.27.0

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
npm Repository Tarball
92
Risk Score
License
No
Install Scripts
11
Dependencies
0
Dev Dependencies
19.3 KB
Package Size
Published

Maintainers

haroenvshortcutseric-zahariafluf

Dependencies (11)

PackageConstraintRegistry Status
@algolia/transporter 4.27.0 auto_approved
@algolia/cache-common 4.27.0 auto_approved
@algolia/client-common 4.27.0 auto_approved
@algolia/client-search 4.27.0 auto_approved
@algolia/logger-common 4.27.0 auto_approved
@algolia/logger-console 4.27.0 auto_approved
@algolia/cache-in-memory 4.27.0 auto_approved
@algolia/requester-common 4.27.0 auto_approved
@algolia/requester-node-http 4.27.0 auto_approved
@algolia/requester-browser-xhr 4.27.0 auto_approved
@algolia/cache-browser-local-storage 4.27.0 auto_approved

Transitive Dependency Tree

11 transitive deps max depth 2
  ├─ @algolia/cache-browser-local-storage 4.27.0 → 4.27.0
  ├─ @algolia/cache-common 4.27.0 → 4.27.0
  ├─ @algolia/cache-in-memory 4.27.0 → 4.27.0
  ├─ @algolia/client-common 4.27.0
  ├─ @algolia/client-search 4.27.0
  ├─ @algolia/logger-common 4.27.0 → 4.27.0
  ├─ @algolia/logger-console 4.27.0
  ├─ @algolia/requester-browser-xhr 4.27.0
  ├─ @algolia/requester-common 4.27.0 → 4.27.0
  ├─ @algolia/requester-node-http 4.27.0
├─ @algolia/transporter 4.27.0 → 4.27.0
  ├─ @algolia/cache-common 4.27.0 → 4.27.0
  ├─ @algolia/logger-common 4.27.0 → 4.27.0
  ├─ @algolia/requester-common 4.27.0 → 4.27.0

Changes from v5.49.1

Dependency Changes

ChangePackageVersion
added @algolia/transporter 4.27.0
added @algolia/cache-common 4.27.0
added @algolia/client-search 4.27.0
added @algolia/logger-common 4.27.0
added @algolia/logger-console 4.27.0
added @algolia/cache-in-memory 4.27.0
added @algolia/requester-common 4.27.0
added @algolia/cache-browser-local-storage 4.27.0
removed @algolia/requester-fetch 5.49.1
changed @algolia/client-common 5.49.1 → 4.27.0
changed @algolia/requester-node-http 5.49.1 → 4.27.0
changed @algolia/requester-browser-xhr 5.49.1 → 4.27.0

Script Changes

+ test:exports - build- clean- test:bundle

File Changes

4 added 23 removed 4 modified size delta: -773.8 KB

Risk Dispositions (3 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule Source Disposition Author Reason
regressed-provenance provenance reject AI AI (provenance): Provenance regression from CI/CD to manual publish is a strong supply-chain compromise indicator; generalizes to any future version published without attestation.
missing-githead provenance reject AI AI (provenance): Loss of gitHead alongside publisher change and provenance regression confirms out-of-band manual publish; generalizes as a disqualifier.
publisher-changed provenance reject AI AI (provenance): Publisher changed from GitHub Actions to a human account (eric-zaharia) with no prior publish history; strong account compromise signal.

SAST Findings (3)

HIGH Provenance attestation missing — previous versions had it provenance

This version was published without provenance, but prior versions were published via CI/CD with attestations. This is a strong signal of a potential account compromise or unauthorized publish. The axios attack (March 2026) exhibited exactly this pattern.

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: eric-zaharia.

HIGH Publisher changed: GitHub Actions → eric-zaharia (on 2026-02-27) provenance

This version was published by a different npm account than previous versions on 2026-02-27. This could indicate a legitimate maintainer transition or an account compromise.

Review Summary

Risk score: 92. Findings: 2 high (+50), 3 medium (+30), 4 low (+12), 1 info (+0).

Published to npm: