All @algolia/requester-browser-xhr versions
@algolia/requester-browser-xhr @4.26.0
Maintainers
Dependencies (1)
| Package | Constraint | Registry Status |
|---|---|---|
| @algolia/requester-common | 4.26.0 | auto_approved |
Transitive Dependency Tree
Changes from v5.48.1
Dependency Changes
| Change | Package | Version |
|---|---|---|
| added | @algolia/requester-common | 4.26.0 |
| removed | @algolia/client-common | 5.48.1 |
Script Changes
- test- build- clean- test:bundleFile Changes
Risk Dispositions (2 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason | |
|---|---|---|---|---|---|
regressed-provenance |
provenance | reject | AI | AI (provenance): Loss of CI/CD provenance attestation on an established package is a strong supply-chain compromise indicator; generalizes to any version published without attestation after prior versions had it. | |
publisher-changed |
provenance | reject | AI | AI (provenance): Switch from GitHub Actions to manual human publish (fluf) on this package is anomalous and consistent with account compromise; should be re-evaluated if CI publishing is restored. |
SAST Findings (3)
This version was published without provenance, but prior versions were published via CI/CD with attestations. This is a strong signal of a potential account compromise or unauthorized publish. The axios attack (March 2026) exhibited exactly this pattern.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: fluf.
This version was published by a different npm account than previous versions on 2026-02-17. This could indicate a legitimate maintainer transition or an account compromise.
Review Summary
Risk score: 60. Findings: 2 high (+50), 1 medium (+10), 2 info (+0).
Published to npm: