
@bigcommerce/checkout-sdk

BigCommerce Checkout JavaScript SDK

Versions: 7
License: MIT
Install scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

- No SLSA provenance
- npm registry signatures
- gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

bcnpmuserchanceaclarkjairobcjmwiesejorgemoyacilotoma-rdavidchin

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
phantom-deps | phantom-dep:@braintree/browser-detection | AI (phantom-deps): Config-referenced dependency; stable pattern for this package. | ai |
phantom-deps | phantom-dep:yup | AI (phantom-deps): Config-referenced dependency; stable pattern for this package. | ai |
phantom-deps | phantom-dep:lodash | AI (phantom-deps): Config-referenced dependency; stable pattern for this package. | ai |
phantom-deps | phantom-dep:reselect | AI (phantom-deps): Config-referenced dependency; stable pattern for this package. | ai |
phantom-deps | phantom-dep:query-string | AI (phantom-deps): Config-referenced dependency; stable pattern for this package. | ai |
phantom-deps | phantom-dep:shallowequal | AI (phantom-deps): Config-referenced dependency; stable pattern for this package. | ai |
phantom-deps | phantom-dep:messageformat | AI (phantom-deps): Config-referenced dependency; stable pattern for this package. | ai |
phantom-deps | phantom-dep:card-validator | AI (phantom-deps): Config-referenced dependency; stable pattern for this package. | ai |
phantom-deps | phantom-dep:iframe-resizer | AI (phantom-deps): Config-referenced dependency; stable pattern for this package. | ai |
phantom-deps | phantom-dep:@types/reselect | AI (phantom-deps): Framework-scoped type package; stable pattern for this package. | ai |
phantom-deps | phantom-dep:intl-messageformat | AI (phantom-deps): Config-referenced dependency; stable pattern for this package. | ai |
phantom-deps | phantom-dep:@types/shallowequal | AI (phantom-deps): Framework-scoped type package; stable pattern for this package. | ai |
phantom-deps | phantom-dep:@types/card-validator | AI (phantom-deps): Framework-scoped type package; stable pattern for this package. | ai |
phantom-deps | phantom-dep:@types/iframe-resizer | AI (phantom-deps): Framework-scoped type package; stable pattern for this package. | ai |
phantom-deps | phantom-dep:local-storage-fallback | AI (phantom-deps): Config-referenced dependency; stable pattern for this package. | ai |
phantom-deps | phantom-dep:current-script-polyfill | AI (phantom-deps): Config-referenced dependency; stable pattern for this package. | ai |
dependencies | unvetted-dep:iframe-resizer | AI (dependencies): Known utility dep used by this SDK across many versions. | ai |
dependencies | unvetted-dep:@types/reselect | AI (dependencies): Type-only dev dep; stable false positive for this package. | ai |
dependencies | unvetted-dep:@bigcommerce/memoize | AI (dependencies): First-party BigCommerce dep; stable across versions. | ai |
dependencies | unvetted-dep:@types/card-validator | AI (dependencies): Type-only dep; stable false positive for this package. | ai |
dependencies | unvetted-dep:local-storage-fallback | AI (dependencies): Known utility dep; stable false positive for this package. | ai |
dependencies | unvetted-dep:@bigcommerce/data-store | AI (dependencies): First-party BigCommerce dep; stable across versions. | ai |
dependencies | unvetted-dep:@bigcommerce/form-poster | AI (dependencies): First-party BigCommerce dep; stable across versions. | ai |
dependencies | unvetted-dep:@bigcommerce/bigpay-client | AI (dependencies): First-party BigCommerce dep; stable across versions. | ai |
dependencies | unvetted-dep:@bigcommerce/script-loader | AI (dependencies): First-party BigCommerce dep; stable across versions. | ai |
dependencies | unvetted-dep:@bigcommerce/request-sender | AI (dependencies): First-party BigCommerce dep; stable across versions. | ai |
dependencies | unvetted-dep:@braintree/browser-detection | AI (dependencies): Known Braintree utility dep; stable false positive for this package. | ai |
provenance | no-provenance | AI (provenance): Long-established BigCommerce package; provenance absence is consistent across all prior versions. | ai |
phantom-deps | phantom-dep:tslib | AI (phantom-deps): Known implicit TypeScript runtime dep; stable false positive for this package. | ai |
phantom-deps | phantom-dep:core-js | AI (phantom-deps): Known polyfill implicit dep; stable false positive for this package. | ai |
phantom-deps | phantom-dep:@bigcommerce/memoize | AI (phantom-deps): Same-org dep; stable false positive. | ai |
phantom-deps | phantom-dep:@bigcommerce/bigpay-client | AI (phantom-deps): Same-org dep; stable false positive. | ai |

Versions (showing 7 of 7)

Version | Deps | Published
1.919.0 | 25 / 48 |
1.917.0 | 25 / 48 |
1.916.1 | 25 / 48 |
1.912.0 | 25 / 48 |
1.909.5 | 25 / 48 |
1.909.4 | 25 / 48 |
1.909.0 | 25 / 48 |

v1.919.0

1 finding
INFO: No provenance attestation (category: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.917.0

1 finding
INFO: No provenance attestation (category: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.916.1

1 finding
INFO: No provenance attestation (category: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.912.0

1 finding
INFO: No provenance attestation (category: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.909.5

1 finding
INFO: No provenance attestation (category: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.909.4

1 finding
INFO: No provenance attestation (category: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.909.0

1 finding
LOW: No provenance attestation (category: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.