@cloudcommerce/ssr
e-com.plus Cloud Commerce storefront SSR
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:html-minifier | AI (dependencies): Long-standing dependency in this package; stable usage pattern across many versions. | ai | |
| dependencies | unvetted-dep:@ecomplus/utils | AI (dependencies): Same org dependency (@ecomplus); stable across many versions of this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Org-scoped SSR package; README style is consistent across the monorepo, not a spam indicator. | ai | |
| phantom-deps | phantom-dep:mitt | AI (phantom-deps): Event emitter used via config/runtime; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:yaml | AI (phantom-deps): YAML used in config processing; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:mrmime | AI (phantom-deps): MIME utility used indirectly; stable false positive for this SSR package. | ai | |
| phantom-deps | phantom-dep:astro-capo | AI (phantom-deps): Astro integration referenced in config; stable false positive. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): Scoped package @cloudcommerce/ssr vs 'qs' is a meaningless levenshtein match; no impersonation risk. | ai | |
| phantom-deps | phantom-dep:@astrojs/node | AI (phantom-deps): Astro Node adapter referenced in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:@ecomplus/utils | AI (phantom-deps): Utility package used at runtime; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@cloudcommerce/i18n | AI (phantom-deps): Same-org sibling dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@vueuse/core | AI (phantom-deps): VueUse composables used in templates/config; stable false positive. | ai | |
| phantom-deps | phantom-dep:astro | AI (phantom-deps): Astro is a framework dependency referenced in config files; normal for SSR packages. | ai | |
| phantom-deps | phantom-dep:vue | AI (phantom-deps): Vue referenced in config/templates; standard for Astro+Vue SSR setup. | ai |
Versions (showing 9 of 9)
| Version | Deps | Published |
|---|---|---|
| 2.59.5 | 16 / 4 | |
| 2.58.1 | 16 / 4 | |
| 2.48.15 | 16 / 4 | |
| 2.48.2 | 16 / 4 | |
| 2.44.7 | 16 / 4 | |
| 2.44.0 | 16 / 4 | |
| 2.43.1 | 16 / 4 | |
| 2.42.5 | 16 / 4 | |
| 2.42.4 | 16 / 4 |
v2.59.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.58.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.48.15
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.48.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.44.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.44.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.43.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.42.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.42.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.