@commercetools-frontend/application-components
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/custom-views-selector-b3e2845a.cjs.dev.js | AI (source-diff): Standard bundled CJS output from commercetools monorepo CI; long-line pattern is minified build artifact, not obfuscation. | ai | |
| publish-pattern | rapid-publish | AI (publish-pattern): Automated CI/CD release pipeline with SLSA provenance; rapid publishes are expected for this monorepo. | ai | |
| source-diff | obfuscated-file:dist/custom-views-selector-1481038a.cjs.dev.js | AI (source-diff): Standard bundled CJS dist output for this package; long lines are minified but imports are all known safe dependencies. | ai | |
| source-diff | obfuscated-file:dist/custom-views-selector-e0098ddd.cjs.dev.js | AI (source-diff): Standard minified dist bundle from established commercetools monorepo; long lines are normal bundler output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/custom-views-selector-b959c0cc.cjs.dev.js | AI (source-diff): Standard Babel-compiled CJS dist output with readable imports; consistent with this package's build pattern. | ai | |
| source-diff | obfuscated-file:dist/custom-views-selector-9b8fd19f.cjs.dev.js | AI (source-diff): Standard Babel-bundled CJS dist output; long lines are minified bundle artifact, not obfuscation. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/custom-views-selector-669191da.cjs.dev.js | AI (source-diff): Standard Babel/Emotion bundled output; long lines are minified imports, not obfuscation. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/custom-views-selector-f14d7170.cjs.dev.js | AI (source-diff): Standard bundled CJS dist output for a React component library; long lines are from bundler, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/custom-views-selector-IhV67to_.cjs.dev.js | AI (source-diff): Standard bundled CJS dist output for a commercetools UI package; long lines are from bundling, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/public-page-layout-_DPNwPKP.cjs.dev.js | AI (source-diff): Standard bundled CJS dist output; inline source maps and Emotion CSS-in-JS patterns explain long lines. | ai | |
| source-diff | obfuscated-file:dist/custom-views-selector-20492897.cjs.dev.js | AI (source-diff): Standard bundled CJS dist file from commercetools monorepo; long lines are Babel/Emotion output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/custom-views-selector-4eb40fd2.cjs.dev.js | AI (source-diff): Standard bundled CJS dist output with inline source maps; long lines are from base64 source map data, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/custom-views-selector-9bd7baee.cjs.dev.js | AI (source-diff): Standard bundled CJS dist output for this package; long lines are bundler artifacts, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/custom-views-selector-bbe84aa3.cjs.dev.js | AI (source-diff): Standard bundled CJS dist output for a long-established commercetools package; long lines are from bundling, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/custom-views-selector-b5b11b25.cjs.dev.js | AI (source-diff): Standard bundled dist output for this commercetools package; long lines are minified CJS, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/custom-views-selector-dfbd2d10.cjs.dev.js | AI (source-diff): Standard bundled CJS dist output for this package; long lines are bundle artifacts, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/custom-views-selector-bc0fa19e.cjs.dev.js | AI (source-diff): Standard bundled CJS dist output for this commercetools monorepo package; long lines are from bundling, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/public-page-layout-b92fb7e4.cjs.dev.js | AI (source-diff): Standard Babel/Emotion CJS bundle with inline sourcemaps; long lines are bundler output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/custom-views-selector-8cde3a16.cjs.dev.js | AI (source-diff): Standard Babel/Emotion CJS bundle with inline sourcemaps; long lines are bundler output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/custom-views-selector-71abb548.cjs.dev.js | AI (source-diff): Standard Babel/Emotion compiled bundle with readable imports and inline sourcemaps; not obfuscated. | ai | |
| provenance | publisher-changed | AI (provenance): Transition from manual npm publish to GitHub Actions CI/CD with SLSA attestation; legitimate for this org. | ai | |
| source-diff | obfuscated-file:dist/public-page-layout-c0f5e884.cjs.dev.js | AI (source-diff): Standard Babel/Emotion compiled bundle with readable imports and inline sourcemaps; not obfuscated. | ai | |
| phantom-deps | phantom-dep:@commercetools-frontend/l10n | AI (phantom-deps): Same-org sibling dep declared in package.json; stable false positive. | ai | |
| phantom-deps | phantom-dep:@commercetools-uikit/label | AI (phantom-deps): Same-org sibling dep declared in package.json; stable false positive. | ai | |
| phantom-deps | phantom-dep:@types/react-router-dom | AI (phantom-deps): Framework-scoped type package; stable false positive. | ai | |
| phantom-deps | phantom-dep:@react-hook/latest | AI (phantom-deps): Declared runtime dep; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@types/prop-types | AI (phantom-deps): Framework-scoped type package; stable false positive. | ai | |
| phantom-deps | phantom-dep:@types/react-dom | AI (phantom-deps): Framework-scoped type package; stable false positive. | ai | |
| phantom-deps | phantom-dep:@types/history | AI (phantom-deps): Framework-scoped type package; stable false positive. | ai | |
| phantom-deps | phantom-dep:@babel/runtime | AI (phantom-deps): Framework-scoped runtime package; stable false positive. | ai | |
| phantom-deps | phantom-dep:@types/lodash | AI (phantom-deps): Framework-scoped type package; stable false positive. | ai | |
| phantom-deps | phantom-dep:@types/react | AI (phantom-deps): Framework-scoped type package; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:raf-schd | AI (phantom-deps): Declared runtime dep used transitively; phantom-dep heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:prop-types | AI (phantom-deps): Declared runtime dep; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@commercetools-frontend/application-config | AI (phantom-deps): Same-org sibling dep declared in package.json; stable false positive. | ai | |
| phantom-deps | phantom-dep:@commercetools-uikit/messages | AI (phantom-deps): Same-org sibling dep declared in package.json; stable false positive. | ai | |
Versions (showing 26 of 26)
| Version | Deps | Published |
|---|---|---|
| 27.6.2 | 43 / 12 | |
| 27.6.1 | 43 / 12 | |
| 27.6.0 | 43 / 12 | |
| 27.5.4 | 43 / 12 | |
| 27.5.3 | 43 / 12 | |
| 27.5.2 | 43 / 12 | |
| 27.5.1 | 43 / 12 | |
| 27.5.0 | 43 / 12 | |
| 27.4.2 | 43 / 12 | |
| 27.4.1 | 43 / 12 | |
| 27.4.0 | 43 / 12 | |
| 27.3.0 | 43 / 12 | |
| 27.2.0 | 43 / 12 | |
| 27.1.0 | 43 / 12 | |
| 27.0.0 | 43 / 12 | |
| 26.1.0 | 43 / 12 | |
| 26.0.2 | 43 / 12 | |
| 26.0.1 | 43 / 12 | |
| 26.0.0 | 43 / 12 | |
| 25.2.0 | 43 / 12 | |
| 25.1.0 | 43 / 12 | |
| 25.0.0 | 43 / 12 | |
| 24.13.0 | 43 / 12 | |
| 24.12.0 | 43 / 12 | |
| 24.11.0 | 43 / 12 | |
| 24.10.0 | 43 / 12 | |
v27.6.2
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v27.6.1
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v27.6.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v27.5.4
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v27.5.3
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v27.5.2
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v27.5.1
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v27.5.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v27.4.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v27.4.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v27.3.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v27.2.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v27.1.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v27.0.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.1.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.0.2
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.0.1
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.0.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v25.2.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v25.1.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v25.0.0
4 findings
This version was published by a different npm account than previous versions on 2026-01-08. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.13.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.12.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.11.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.10.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.