@commercetools-frontend/mc-scripts

Configuration and scripts for developing a MC application

Versions: 20
License: MIT
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation, npm registry signatures, No source commit

Maintainers

tdeekens, emmenko, commercetools-admin

Keywords

javascript, frontend, react, toolkit

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source Rule Reason Accepted by When
source-diff obfuscated-file:dist/graphql-requests-6ead2029.cjs.prod.js AI (source-diff): Standard Rollup CJS bundle with Babel polyfill imports; long lines are bundled requires, not obfuscation. ai
source-diff obfuscated-file:dist/graphql-requests-bd7a3fe9.cjs.dev.js AI (source-diff): Standard Rollup CJS dev bundle; same pattern as prod bundle, not obfuscation. ai
source-diff obfuscated-file:dist/graphql-requests-82ecc296.cjs.dev.js AI (source-diff): Standard Rollup CJS dev bundle; same pattern as prod bundle, benign build artifact. ai
source-diff obfuscated-file:dist/graphql-requests-5754c65e.cjs.prod.js AI (source-diff): Standard Rollup CJS prod bundle with readable imports; long lines from bundling, not obfuscation. ai
source-diff obfuscated-file:dist/graphql-requests-D0rtMo7K.cjs.prod.js AI (source-diff): Standard Rollup CJS prod build artifact with readable imports; long lines from bundled code, not obfuscation. ai
source-diff obfuscated-file:dist/graphql-requests-BeUd4g3v.cjs.dev.js AI (source-diff): Standard Rollup CJS dev build artifact with readable imports; long lines from bundled code, not obfuscation. ai
source-diff obfuscated-file:dist/graphql-requests-86c87041.cjs.dev.js AI (source-diff): Standard rollup CJS dev bundle; same pattern as prod bundle. Stable false positive for this package. ai
source-diff obfuscated-file:dist/graphql-requests-4c97fe92.cjs.prod.js AI (source-diff): Standard rollup CJS bundle with readable imports; long lines are from bundling, not obfuscation. Stable pattern for this package. ai
source-diff obfuscated-file:dist/graphql-requests-eb88492d.cjs.prod.js AI (source-diff): Standard Babel CJS prod build artifact; same pattern as dev variant, not obfuscation. ai
source-diff obfuscated-file:dist/graphql-requests-25e057ed.cjs.dev.js AI (source-diff): Standard Babel CJS build artifact; long lines from bundled polyfill imports, not obfuscation. ai
dependencies unvetted-dep:vite-plugin-clean-build AI (dependencies): Build-time Vite plugin with no install scripts or malware indicators; low risk for this established package. ai
dependencies unvetted-dep:@types/svgo AI (dependencies): Type-only package for svgo; no runtime risk, stable for this build tooling package. ai
dependencies unvetted-dep:@rollup/plugin-graphql AI (dependencies): Official @rollup scoped build plugin; low risk for a build tooling package. ai
phantom-deps phantom-dep:babel-plugin-formatjs AI (phantom-deps): Babel plugin loaded by convention in build config. ai
phantom-deps phantom-dep:babel-plugin-react-compiler AI (phantom-deps): Babel plugin loaded by convention in build config. ai
phantom-deps phantom-dep:moment AI (phantom-deps): Build tool; phantom deps are convention-loaded plugins, not missing imports. ai
phantom-deps phantom-dep:@babel/plugin-proposal-do-expressions AI (phantom-deps): Babel plugin loaded by convention in build config. ai
phantom-deps phantom-dep:@commercetools-frontend/application-components AI (phantom-deps): Same-org package; phantom dep heuristic is a false positive here. ai
phantom-deps phantom-dep:@types/webpack-bundle-analyzer AI (phantom-deps): Type-only package; not directly imported by design. ai
phantom-deps phantom-dep:postcss AI (phantom-deps): Build tool; postcss loaded by webpack/rollup config convention. ai
phantom-deps phantom-dep:shelljs AI (phantom-deps): Scripts package; shelljs used in CLI scripts loaded by convention. ai
phantom-deps phantom-dep:prettier AI (phantom-deps): Build/scripts tool; prettier referenced in config files by convention. ai
phantom-deps phantom-dep:node-fetch AI (phantom-deps): Scripts package; node-fetch used in CLI utilities by convention. ai
phantom-deps phantom-dep:@babel/core AI (phantom-deps): Framework-scoped babel package; loaded by convention in build tooling. ai
phantom-deps phantom-dep:@types/svgo AI (phantom-deps): Type-only package; not directly imported by design. ai
phantom-deps phantom-dep:json-loader AI (phantom-deps): Webpack loader referenced in config files by convention. ai
phantom-deps phantom-dep:browserslist AI (phantom-deps): Referenced in build config files by convention. ai
phantom-deps phantom-dep:@babel/runtime AI (phantom-deps): Framework-scoped; loaded by babel transforms by convention. ai
phantom-deps phantom-dep:@types/prompts AI (phantom-deps): Type-only package; not directly imported by design. ai
phantom-deps phantom-dep:@svgr/babel-preset AI (phantom-deps): Babel preset loaded by convention in build config. ai
phantom-deps phantom-dep:@emotion/babel-plugin AI (phantom-deps): Babel plugin loaded by convention in build config. ai

Versions (showing 20 of 20)

Version Deps Published
27.5.3 77 / 12
27.5.2 77 / 12
27.5.1 77 / 12
27.5.0 77 / 12
27.4.2 77 / 12
27.4.1 77 / 13
27.4.0 77 / 13
27.3.0 77 / 13
27.2.0 77 / 13
27.1.0 77 / 13
27.0.0 77 / 13
26.1.0 77 / 13
26.0.1 77 / 13
26.0.0 77 / 13
25.2.0 77 / 13
25.1.0 76 / 12
25.0.0 76 / 12
24.13.0 76 / 14
24.12.0 76 / 14
24.10.0 76 / 14

v27.5.3

3 findings
HIGH New obfuscated file: dist/graphql-requests-BeUd4g3v.cjs.dev.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/graphql-requests-D0rtMo7K.cjs.prod.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v27.5.2

3 findings
HIGH New obfuscated file: dist/graphql-requests-5754c65e.cjs.prod.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/graphql-requests-82ecc296.cjs.dev.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v27.5.1

3 findings
HIGH New obfuscated file: dist/graphql-requests-6ead2029.cjs.prod.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/graphql-requests-bd7a3fe9.cjs.dev.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v27.5.0

3 findings
HIGH New obfuscated file: dist/graphql-requests-4c97fe92.cjs.prod.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/graphql-requests-86c87041.cjs.dev.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v27.4.1

3 findings
HIGH New obfuscated file: dist/graphql-requests-25e057ed.cjs.dev.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/graphql-requests-eb88492d.cjs.prod.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v27.4.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v27.3.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v27.2.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v27.1.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v27.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v26.1.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v26.0.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v26.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v25.2.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v25.1.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v25.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v24.13.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v24.12.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v24.10.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.