@coveo/headless
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@coveo/relay-event-types | AI (phantom-deps): Same-org @coveo/relay-event-types dependency; phantom-dep fires due to bundled dist pattern. | ai | |
| phantom-deps | phantom-dep:ts-debounce | AI (phantom-deps): ts-debounce is a well-known debounce utility; phantom-dep fires due to bundled dist pattern. | ai | |
| phantom-deps | phantom-dep:@coveo/relay | AI (phantom-deps): Same-org @coveo/relay dependency; phantom-dep fires due to bundled dist pattern. | ai | |
| phantom-deps | phantom-dep:coveo.analytics | AI (phantom-deps): coveo.analytics is Coveo's own analytics library; phantom-dep fires due to bundled dist pattern. | ai | |
| phantom-deps | phantom-dep:@reduxjs/toolkit | AI (phantom-deps): @reduxjs/toolkit is a standard Redux library; phantom-dep fires due to bundled dist pattern. | ai | |
| phantom-deps | phantom-dep:exponential-backoff | AI (phantom-deps): exponential-backoff is a well-known retry utility; phantom-dep fires due to bundled dist pattern. | ai | |
| phantom-deps | phantom-dep:node-abort-controller | AI (phantom-deps): node-abort-controller is a legitimate AbortController polyfill used in bundled dist output; phantom-dep fires because static analysis can't trace bundled imports in this large library. | ai | |
| dependencies | unvetted-dep:node-abort-controller | AI (dependencies): node-abort-controller 3.1.1 is a well-known Node.js AbortController polyfill; pinned version, legitimate use in a headless search library. | ai | |
| phantom-deps | phantom-dep:dayjs | AI (phantom-deps): dayjs is a well-known date library; phantom-dep fires due to bundled dist pattern in this library. | ai | |
| phantom-deps | phantom-dep:fast-equals | AI (phantom-deps): fast-equals is a well-known equality library; phantom-dep fires due to bundled dist pattern. | ai | |
| phantom-deps | phantom-dep:redux-thunk | AI (phantom-deps): redux-thunk is a standard Redux middleware; phantom-dep fires due to bundled dist pattern. | ai | |
| provenance | publisher-changed | AI (provenance): Transition from human account (pixhel) to GitHub Actions CI/CD publishing is a legitimate security improvement for this established Coveo package, corroborated by SLSA provenance attestation. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Active SDK with many sub-packages (commerce, SSR, insight, etc.); new source files are consistent with feature growth. No obfuscation or suspicious patterns flagged. | ai | |
| phantom-deps | phantom-dep:navigator.sendbeacon | AI (phantom-deps): navigator.sendbeacon is a well-known browser API polyfill; declared in package.json and referenced via config is expected for this library. | ai | |
| phantom-deps | phantom-dep:abortcontroller-polyfill | AI (phantom-deps): abortcontroller-polyfill is a legitimate polyfill; config-only reference is a standard pattern for conditionally bundled polyfills. | ai | |
| phantom-deps | phantom-dep:headers-polyfill | AI (phantom-deps): headers-polyfill is a legitimate polyfill declared in package.json and referenced via config; this pattern is stable for this package. | ai | |
Versions (showing 51 of 68)
| Version | Deps | Published |
|---|---|---|
| 3.51.4 | 15 / 5 | |
| 3.51.3 | 15 / 5 | |
| 3.51.2 | 15 / 5 | |
| 3.51.1 | 15 / 5 | |
| 3.51.0 | 15 / 5 | |
| 3.50.1 | 15 / 5 | |
| 3.50.0 | 15 / 5 | |
| 3.49.4 | 15 / 5 | |
| 3.49.3 | 15 / 5 | |
| 3.49.2 | 15 / 5 | |
| 3.49.1 | 15 / 5 | |
| 3.49.0 | 15 / 5 | |
| 3.48.1 | 15 / 5 | |
| 3.48.0 | 15 / 5 | |
| 3.47.2 | 15 / 5 | |
| 3.47.1 | 15 / 5 | |
| 3.47.0 | 15 / 5 | |
| 3.46.1 | 15 / 5 | |
| 3.46.0 | 15 / 5 | |
| 3.45.1 | 14 / 5 | |
| 3.45.0 | 14 / 5 | |
| 3.44.0 | 14 / 5 | |
| 3.43.0 | 14 / 5 | |
| 3.42.1 | 14 / 5 | |
| 3.42.0 | 14 / 5 | |
| 3.41.1 | 14 / 5 | |
| 3.41.0 | 14 / 5 | |
| 3.40.0 | 14 / 5 | |
| 3.39.0 | 14 / 5 | |
| 3.38.0 | 14 / 5 | |
| 3.37.0 | 14 / 5 | |
| 3.36.0 | 14 / 5 | |
| 3.35.4 | 14 / 5 | |
| 3.35.3 | 14 / 5 | |
| 3.35.2 | 14 / 5 | |
| 3.35.1 | 14 / 5 | |
| 3.35.0 | 14 / 5 | |
| 3.34.2 | 14 / 5 | |
| 3.34.1 | 14 / 5 | |
| 3.34.0 | 13 / 4 | |
| 3.29.2 | 14 / 5 | |
| 3.29.1 | 14 / 5 | |
| 3.29.0 | 14 / 5 | |
| 3.28.4 | 14 / 5 | |
| 3.28.3 | 14 / 5 | |
| 3.28.2 | 14 / 5 | |
| 3.28.1 | 14 / 5 | |
| 3.28.0 | 14 / 5 | |
| 3.27.7 | 14 / 5 | |
| 3.27.6 | 14 / 5 | |
| 3.27.5 | 14 / 5 | |
v3.51.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.51.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.51.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.51.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.51.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.50.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.50.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.49.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.49.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.49.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.49.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.48.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.48.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.47.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.47.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.47.0
2 findings
This version was published by a different npm account than previous versions on 2026-03-18. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.46.1
2 findings
This version was published by a different npm account than previous versions on 2026-03-11. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.46.0
2 findings
This version was published by a different npm account than previous versions on 2026-03-04. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.45.1
2 findings
This version was published by a different npm account than previous versions on 2026-02-25. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.45.0
2 findings
This version was published by a different npm account than previous versions on 2026-02-18. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.44.0
2 findings
This version was published by a different npm account than previous versions on 2026-02-18. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.43.0
2 findings
This version was published by a different npm account than previous versions on 2026-02-11. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.42.1
2 findings
This version was published by a different npm account than previous versions on 2026-02-04. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.42.0
2 findings
This version was published by a different npm account than previous versions on 2026-02-04. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.41.1
2 findings
This version was published by a different npm account than previous versions on 2026-01-28. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.41.0
2 findings
This version was published by a different npm account than previous versions on 2026-01-28. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.40.0
2 findings
This version was published by a different npm account than previous versions on 2026-01-21. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.39.0
2 findings
This version was published by a different npm account than previous versions on 2026-01-07. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.38.0
2 findings
This version was published by a different npm account than previous versions on 2026-01-06. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.37.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.36.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.35.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.35.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.35.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.35.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.35.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.34.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.34.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.34.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.29.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.29.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.29.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.28.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.28.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.28.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.28.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.28.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.27.7
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.27.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.27.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.