@coveo/headless
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@coveo/relay-event-types | AI (phantom-deps): Same-org @coveo/relay-event-types dependency; phantom-dep fires due to bundled dist pattern. | ai | |
| phantom-deps | phantom-dep:ts-debounce | AI (phantom-deps): ts-debounce is a well-known debounce utility; phantom-dep fires due to bundled dist pattern. | ai | |
| phantom-deps | phantom-dep:@coveo/relay | AI (phantom-deps): Same-org @coveo/relay dependency; phantom-dep fires due to bundled dist pattern. | ai | |
| phantom-deps | phantom-dep:coveo.analytics | AI (phantom-deps): coveo.analytics is Coveo's own analytics library; phantom-dep fires due to bundled dist pattern. | ai | |
| phantom-deps | phantom-dep:@reduxjs/toolkit | AI (phantom-deps): @reduxjs/toolkit is a standard Redux library; phantom-dep fires due to bundled dist pattern. | ai | |
| phantom-deps | phantom-dep:exponential-backoff | AI (phantom-deps): exponential-backoff is a well-known retry utility; phantom-dep fires due to bundled dist pattern. | ai | |
| phantom-deps | phantom-dep:node-abort-controller | AI (phantom-deps): node-abort-controller is a legitimate AbortController polyfill used in bundled dist output; phantom-dep fires because static analysis can't trace bundled imports in this large library. | ai | |
| dependencies | unvetted-dep:node-abort-controller | AI (dependencies): node-abort-controller 3.1.1 is a well-known Node.js AbortController polyfill; pinned version, legitimate use in a headless search library. | ai | |
| phantom-deps | phantom-dep:dayjs | AI (phantom-deps): dayjs is a well-known date library; phantom-dep fires due to bundled dist pattern in this library. | ai | |
| phantom-deps | phantom-dep:fast-equals | AI (phantom-deps): fast-equals is a well-known equality library; phantom-dep fires due to bundled dist pattern. | ai | |
| phantom-deps | phantom-dep:redux-thunk | AI (phantom-deps): redux-thunk is a standard Redux middleware; phantom-dep fires due to bundled dist pattern. | ai | |
| provenance | publisher-changed | AI (provenance): Transition from human account (pixhel) to GitHub Actions CI/CD publishing is a legitimate security improvement for this established Coveo package, corroborated by SLSA provenance attestation. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Active SDK with many sub-packages (commerce, SSR, insight, etc.); new source files are consistent with feature growth. No obfuscation or suspicious patterns flagged. | ai | |
| phantom-deps | phantom-dep:navigator.sendbeacon | AI (phantom-deps): navigator.sendbeacon is a well-known browser API polyfill; declared in package.json and referenced via config is expected for this library. | ai | |
| phantom-deps | phantom-dep:abortcontroller-polyfill | AI (phantom-deps): abortcontroller-polyfill is a legitimate polyfill; config-only reference is a standard pattern for conditionally bundled polyfills. | ai | |
| phantom-deps | phantom-dep:headers-polyfill | AI (phantom-deps): headers-polyfill is a legitimate polyfill declared in package.json and referenced via config; this pattern is stable for this package. | ai | |
Versions (showing 68 of 68)
| Version | Deps | Published |
|---|---|---|
| 3.51.4 | 15 / 5 | |
| 3.51.3 | 15 / 5 | |
| 3.51.2 | 15 / 5 | |
| 3.51.1 | 15 / 5 | |
| 3.51.0 | 15 / 5 | |
| 3.50.1 | 15 / 5 | |
| 3.50.0 | 15 / 5 | |
| 3.49.4 | 15 / 5 | |
| 3.49.3 | 15 / 5 | |
| 3.49.2 | 15 / 5 | |
| 3.49.1 | 15 / 5 | |
| 3.49.0 | 15 / 5 | |
| 3.48.1 | 15 / 5 | |
| 3.48.0 | 15 / 5 | |
| 3.47.2 | 15 / 5 | |
| 3.47.1 | 15 / 5 | |
| 3.47.0 | 15 / 5 | |
| 3.46.1 | 15 / 5 | |
| 3.46.0 | 15 / 5 | |
| 3.45.1 | 14 / 5 | |
| 3.45.0 | 14 / 5 | |
| 3.44.0 | 14 / 5 | |
| 3.43.0 | 14 / 5 | |
| 3.42.1 | 14 / 5 | |
| 3.42.0 | 14 / 5 | |
| 3.41.1 | 14 / 5 | |
| 3.41.0 | 14 / 5 | |
| 3.40.0 | 14 / 5 | |
| 3.39.0 | 14 / 5 | |
| 3.38.0 | 14 / 5 | |
| 3.37.0 | 14 / 5 | |
| 3.36.0 | 14 / 5 | |
| 3.35.4 | 14 / 5 | |
| 3.35.3 | 14 / 5 | |
| 3.35.2 | 14 / 5 | |
| 3.35.1 | 14 / 5 | |
| 3.35.0 | 14 / 5 | |
| 3.34.2 | 14 / 5 | |
| 3.34.1 | 14 / 5 | |
| 3.34.0 | 13 / 4 | |
| 3.29.2 | 14 / 5 | |
| 3.29.1 | 14 / 5 | |
| 3.29.0 | 14 / 5 | |
| 3.28.4 | 14 / 5 | |
| 3.28.3 | 14 / 5 | |
| 3.28.2 | 14 / 5 | |
| 3.28.1 | 14 / 5 | |
| 3.28.0 | 14 / 5 | |
| 3.27.7 | 14 / 5 | |
| 3.27.6 | 14 / 5 | |
| 3.27.5 | 14 / 5 | |
| 3.27.4 | 15 / 8 | |
| 3.27.3 | 15 / 9 | |
| 3.27.2 | 15 / 9 | |
| 3.27.1 | 15 / 9 | |
| 3.27.0 | 15 / 9 | |
| 3.26.1 | 15 / 9 | |
| 3.26.0 | 15 / 9 | |
| 3.25.2 | 15 / 8 | |
| 3.25.1 | 15 / 8 | |
| 3.25.0 | 15 / 8 | |
| 3.24.1 | 15 / 8 | |
| 3.24.0 | 15 / 8 | |
| 3.23.1 | 15 / 8 | |
| 3.23.0 | 15 / 8 | |
| 3.22.5 | 15 / 8 | |
| 3.22.4 | 15 / 8 | |
| 3.22.2 | 15 / 7 | |
v3.51.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.51.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.51.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.51.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.51.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.50.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.50.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.49.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.49.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.49.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.49.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.48.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.48.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.47.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.47.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.47.0
2 findings: This version was published by a different npm account than previous versions on 2026-03-18. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.46.1
2 findings: This version was published by a different npm account than previous versions on 2026-03-11. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.46.0
2 findings: This version was published by a different npm account than previous versions on 2026-03-04. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.45.1
2 findings: This version was published by a different npm account than previous versions on 2026-02-25. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.45.0
2 findings: This version was published by a different npm account than previous versions on 2026-02-18. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.44.0
2 findings: This version was published by a different npm account than previous versions on 2026-02-18. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.43.0
2 findings: This version was published by a different npm account than previous versions on 2026-02-11. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.42.1
2 findings: This version was published by a different npm account than previous versions on 2026-02-04. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.42.0
2 findings: This version was published by a different npm account than previous versions on 2026-02-04. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.41.1
2 findings: This version was published by a different npm account than previous versions on 2026-01-28. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.41.0
2 findings: This version was published by a different npm account than previous versions on 2026-01-28. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.40.0
2 findings: This version was published by a different npm account than previous versions on 2026-01-21. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.39.0
2 findings: This version was published by a different npm account than previous versions on 2026-01-07. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.38.0
2 findings: This version was published by a different npm account than previous versions on 2026-01-06. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.37.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.36.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.35.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.35.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.35.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.35.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.35.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.34.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.34.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.34.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.29.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.29.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.29.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.28.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.28.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.28.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.28.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.28.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.27.7
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.27.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.27.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.27.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.27.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.27.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.27.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.27.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.26.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.26.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.25.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.25.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.25.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.24.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.24.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.23.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.23.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.22.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.22.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.22.2
2 findings: Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.