@coveo/quantic
A Salesforce Lightning Web Component (LWC) library for building modern UIs interfacing with the Coveo platform
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-removed | AI (maintainer-change): Coveo migrated publishing to GitHub Actions CI; removal of human maintainers is expected org-level automation change. | ai | |
| provenance | missing-githead | AI (provenance): Package has SLSA provenance attestation; missing gitHead is a minor CI config change, not a supply chain risk for this established package. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Coveo org package with SLSA provenance; CI/CD publisher and no material changes from prior version. | ai | |
| phantom-deps | phantom-dep:marked | AI (phantom-deps): Listed as runtime dep; used in LWC components via config, not direct JS import — false positive for this package. | ai | |
| install-scripts | install-script:preinstall | AI (install-scripts): Runs local check-sfdx-project.js; standard SFDX project validation, stable for this Salesforce LWC package. | ai | |
| phantom-deps | phantom-dep:dompurify | AI (phantom-deps): Listed as runtime dep; used in LWC components via config, not direct JS import — false positive for this package. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Runs local setup-quantic.js; documented Salesforce LWC setup step, stable for this package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Fires inside bundled headless.js UMD wrapper — standard module pattern, not a security concern. | ai | |
Versions (showing 17 of 17)
| Version | Deps | Published |
|---|---|---|
| 3.38.0 | 5 / 23 | |
| 3.37.10 | 5 / 23 | |
| 3.37.9 | 5 / 23 | |
| 3.37.8 | 5 / 23 | |
| 3.37.7 | 5 / 23 | |
| 3.37.6 | 5 / 23 | |
| 3.37.1 | 5 / 23 | |
| 3.30.1 | 5 / 30 | |
| 3.29.7 | 5 / 29 | |
| 3.28.1 | 5 / 29 | |
| 3.26.1 | 5 / 30 | |
| 3.23.0 | 5 / 30 | |
| 3.22.2 | 5 / 30 | |
| 3.22.0 | 5 / 30 | |
| 3.21.1 | 5 / 30 | |
| 3.21.0 | 5 / 30 | |
| 3.20.1 | 5 / 30 | |
v3.38.0
2 findings
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
v3.37.10
2 findings
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
v3.37.9
2 findings
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.37.8
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.37.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.37.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.30.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.29.7
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.28.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.26.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.23.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.22.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.22.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.21.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.21.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.20.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.