
@eeacms/volto-marine-policy

@eeacms/volto-marine-policy: Volto add-on

Versions: 10
License: MIT
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance | npm registry signatures | gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

demarant, avoinea, tiberiuichim, zotya, alecghica, eea-jenkins, razvan.miu, ichimdav, valentinab25, nileshgulia1

Keywords

volto-addon, volto, plone, react

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
| --- | --- | --- | --- | --- |
| phantom-deps | phantom-dep:@plone-collective/volto-authomatic | AI (phantom-deps): Listed in addons array in package.json; referenced in config, not direct JS import. | ai | |
| phantom-deps | phantom-dep:@eeacms/volto-searchlib | AI (phantom-deps): Same-org Volto add-on; referenced in config/addon wiring, not a direct JS import by design. | ai | |
| phantom-deps | phantom-dep:@eeacms/volto-tabs-block | AI (phantom-deps): Same-org Volto add-on; referenced in config/addon wiring. | ai | |
| phantom-deps | phantom-dep:@eeacms/volto-group-block | AI (phantom-deps): Same-org Volto add-on; referenced in config/addon wiring. | ai | |
| phantom-deps | phantom-dep:razzle-plugin-scss | AI (phantom-deps): Build plugin referenced in razzle config, not imported directly — expected pattern. | ai | |
| phantom-deps | phantom-dep:d3-array | AI (phantom-deps): Listed in resolutions for transitive dep pinning; not directly imported by design. | ai | |
| phantom-deps | phantom-dep:react-slick | AI (phantom-deps): UI dependency used transitively via add-ons; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:slick-carousel | AI (phantom-deps): CSS/asset dependency for react-slick; not directly imported in JS. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in .eslintrc.js is a standard Volto/Razzle config pattern for resolving tsconfig paths; not a runtime risk. | ai | |

Versions (showing 10 of 10)

Version Deps Published
3.0.2 16 / 8
3.0.1 16 / 8
3.0.0 19 / 8
2.0.41 19 / 9
2.0.40 18 / 9
2.0.39 18 / 9
2.0.38 18 / 9
2.0.37 18 / 9
2.0.36 18 / 9
2.0.35 18 / 9

v3.0.2

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.41

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.40

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.39

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.38

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.37

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.36

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.35

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.