@eeacms/volto-searchlib

Versions: 8
License:
Install Scripts: Yes
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance · npm registry signatures · gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

demarant, avoinea, tiberiuichim, zotya, alecghica, eea-jenkins, razvan.miu, ichimdav, valentinab25, nileshgulia1

Keywords

volto-addon, volto, plone, react

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
phantom-deps phantom-dep:@elastic/react-search-ui-views AI (phantom-deps): Config-referenced dependency; stable pattern for this package. ai
phantom-deps phantom-dep:http-proxy-middleware AI (phantom-deps): Config-referenced dependency; stable pattern for this package. ai
phantom-deps phantom-dep:react-masonry-component AI (phantom-deps): Config-referenced dependency; stable pattern for this package. ai
phantom-deps phantom-dep:@eeacms/volto-design-tokens AI (phantom-deps): Same-org scoped dependency; stable pattern for this package. ai
phantom-deps phantom-dep:deep-equal AI (phantom-deps): Config-referenced dependency; stable pattern for this package. ai
phantom-deps phantom-dep:node-fetch AI (phantom-deps): Config-referenced dependency; stable pattern for this package. ai
phantom-deps phantom-dep:svg-loader AI (phantom-deps): Config-referenced dependency; stable pattern for this package. ai
phantom-deps phantom-dep:@visx/group AI (phantom-deps): Config-referenced dependency; stable pattern for this package. ai
phantom-deps phantom-dep:@visx/scale AI (phantom-deps): Config-referenced dependency; stable pattern for this package. ai
phantom-deps phantom-dep:@visx/shape AI (phantom-deps): Config-referenced dependency; stable pattern for this package. ai
phantom-deps phantom-dep:lodash.uniq AI (phantom-deps): Config-referenced dependency; stable pattern for this package. ai
phantom-deps phantom-dep:fast-deep-equal AI (phantom-deps): Config-referenced dependency; stable pattern for this package. ai
phantom-deps phantom-dep:lodash.clonedeep AI (phantom-deps): Config-referenced dependency; stable pattern for this package. ai
phantom-deps phantom-dep:lodash.isfunction AI (phantom-deps): Config-referenced dependency; stable pattern for this package. ai
semgrep semgrep:shady-links-raw-ip AI (semgrep): Raw IP is a default localhost Elasticsearch host constant (0.0.0.0:9200), not exfiltration. ai
semgrep semgrep:dynamic-require AI (semgrep): Dynamic require in .eslintrc.js loads a tsconfig path for ESLint alias resolution; standard build tooling pattern. ai
install-scripts install-script:postinstall AI (install-scripts): Postinstall only patches an import in a sibling EEA package; no network access, fully auditable inline code. ai

Versions (showing 8 of 8)

Version Deps Published
4.1.1 39 / 8
4.0.3 38 / 8
4.0.2 38 / 8
4.0.1 38 / 8
3.0.3 38 / 8
3.0.2 38 / 8
3.0.1 38 / 8
3.0.0 38 / 8

v4.1.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.3

2 findings
HIGH Package has 'postinstall' script install-scripts

Script: node -e "const fs=require('fs'); const path=require('path'); let file; try { file=path.join(path.dirname(require.resolve('@eeacms/volto-eea-chatbot/package.json')), 'src/ChatBlock/chat/AIMessage.tsx'); } catch (error) { process.exit(0); } const from=\"import visit from 'unist-util-visit';\"; const to=\"import { visit } from 'unist-util-visit';\"; const source=fs.readFileSync(file, 'utf8'); if (source.includes(from) && !source.includes(to)) { fs.writeFileSync(file, source.replace(from, to)); }"

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.0.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.0.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.0.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.0.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.0.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.