
@faststore/core

Versions: 5
License: (not shown)
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance
npm registry signatures
No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source: a registry signature only attests that the registry published these bytes, not which repository, commit and build produced them. The axios compromise (March 2026) relied on exactly this gap. Note that the per-version findings further down report an SLSA provenance attestation for every listed version, including 4.1.1, which contradicts this summary; confirm directly against the registry (for example with npm audit signatures) before relying on either.

Maintainers

tlgimeneshellofannyfilipewllucasfjportelaeduardo.formigaguieevcicazevedovictorhmplariciamotaemersonlaurentino

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
phantom-deps | phantom-dep:@graphql-codegen/typescript-operations | AI (phantom-deps): Config-file-referenced codegen tooling; stable false positive for this framework package. | ai |
phantom-deps | phantom-dep:fs-extra | AI (phantom-deps): Config-file-referenced tooling; stable false positive for this framework package. | ai |
phantom-deps | phantom-dep:prettier | AI (phantom-deps): Config-file-referenced formatter; stable false positive for this framework package. | ai |
phantom-deps | phantom-dep:@antfu/ni | AI (phantom-deps): Config-file-referenced tooling; stable false positive for this framework package. | ai |
phantom-deps | phantom-dep:css-loader | AI (phantom-deps): Config-file-referenced build tooling; stable false positive for this framework package. | ai |
phantom-deps | phantom-dep:sass-loader | AI (phantom-deps): Config-file-referenced build tooling; stable false positive for this framework package. | ai |
phantom-deps | phantom-dep:@types/react | AI (phantom-deps): Framework-scoped type package loaded by convention; stable false positive. | ai |
phantom-deps | phantom-dep:autoprefixer | AI (phantom-deps): Config-file-referenced PostCSS plugin; stable false positive for this framework package. | ai |
phantom-deps | phantom-dep:style-loader | AI (phantom-deps): Config-file-referenced build tooling; stable false positive for this framework package. | ai |
phantom-deps | phantom-dep:@builder.io/partytown | AI (phantom-deps): Referenced in partytown script; stable false positive for this framework package. | ai |
phantom-deps | phantom-dep:@vtex/prettier-config | AI (phantom-deps): Config-file-referenced formatter config; stable false positive for this framework package. | ai |
phantom-deps | phantom-dep:@graphql-codegen/typescript | AI (phantom-deps): Config-file-referenced codegen tooling; stable false positive for this framework package. | ai |
phantom-deps | phantom-dep:postcss | AI (phantom-deps): Build tooling referenced in config files; stable false positive. | ai |
phantom-deps | phantom-dep:@lhci/cli | AI (phantom-deps): CLI tool used in lhci script; not directly imported in source. | ai |
phantom-deps | phantom-dep:use-sync-external-store | AI (phantom-deps): Runtime dep used transitively; phantom-dep heuristic false positive. | ai |
bogus-package | bogus-package | AI (bogus-package): Established VTEX monorepo package; README link density is typical for a framework docs page. | ai |
phantom-deps | phantom-dep:sass | AI (phantom-deps): Build tooling dependency referenced in config files; stable false positive for this package. | ai |
phantom-deps | phantom-dep:sharp | AI (phantom-deps): Known implicit runtime/binary dependency for Next.js image optimization. | ai |
install-scripts | install-script:postinstall | AI (install-scripts): Standard CI-skip postinstall pattern for VTEX FastStore; stable across versions. | ai |
semgrep | semgrep:base64-decode | AI (semgrep): Fires in bundled Next.js server chunks; not malicious payload. | ai |
semgrep | semgrep:dynamic-require | AI (semgrep): Webpack runtime boilerplate; standard bundler pattern. | ai |
semgrep | semgrep:new-function-constructor | AI (semgrep): Partytown web worker sandboxing pattern; expected usage. | ai |
typosquat | typosquat.levenshtein:cors | AI (typosquat): Scoped @faststore/core package; not a typosquat of cors. | ai |

Versions (showing 5 of 5)

Version | Deps | Published
4.1.1 | 53 / 20 |
4.1.0 | 53 / 19 |
4.0.0 | 53 / 19 |
3.99.0 | 59 / 19 |
3.98.4 | 57 / 19 |

v4.1.1

2 findings
HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@faststore/core' is 1 edit away from popular package 'cors'. The distance is computed on the unscoped name 'core'; the full specifier '@faststore/core' is nowhere near one edit from 'cors', which is why the accepted-risks table records this rule as a false positive for this package.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.0

2 findings
HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@faststore/core' is 1 edit(s) away from popular package 'cors'.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.0

2 findings
HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@faststore/core' is 1 edit(s) away from popular package 'cors'.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.99.0

3 findings
HIGH Package has 'postinstall' script install-scripts

Script: node postinstall.js && is-ci || echo Skipped postinstall step for @faststore/core

The shell evaluates this left to right as (node postinstall.js && is-ci) || echo ..., so node postinstall.js runs on every install, inside CI and outside it. The echo only masks a non-zero exit, either from the script itself or from is-ci when no CI environment is detected, which means the install never fails and the "Skipped" message does not mean postinstall.js was skipped. To install without running it, use npm ci --ignore-scripts and review postinstall.js from the unpacked tarball first.

HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@faststore/core' is 1 edit(s) away from popular package 'cors'.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.98.4

3 findings
HIGH Package has 'postinstall' script install-scripts

Script: node postinstall.js && is-ci || echo Skipped postinstall step for @faststore/core

HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@faststore/core' is 1 edit(s) away from popular package 'cors'.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.