@faststore/sdk — Greenflagged

Hooks for creating your next component library

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

emersonlaurentinoguieevcmarcos_vtexlariciamotaeduardo.formigahellofanny

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:dist/cjs/index.js	AI (source-diff): Standard Vite-minified CJS bundle; content is readable SDK code, not obfuscated malware. Stable for this package.	ai	2026/05/25
provenance	publisher-changed	AI (provenance): VTEX org migrated publishing to GitHub Actions CI/CD with SLSA attestation; stable organizational pattern.	ai	2026/05/20
publish-pattern	dormant-publish	AI (publish-pattern): Package is part of vtex/faststore monorepo; dormancy reflects monorepo release cadence, not abandonment.	ai	2026/05/20
phantom-deps	phantom-dep:@types/react	AI (phantom-deps): @types/react is a type-only dependency; not directly imported at runtime by convention.	ai	2026/05/20

Versions (showing 37 of 37)

Version	Deps	Published
4.1.1	3 / 13	2026-05-15
4.1.0	3 / 12	2026-05-11
4.0.0	3 / 12	2026-05-07
3.99.4	4 / 11	2026-05-14
3.99.2	4 / 11	2026-05-11
3.99.1	4 / 11	2026-05-06
3.99.0	4 / 11	2026-05-04
3.98.0	4 / 11	2026-03-27
3.97.0	4 / 11	2026-02-03
3.96.0	4 / 11	2025-12-24
3.95.0	4 / 11	2025-12-02
3.94.0	4 / 11	2025-11-19
3.93.0	4 / 11	2025-11-04
3.92.0	4 / 11	2025-11-03
3.91.2	4 / 11	2025-10-27
3.91.1	4 / 11	2025-10-24
3.90.0	4 / 11	2025-10-13
3.89.4	4 / 11	2025-10-06
3.89.2	4 / 11	2025-10-02
3.88.6	4 / 11	2025-09-23
3.85.0	4 / 11	2025-09-15
3.83.1	4 / 11	2025-09-09
3.81.0	4 / 11	2025-09-05
3.80.0	4 / 11	2025-09-04
3.77.2	4 / 11	2025-08-21
3.72.0	4 / 11	2025-08-05
3.68.0	4 / 11	2025-07-28
3.63.0	4 / 11	2025-07-14
3.60.3	4 / 11	2025-07-02
3.60.2	4 / 11	2025-07-02
3.56.1	2 / 11	2025-06-19
3.50.3	2 / 11	2025-06-02
3.49.1	2 / 11	2025-05-27
3.49.0	2 / 11	2025-05-26
3.46.0	2 / 11	2025-05-21
3.45.0	2 / 11	2025-05-20
3.44.0	2 / 11	2025-05-13

v4.1.1

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

HIGH New obfuscated file: dist/cjs/index.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.0

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

HIGH New obfuscated file: dist/cjs/index.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.0

2 findings

HIGH New obfuscated file: dist/cjs/index.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.99.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.99.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.99.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.99.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.98.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.97.0

2 findings

HIGH Publisher changed: emersonlaurentino → GitHub Actions (on 2026-02-03) provenance

This version was published by a different npm account than previous versions on 2026-02-03. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.96.0

2 findings

HIGH Publisher changed: emersonlaurentino → GitHub Actions (on 2025-12-24) provenance

This version was published by a different npm account than previous versions on 2025-12-24. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.