@freightos/fusion-location-input

Fusion Location Input

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

freightos

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:yalc	AI (dependencies): yalc is a local package publishing tool used only in dev scripts; not a runtime risk.	ai	2026/05/04
dependencies	unvetted-dep:peer-deps-externals-webpack-plugin	AI (dependencies): Build-time webpack plugin; no runtime exposure in published output.	ai	2026/05/04
phantom-deps	phantom-dep:yup	AI (phantom-deps): Validation library likely used in build/test config; stable false positive for this package.	ai	2026/04/29
phantom-deps	phantom-dep:yalc	AI (phantom-deps): yalc is a dev publishing tool referenced in scripts/config only, not a runtime import.	ai	2026/04/29
phantom-deps	phantom-dep:axios-mock-adapter	AI (phantom-deps): Test mock adapter; referenced in test config, not a runtime import.	ai	2026/04/29
phantom-deps	phantom-dep:formik	AI (phantom-deps): Form library referenced in config/test context; stable false positive for this package.	ai	2026/04/29
phantom-deps	phantom-dep:peer-deps-externals-webpack-plugin	AI (phantom-deps): Build-time webpack plugin; referenced in config, not imported at runtime.	ai	2026/04/29

Versions (showing 6 of 6)

Version	Deps	Published
2.2.6	5 / 5	2026-04-08
2.2.1	5 / 4	2026-02-25
2.2.0	5 / 4	2026-02-16
2.1.1	5 / 4	2026-01-19
1.1.1	5 / 4	2025-12-22
1.0.1	5 / 4	2025-11-25