@goldenhippo/builder-cart-plugin
Builder.io plugin for Golden Hippo commerce brand management
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-removed | AI (maintainer-change): Package publishes via GitHub Actions with SLSA provenance; human maintainer removal reflects CI-only workflow, not a takeover. | ai | |
| dependencies | unvetted-dep:@builder.io/app-context | AI (dependencies): Expected peer dep for a Builder.io plugin; not a supply-chain risk for this package. | ai | |
| dependencies | unvetted-dep:@goldenhippo/builder-ui | AI (dependencies): Same-org sibling package in the GoldenHippo monorepo; stable false positive. | ai | |
| phantom-deps | phantom-dep:tailwindcss | AI (phantom-deps): Build-config reference; standard tailwind toolchain usage. | ai | |
| phantom-deps | phantom-dep:react-cookie | AI (phantom-deps): Build-config reference; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:source-map-loader | AI (phantom-deps): Webpack loader referenced in config; not a direct JS import by design. | ai | |
| phantom-deps | phantom-dep:clsx | AI (phantom-deps): Build-config reference only; normal for webpack/tailwind plugin setup. | ai | |
| phantom-deps | phantom-dep:@builder.io/app-context | AI (phantom-deps): Org dependency referenced in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:@goldenhippo/builder-ui | AI (phantom-deps): Same-org dep used as implicit NX dependency; stable false positive. | ai | |
| phantom-deps | phantom-dep:@goldenhippo/builder-cart-schemas | AI (phantom-deps): Same-org dep used as implicit NX dependency; stable false positive. | ai | |
| phantom-deps | phantom-dep:@tailwindcss/postcss | AI (phantom-deps): PostCSS plugin referenced in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:postcss | AI (phantom-deps): Build-config reference only; standard postcss toolchain usage. | ai | |
| phantom-deps | phantom-dep:react-icons | AI (phantom-deps): Build-config reference; stable false positive for this package. | ai | |
Versions (showing 8 of 8)
| Version | Deps | Published |
|---|---|---|
| 0.7.0 | 10 / 17 | |
| 0.6.0 | 10 / 17 | |
| 0.4.1 | 10 / 17 | |
| 0.4.0 | 10 / 17 | |
| 0.3.1 | 10 / 17 | |
| 0.3.0 | 10 / 17 | |
| 0.2.0 | 10 / 17 | |
| 0.1.0 | 10 / 17 | |
Per-version provenance (1 finding each):

v0.7.0, v0.6.0, v0.4.1, v0.4.0, v0.3.1, v0.3.0, v0.2.0: Published via CI/CD with a Sigstore attestation (predicate type: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal the npm registry offers, but it only means something once the attestation is actually verified: the signed subject must match the tarball you installed, and the build must come from the repository and workflow you expect.

v0.1.0: Published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. Note that the maintainer-removal acceptance above rests on the CI-only publishing story, which this earliest release predates.
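What "published with a SLSA v1 attestation" has to mean before it counts as evidence, as an added example that is not code from the page or from the package's own repository. The attestation response is constructed here to mirror the shape of the npm registry's `GET /-/npm/v1/attestations/<name>@<version>` endpoint (a DSSE envelope whose payload is an in-toto Statement); the repository URL, workflow path, tarball bytes and signature bytes are placeholders, not real data for `@goldenhippo/builder-cart-plugin`. The checks cover the statement contents only (predicate type, subject purl and digest, source repository, builder id); verifying the Sigstore signature and certificate chain is left to `npm audit signatures` or the sigstore library.

```python
"""Inspect the contents of an npm SLSA v1 provenance attestation.

Added example; not the page's or the project's code. The sample
registry response is constructed and uses placeholder values.
Signature verification of the Sigstore bundle is out of scope.
"""
import base64
import hashlib
import json

SLSA_V1 = "https://slsa.dev/provenance/v1"
NPM_PUBLISH_V01 = "https://github.com/npm/attestation/tree/main/specs/publish/v0.1"
STATEMENT_V1 = "https://in-toto.io/Statement/v1"


def purl(name: str, version: str) -> str:
    # npm provenance subjects are package URLs; the scope's '@' is percent-encoded.
    return f"pkg:npm/{name.replace('@', '%40')}@{version}"


def _envelope(statement: dict) -> dict:
    # Constructed DSSE envelope; the signature is a placeholder, not a real one.
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": "application/vnd.in-toto+json", "payload": payload,
            "signatures": [{"sig": "cGxhY2Vob2xkZXI="}]}


def sample_attestations(name, version, tarball, repo, predicate_type=SLSA_V1):
    """Constructed registry-style response: one provenance + one publish attestation."""
    digest = {"sha512": hashlib.sha512(tarball).hexdigest()}
    subject = [{"name": purl(name, version), "digest": digest}]
    provenance = {
        "_type": STATEMENT_V1, "subject": subject, "predicateType": predicate_type,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
                "externalParameters": {"workflow": {
                    "ref": f"refs/tags/v{version}", "repository": repo,
                    "path": ".github/workflows/publish.yml"}},  # placeholder path
            },
            "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}},
        },
    }
    publish = {
        "_type": STATEMENT_V1, "subject": subject, "predicateType": NPM_PUBLISH_V01,
        "predicate": {"name": name, "version": version, "registry": "https://registry.npmjs.org"},
    }
    return {"attestations": [
        {"predicateType": predicate_type, "bundle": {"dsseEnvelope": _envelope(provenance)}},
        {"predicateType": NPM_PUBLISH_V01, "bundle": {"dsseEnvelope": _envelope(publish)}},
    ]}


def decode_statement(attestation: dict) -> dict:
    """Decode the DSSE payload into the in-toto Statement it carries."""
    return json.loads(base64.b64decode(attestation["bundle"]["dsseEnvelope"]["payload"]))


def check_provenance(response, name, version, tarball, expected_repo):
    """Return a list of problems; an empty list means the statement is consistent
    with the tarball and the expected source. Does NOT verify the signature."""
    prov = [a for a in response.get("attestations", []) if a.get("predicateType") == SLSA_V1]
    if not prov:
        return ["no SLSA v1 provenance attestation for this version"]
    problems = []
    stmt = decode_statement(prov[0])
    if stmt.get("_type") != STATEMENT_V1 or stmt.get("predicateType") != SLSA_V1:
        problems.append("statement type or predicateType does not match the attestation header")
    want = purl(name, version)
    sha = hashlib.sha512(tarball).hexdigest()
    subjects = stmt.get("subject", [])
    if not any(s.get("name") == want for s in subjects):
        problems.append(f"no subject named {want}")
    if not any(s.get("digest", {}).get("sha512") == sha for s in subjects):
        problems.append("subject digest does not match the downloaded tarball")
    pred = stmt.get("predicate", {})
    workflow = pred.get("buildDefinition", {}).get("externalParameters", {}).get("workflow", {})
    if workflow.get("repository") != expected_repo:
        problems.append(f"built from {workflow.get('repository')!r}, expected {expected_repo!r}")
    builder = pred.get("runDetails", {}).get("builder", {}).get("id", "")
    if not builder.startswith("https://github.com/actions/runner/"):
        problems.append(f"unexpected builder id {builder!r}")
    return problems


if __name__ == "__main__":
    NAME = "@goldenhippo/builder-cart-plugin"
    REPO = "https://github.com/example-org/example-monorepo"  # placeholder, not the real repo
    TARBALL = b"constructed tarball bytes"                   # stands in for the .tgz you installed
    resp = sample_attestations(NAME, "0.7.0", TARBALL, REPO)
    print("0.7.0 consistent:", check_provenance(resp, NAME, "0.7.0", TARBALL, REPO) == [])
    print("tampered tarball:", check_provenance(resp, NAME, "0.7.0", b"tampered", REPO))
```

The digest comparison is the step a dashboard badge skips: an attestation that names a different tarball, a different version, or a different repository is still "published with provenance" but says nothing about the artifact you are about to run.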