@mercurjs/vendor
Versions: 5
License: —
Install Scripts: No
Provenance: Verified
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
gitHead linked
Maintainers
mercurjs
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | large-new-source-files | AI (source-diff): Frontend dashboard bundle; large dist chunks are expected for this UI-heavy vendor package. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Scoped monorepo package; missing description is cosmetic, not a malware signal here. | ai | |
| dependencies | unvetted-dep:@medusajs/ui | AI (dependencies): Legitimate Medusa UI library; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@medusajs/dashboard | AI (dependencies): Legitimate Medusa dashboard package; expected dependency for this vendor UI package. | ai | |
| dependencies | unvetted-dep:@uiw/react-json-view | AI (dependencies): Known open-source React JSON viewer; alpha version is expected for this library. | ai | |
| phantom-deps | phantom-dep:@medusajs/admin-shared | AI (phantom-deps): Config-referenced dep; stable false positive for this bundled package. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-dialog | AI (phantom-deps): Config-referenced dep; stable false positive for this bundled package. | ai | |
| phantom-deps | phantom-dep:qs | AI (phantom-deps): Config-referenced dep in a bundled package; stable false positive for this monorepo package. | ai | |
| phantom-deps | phantom-dep:i18next-browser-languagedetector | AI (phantom-deps): Config-referenced i18n dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-dismissable-layer | AI (phantom-deps): Config-referenced dep; stable false positive for this bundled package. | ai | |
| phantom-deps | phantom-dep:@mercurjs/dashboard-shared | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@babel/runtime | AI (phantom-deps): Framework-scoped, loaded by convention in transpiled output; stable false positive. | ai | |
| phantom-deps | phantom-dep:copy-to-clipboard | AI (phantom-deps): Config-referenced dep; stable false positive for this bundled package. | ai | |
| phantom-deps | phantom-dep:@medusajs/dashboard | AI (phantom-deps): Config-referenced dep in monorepo build; stable false positive. | ai | |
| phantom-deps | phantom-dep:i18next-http-backend | AI (phantom-deps): Config-referenced i18n dep; stable false positive for this package. | ai | |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 2.1.2 | 39 / 12 | |
| 2.1.1 | 39 / 12 | |
| 2.1.0 | 39 / 12 | |
| 2.0.2 | 39 / 12 | |
| 2.0.1 | 39 / 12 | |
v2.1.2
1 finding
INFO (provenance): Has SLSA provenance attestation. Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1.0
1 finding
INFO (provenance): Has SLSA provenance attestation. Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.2
1 finding
INFO (provenance): Has SLSA provenance attestation. Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.1
1 finding
INFO (provenance): Has SLSA provenance attestation. Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.