@paypal/messaging-components
4
Versions
—
License
No
Install Scripts
Verified
Provenance
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
gitHead linked
Maintainers
sdk-integrations-npmsiokedpaypal-sdksbraintreeseavenlyjfurmanravishekhar00gregjopamnicptelizabethmvnbierdemanremotevisionrygilbert_paypalrosman21wsbrunsonyanisimov_paypalavathaluringseguindustijonessunnypatelbywoodppeelenizsupremarimbrian-paypalcnallamgabrielg-paypalaugreer8jdutterer
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:new-function-constructor | AI (semgrep): Used only for inline DOM event handler attributes in elements.js; controlled input, not arbitrary user-supplied code. | ai | |
| phantom-deps | phantom-dep:@paypal/sdk-logos | AI (phantom-deps): Same-org PayPal dependency; declared as runtime dep, likely used transitively or in build output. | ai |
Versions (showing 4 of 4)
| Version | Deps | Published |
|---|---|---|
| 1.85.0 | 10 / 50 | |
| 1.84.1 | 10 / 50 | |
| 1.83.0 | 10 / 50 | |
| 1.82.0 | 10 / 50 |
v1.85.0
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.84.1
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.83.0
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.82.0
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.