@plone/volto — Greenflagged

Volto

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

agitatortimostollenwerkramonnbebrehaultrobgietemasneridaghmauritsvanreesericofthetpetschkimrtangodavisaglipieronicolli

Keywords

voltoplonereact

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:react-anchor-link-smooth-scroll	AI (dependencies): Long-standing dep in Volto; not newly added in this version.	ai	2026/05/26
dependencies	unvetted-dep:react-select-async-paginate	AI (dependencies): Long-standing dep in Volto; not newly added in this version.	ai	2026/05/26
dependencies	unvetted-dep:redux-localstorage-simple	AI (dependencies): Long-standing dep in Volto; not newly added in this version.	ai	2026/05/26
dependencies	unvetted-dep:react-detect-click-outside	AI (dependencies): Long-standing dep in Volto; not newly added in this version.	ai	2026/05/26
dependencies	unvetted-dep:redux-connect	AI (dependencies): Long-standing dep in Volto; not newly added in this version.	ai	2026/05/26
dependencies	unvetted-dep:react-intl-redux	AI (dependencies): Long-standing dep in Volto; not newly added in this version.	ai	2026/05/26
dependencies	unvetted-dep:promise-file-reader	AI (dependencies): Long-standing dep in Volto; not newly added in this version.	ai	2026/05/26
phantom-deps	phantom-dep:redux-connect	AI (phantom-deps): Stable large framework; config-referenced dep pattern is expected.	ai	2026/05/13
phantom-deps	phantom-dep:dependency-graph	AI (phantom-deps): Stable large framework; config-referenced dep pattern is expected.	ai	2026/05/13
phantom-deps	phantom-dep:slate-hyperscript	AI (phantom-deps): Stable large framework; config-referenced dep pattern is expected.	ai	2026/05/13
phantom-deps	phantom-dep:react-medium-image-zoom	AI (phantom-deps): Stable large framework; config-referenced dep pattern is expected.	ai	2026/05/13
phantom-deps	phantom-dep:react-detect-click-outside	AI (phantom-deps): Stable large framework; config-referenced dep pattern is expected.	ai	2026/05/13
phantom-deps	phantom-dep:react-intersection-observer	AI (phantom-deps): Stable large framework; config-referenced dep pattern is expected.	ai	2026/05/13
phantom-deps	phantom-dep:decorate-component-with-props	AI (phantom-deps): Stable large framework; config-referenced dep pattern is expected.	ai	2026/05/13
phantom-deps	phantom-dep:image-extensions	AI (phantom-deps): Stable large framework; config-referenced dep pattern is expected.	ai	2026/05/13
phantom-deps	phantom-dep:is-url	AI (phantom-deps): Large framework; deps referenced in config/tooling rather than direct imports is expected.	ai	2026/05/13
phantom-deps	phantom-dep:process	AI (phantom-deps): Webpack polyfill declared in package.json; used via config, not direct import.	ai	2026/05/13
phantom-deps	phantom-dep:full-icu	AI (phantom-deps): ICU data package used via NODE_ICU_DATA env var in test scripts, not imported.	ai	2026/05/13
phantom-deps	phantom-dep:is-hotkey	AI (phantom-deps): Stable large framework; config-referenced dep pattern is expected.	ai	2026/05/13
phantom-deps	phantom-dep:linkify-it	AI (phantom-deps): Stable large framework; config-referenced dep pattern is expected.	ai	2026/05/13
phantom-deps	phantom-dep:redux-actions	AI (phantom-deps): Stable large framework; config-referenced dep pattern is expected.	ai	2026/05/13
provenance	no-provenance	AI (provenance): Established Plone Foundation package; lack of Sigstore provenance is common and not a risk signal here.	ai	2026/05/10
semgrep	semgrep:shady-links-raw-ip	AI (semgrep): All raw IPs are 127.0.0.1 localhost references in Cypress test config — not network exfiltration.	ai	2026/04/29
semgrep	semgrep:env-bulk-read	AI (semgrep): Reads process.env only to filter RAZZLE_-prefixed vars for runtime config — expected behavior for this SSR framework.	ai	2026/04/29
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require loads user-supplied jest config path from env var — standard build-tool pattern for this package.	ai	2026/04/29

Versions (showing 5 of 5)

Version	Deps	Published
19.0.0	97 / 108	2026-05-19
18.35.0	96 / 122	2026-05-19
18.34.0	96 / 122	2026-05-13
18.33.1	96 / 122	2026-04-16
18.33.0	96 / 122	2026-04-07

v19.0.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v18.35.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v18.34.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v18.33.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.