@rocket.chat/livechat

Versions: 8
License: MIT
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance | npm registry signatures | gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

rodrigok, sing.li, geekgonecrazy, diegosampaio, gazzo, dgubert, tassoevan, rocketchat-buildmaster, dougfabris

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
| --- | --- | --- | --- | --- |
| provenance | no-provenance | AI (provenance): Established Rocket.Chat org package; lack of provenance is consistent across all versions and poses no security risk here. | ai | |
| dependencies | unvetted-dep:@rocket.chat/ui-kit | AI (dependencies): First-party @rocket.chat scoped package; stable false positive for this org. | ai | |
| dependencies | unvetted-dep:@rocket.chat/random | AI (dependencies): First-party @rocket.chat scoped package; stable false positive for this org. | ai | |
| dependencies | unvetted-dep:@rocket.chat/gazzodown | AI (dependencies): First-party @rocket.chat scoped package; stable false positive for this org. | ai | |
| dependencies | unvetted-dep:preact-router | AI (dependencies): Well-known preact ecosystem router; no malware indicators. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Official Rocket.Chat CI publisher; no material changes from prior version; dormancy reflects release cadence, not takeover. | ai | |
| phantom-deps | phantom-dep:@rocket.chat/message-parser | AI (phantom-deps): Same-org dependency bundled into build output; phantom-dep is a stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@rocket.chat/gazzodown | AI (phantom-deps): Same-org dependency bundled into build output; phantom-dep is a stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:mem | AI (phantom-deps): Utility dep in bundled widget; stable false positive. | ai | |
| phantom-deps | phantom-dep:query-string | AI (phantom-deps): URL utility dep in bundled widget; stable false positive. | ai | |
| phantom-deps | phantom-dep:whatwg-fetch | AI (phantom-deps): Polyfill dep in bundled widget; stable false positive. | ai | |
| phantom-deps | phantom-dep:preact-router | AI (phantom-deps): Router dep in bundled widget; stable false positive. | ai | |
| phantom-deps | phantom-dep:react-i18next | AI (phantom-deps): i18n dep in bundled widget; stable false positive. | ai | |
| phantom-deps | phantom-dep:path-to-regexp | AI (phantom-deps): Routing dep in bundled widget; stable false positive. | ai | |
| phantom-deps | phantom-dep:preact | AI (phantom-deps): Bundled frontend package; preact is a core dep used via webpack bundle, not direct import. | ai | |
| phantom-deps | phantom-dep:css-vars-ponyfill | AI (phantom-deps): CSS polyfill in bundled widget; stable false positive. | ai | |
| phantom-deps | phantom-dep:storybook-dark-mode | AI (phantom-deps): Dev/storybook dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@rocket.chat/random | AI (phantom-deps): Same-org dep in bundled widget; stable false positive. | ai | |
| phantom-deps | phantom-dep:@rocket.chat/ui-kit | AI (phantom-deps): Same-org dep in bundled widget; stable false positive. | ai | |
| phantom-deps | phantom-dep:@rocket.chat/emitter | AI (phantom-deps): Same-org dep in bundled widget; stable false positive. | ai | |
| phantom-deps | phantom-dep:react-hook-form | AI (phantom-deps): Form dep in bundled widget; stable false positive. | ai | |
| phantom-deps | phantom-dep:i18next | AI (phantom-deps): Standard i18n dep in bundled widget; referenced via config/build. | ai | |
| phantom-deps | phantom-dep:date-fns | AI (phantom-deps): Utility dep in bundled widget; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:dompurify | AI (phantom-deps): Security dep in bundled widget; stable false positive. | ai | |
| phantom-deps | phantom-dep:emoji-mart | AI (phantom-deps): UI dep in bundled widget; stable false positive. | ai | |
| phantom-deps | phantom-dep:history | AI (phantom-deps): Router dep in bundled widget; stable false positive. | ai | |
| phantom-deps | phantom-dep:ajv | AI (phantom-deps): Validation dep in bundled widget; stable false positive. | ai | |
| phantom-deps | phantom-dep:ajv-formats | AI (phantom-deps): Validation dep in bundled widget; stable false positive. | ai | |

Versions (showing 8 of 8)

| Version | Deps | Published |
| --- | --- | --- |
| 2.1.3 | 22 / 59 | |
| 2.1.2 | 22 / 59 | |
| 2.1.0 | 22 / 59 | |
| 2.0.6 | 22 / 67 | |
| 2.0.5 | 22 / 67 | |
| 2.0.4 | 22 / 67 | |
| 2.0.3 | 22 / 67 | |
| 2.0.2 | 22 / 67 | |

v2.1.3

1 finding
[LOW] No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.1.2

1 finding
[LOW] No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.1.0

1 finding
[LOW] No provenance attestation (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.6

1 finding
[LOW] No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.5

1 finding
[LOW] No provenance attestation (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.4

1 finding
[LOW] No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.3

1 finding
[LOW] No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.2

1 finding
[LOW] No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.