@saleor/configurator
> Commerce as Code — Define your Saleor store in YAML, sync with your instance
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:xlsx | AI (dependencies): xlsx is a widely-used spreadsheet library; its use in a Saleor configurator CLI is legitimate and expected. | ai | |
| provenance | no-provenance | AI (provenance): Official @saleor scoped package; absence of provenance is common and not indicative of risk here. | ai | |
| phantom-deps | phantom-dep:xlsx | AI (phantom-deps): xlsx is explicitly declared in dependencies; phantom-dep heuristic misfires for this package. | ai | |
| phantom-deps | phantom-dep:commander | AI (phantom-deps): commander is explicitly declared in dependencies; phantom-dep heuristic misfires for this package. | ai | |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 3.23.0 | 15 / 15 | |
| 1.3.0 | 16 / 15 | |
| 1.1.0 | 15 / 15 | |
| 1.0.0 | 15 / 15 | |
| 0.15.0 | 14 / 15 | |
v3.23.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.3.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.15.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.