@salesforce/lds-runtime-aura
LDS engine for Aura runtime
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): lwc-admin is a Salesforce org admin account with 2224 approved packages; publisher consolidation pattern, not a takeover. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): salesforce-admin addition aligns with org-level account consolidation observed across Salesforce packages. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Large Salesforce org package; periodic maintainer list pruning is expected and no new/unknown maintainers were added. | ai | |
| dependencies | unvetted-dep:@luvio/command-aura-normalized-cache-control | AI (dependencies): Stable @luvio/* ecosystem dep; consistent pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@luvio/command-aura-resource-cache-control | AI (dependencies): Stable @luvio/* ecosystem dep; consistent pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@luvio/service-cache-inclusion-policy | AI (dependencies): Stable @luvio/* ecosystem dep; consistent pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@luvio/service-instrument-command | AI (dependencies): Stable @luvio/* ecosystem dep; consistent pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@luvio/service-fetch-network | AI (dependencies): Stable @luvio/* ecosystem dep; consistent pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@luvio/service-feature-flags | AI (dependencies): Newly added dep but same @luvio/* pattern; pinned to matching version. | ai | |
| dependencies | unvetted-dep:@luvio/service-cache-control | AI (dependencies): Stable @luvio/* ecosystem dep; consistent pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@luvio/command-fetch-network | AI (dependencies): Stable @luvio/* ecosystem dep; consistent pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@luvio/service-aura-network | AI (dependencies): Stable @luvio/* ecosystem dep; consistent pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@luvio/command-streaming | AI (dependencies): Stable @luvio/* ecosystem dep; consistent pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@luvio/command-network | AI (dependencies): Stable @luvio/* ecosystem dep; consistent pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@luvio/service-pubsub | AI (dependencies): Stable @luvio/* ecosystem dep; consistent pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@luvio/command-ndjson | AI (dependencies): Stable @luvio/* ecosystem dep; consistent pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@luvio/service-store | AI (dependencies): Stable @luvio/* ecosystem dep; consistent pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@luvio/service-cache | AI (dependencies): Stable @luvio/* ecosystem dep; consistent pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@luvio/command-sse | AI (dependencies): Stable @luvio/* ecosystem dep; consistent pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@luvio/utils | AI (dependencies): Stable @luvio/* ecosystem dep pinned to matching version; consistent pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@luvio/command-aura-network | AI (dependencies): Stable @luvio/* ecosystem dep; consistent pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@luvio/command-aura-graphql-normalized-cache-control | AI (dependencies): Stable @luvio/* ecosystem dep; consistent pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@luvio/command-http-normalized-cache-control | AI (dependencies): Stable @luvio/* ecosystem dep; consistent pattern across all versions of this package. | ai | |
| phantom-deps | phantom-dep:@luvio/command-http-graphql-normalized-cache-control | AI (phantom-deps): Config-referenced plugin dep; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@luvio/command-aura-graphql-normalized-cache-control | AI (phantom-deps): Config-referenced plugin dep; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@luvio/service-cache-control | AI (phantom-deps): Bundler-resolved @luvio/* dep; stable pattern for this rollup-built package. | ai | |
| phantom-deps | phantom-dep:@luvio/command-sse | AI (phantom-deps): Bundler-resolved @luvio/* dep; stable pattern for this rollup-built package. | ai | |
| phantom-deps | phantom-dep:@luvio/service-cache | AI (phantom-deps): Bundler-resolved @luvio/* dep; stable pattern for this rollup-built package. | ai | |
| phantom-deps | phantom-dep:@luvio/service-store | AI (phantom-deps): Bundler-resolved @luvio/* dep; stable pattern for this rollup-built package. | ai | |
| phantom-deps | phantom-dep:@luvio/command-ndjson | AI (phantom-deps): Bundler-resolved @luvio/* dep; stable pattern for this rollup-built package. | ai | |
| phantom-deps | phantom-dep:@luvio/service-pubsub | AI (phantom-deps): Bundler-resolved @luvio/* dep; stable pattern for this rollup-built package. | ai | |
| phantom-deps | phantom-dep:@luvio/command-network | AI (phantom-deps): Bundler-resolved @luvio/* dep; stable pattern for this rollup-built package. | ai | |
| phantom-deps | phantom-dep:@luvio/command-streaming | AI (phantom-deps): Bundler-resolved @luvio/* dep; stable pattern for this rollup-built package. | ai | |
| phantom-deps | phantom-dep:@luvio/command-aura-network | AI (phantom-deps): Bundler-resolved @luvio/* dep; stable pattern for this rollup-built package. | ai | |
| phantom-deps | phantom-dep:@luvio/service-aura-network | AI (phantom-deps): Bundler-resolved @luvio/* dep; stable pattern for this rollup-built package. | ai | |
| phantom-deps | phantom-dep:@luvio/command-fetch-network | AI (phantom-deps): Bundler-resolved @luvio/* dep; stable pattern for this rollup-built package. | ai | |
| phantom-deps | phantom-dep:@luvio/service-instrument-command | AI (phantom-deps): Bundler-resolved @luvio/* dep; stable pattern for this rollup-built package. | ai | |
| phantom-deps | phantom-dep:@luvio/service-cache-inclusion-policy | AI (phantom-deps): Bundler-resolved @luvio/* dep; stable pattern for this rollup-built package. | ai | |
| phantom-deps | phantom-dep:@luvio/command-aura-resource-cache-control | AI (phantom-deps): Bundler-resolved @luvio/* dep; stable pattern for this rollup-built package. | ai | |
| phantom-deps | phantom-dep:@luvio/command-aura-normalized-cache-control | AI (phantom-deps): Bundler-resolved @luvio/* dep; stable pattern for this rollup-built package. | ai | |
| phantom-deps | phantom-dep:@luvio/command-http-normalized-cache-control | AI (phantom-deps): Bundler-resolved @luvio/* dep; stable pattern for this rollup-built package. | ai | |
| phantom-deps | phantom-dep:@conduit-client/service-cache-inclusion-policy | AI (phantom-deps): Config-file-only reference; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@conduit-client/command-aura-normalized-cache-control | AI (phantom-deps): Config-file-only reference; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@conduit-client/command-http-normalized-cache-control | AI (phantom-deps): Config-file-only reference; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@conduit-client/command-aura-graphql-normalized-cache-control | AI (phantom-deps): Config-file-only reference; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@conduit-client/command-http-graphql-normalized-cache-control | AI (phantom-deps): Config-file-only reference; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:@salesforce/lds-adapters-uiapi-lex | AI (dependencies): Same @salesforce org scope; part of the LDS monorepo. | ai | |
| dependencies | unvetted-dep:@salesforce/lds-luvio-service | AI (dependencies): Same @salesforce org scope; part of the LDS monorepo. | ai | |
| dependencies | unvetted-dep:@lwc/state | AI (dependencies): LWC ecosystem dep from Salesforce; consistent with this package's purpose. | ai | |
| dependencies | unvetted-dep:@luvio/network-adapter-composable | AI (dependencies): Luvio ecosystem dep; consistent with Salesforce LDS runtime. | ai | |
| dependencies | unvetted-dep:@salesforce/lds-adapters-onestore-graphql | AI (dependencies): Same @salesforce org scope; part of the LDS monorepo. | ai | |
| dependencies | unvetted-dep:@salesforce/lds-luvio-uiapi-records-service | AI (dependencies): Same @salesforce org scope; part of the LDS monorepo. | ai | |
| phantom-deps | phantom-dep:@conduit-client/service-cache | AI (phantom-deps): Config-file-only reference in Salesforce LDS runtime; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@conduit-client/service-bindings-imperative | AI (phantom-deps): Platform-specific binary dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@conduit-client/service-instrument-command | AI (phantom-deps): Conduit client dep; stable false positive for this package's build pattern. | ai | |
| phantom-deps | phantom-dep:@salesforce/lds-adapters-onestore-graphql | AI (phantom-deps): Same-org Salesforce dep; phantom-dep heuristic is a false positive here. | ai | |
| phantom-deps | phantom-dep:@conduit-client/service-feature-flags | AI (phantom-deps): Conduit client dep; stable false positive for this package's build pattern. | ai | |
| phantom-deps | phantom-dep:@conduit-client/service-cache-control | AI (phantom-deps): Conduit client dep; stable false positive for this package's build pattern. | ai | |
| phantom-deps | phantom-dep:@conduit-client/command-fetch-network | AI (phantom-deps): Conduit client dep; stable false positive for this package's build pattern. | ai | |
| phantom-deps | phantom-dep:@conduit-client/service-aura-network | AI (phantom-deps): Conduit client dep; stable false positive for this package's build pattern. | ai | |
| phantom-deps | phantom-dep:@salesforce/lds-adapters-uiapi-lex | AI (phantom-deps): Same-org Salesforce dep; phantom-dep heuristic is a false positive here. | ai | |
| phantom-deps | phantom-dep:@conduit-client/command-aura-network | AI (phantom-deps): Conduit client dep; stable false positive for this package's build pattern. | ai | |
| phantom-deps | phantom-dep:@luvio/network-adapter-composable | AI (phantom-deps): Luvio adapter dep referenced in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:@conduit-client/command-streaming | AI (phantom-deps): Conduit client dep; stable false positive for this package's build pattern. | ai | |
| phantom-deps | phantom-dep:@conduit-client/command-network | AI (phantom-deps): Conduit client dep; stable false positive for this package's build pattern. | ai | |
| phantom-deps | phantom-dep:@conduit-client/command-sse | AI (phantom-deps): Conduit client deps are declared for bundling/config use in this Salesforce LDS package; stable pattern. | ai | |
| phantom-deps | phantom-dep:@conduit-client/service-pubsub | AI (phantom-deps): Conduit client dep; stable false positive for this package's build pattern. | ai | |
| phantom-deps | phantom-dep:@conduit-client/command-ndjson | AI (phantom-deps): Conduit client dep; stable false positive for this package's build pattern. | ai | |
| phantom-deps | phantom-dep:@salesforce/lds-luvio-service | AI (phantom-deps): Same-org Salesforce dep; phantom-dep heuristic is a false positive here. | ai | |
| phantom-deps | phantom-dep:@conduit-client/service-store | AI (phantom-deps): Conduit client deps declared for config/bundling; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@luvio/network-adapter-fetch | AI (phantom-deps): Luvio adapter deps referenced in config files; consistent with this package's build pattern. | ai | |
| phantom-deps | phantom-dep:@conduit-client/command-aura-resource-cache-control | AI (phantom-deps): Conduit client dep; stable false positive for this package's build pattern. | ai | |
| phantom-deps | phantom-dep:@salesforce/lds-luvio-uiapi-records-service | AI (phantom-deps): Same-org Salesforce dep; phantom-dep heuristic is a false positive here. | ai | |
Versions (showing 34 of 34)
| Version | Deps | Published |
|---|---|---|
| 1.436.0 | 32 / 12 | |
| 1.434.0 | 32 / 11 | |
| 1.433.0 | 32 / 11 | |
| 1.432.0 | 32 / 11 | |
| 1.431.0 | 32 / 11 | |
| 1.430.0 | 32 / 11 | |
| 1.429.0 | 32 / 11 | |
| 1.419.0 | 31 / 11 | |
| 1.418.0 | 31 / 11 | |
| 1.414.1 | 31 / 11 | |
| 1.413.0 | 30 / 11 | |
| 1.412.1 | 30 / 11 | |
| 1.404.0 | 28 / 11 | |
| 1.403.0 | 28 / 11 | |
| 1.399.0 | 28 / 11 | |
| 1.389.2 | 28 / 11 | |
| 1.389.1 | 28 / 11 | |
| 1.386.0 | 28 / 11 | |
| 1.384.0 | 28 / 12 | |
| 1.381.0 | 27 / 12 | |
| 1.379.1 | 27 / 12 | |
| 1.376.0 | 25 / 12 | |
| 1.374.0 | 25 / 12 | |
| 1.371.0 | 21 / 12 | |
| 1.370.0 | 21 / 12 | |
| 1.368.0 | 21 / 12 | |
| 1.367.0 | 21 / 12 | |
| 1.366.0 | 21 / 12 | |
| 1.365.0 | 21 / 12 | |
| 1.364.0 | 21 / 12 | |
| 1.362.0 | 21 / 12 | |
| 1.361.0 | 21 / 12 | |
| 1.360.1 | 21 / 12 | |
| 1.360.0 | 21 / 12 | |
v1.436.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.434.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.433.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.432.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.431.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.430.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.429.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.419.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.418.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.414.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.413.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.412.1
2 findings: This version was published by a different npm account than previous versions on 2026-01-08. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.404.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.403.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.399.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.389.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.389.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.386.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.384.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.381.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.379.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.376.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.374.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.371.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.370.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.368.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.367.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.366.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.365.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.364.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.362.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.361.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.360.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.360.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.