@salesforce/lds-runtime-webruntime
LDS engine for Webruntime runtime
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@luvio/command-sse | AI (phantom-deps): Luvio internal dep referenced in config files; stable pattern for this Salesforce package. | ai | |
| phantom-deps | phantom-dep:@luvio/command-http-normalized-cache-control | AI (phantom-deps): Luvio internal dep referenced in config files; stable pattern for this Salesforce package. | ai | |
| phantom-deps | phantom-dep:@luvio/command-aura-normalized-cache-control | AI (phantom-deps): Luvio internal dep referenced in config files; stable pattern for this Salesforce package. | ai | |
| phantom-deps | phantom-dep:@luvio/command-aura-resource-cache-control | AI (phantom-deps): Luvio internal dep referenced in config files; stable pattern for this Salesforce package. | ai | |
| phantom-deps | phantom-dep:@luvio/service-cache-inclusion-policy | AI (phantom-deps): Luvio internal dep referenced in config files; stable pattern for this Salesforce package. | ai | |
| phantom-deps | phantom-dep:@luvio/service-instrument-command | AI (phantom-deps): Luvio internal dep referenced in config files; stable pattern for this Salesforce package. | ai | |
| phantom-deps | phantom-dep:@luvio/service-cache-control | AI (phantom-deps): Luvio internal dep referenced in config files; stable pattern for this Salesforce package. | ai | |
| phantom-deps | phantom-dep:@luvio/command-fetch-network | AI (phantom-deps): Luvio internal dep referenced in config files; stable pattern for this Salesforce package. | ai | |
| phantom-deps | phantom-dep:@luvio/service-aura-network | AI (phantom-deps): Luvio internal dep referenced in config files; stable pattern for this Salesforce package. | ai | |
| phantom-deps | phantom-dep:@luvio/command-aura-network | AI (phantom-deps): Luvio internal dep referenced in config files; stable pattern for this Salesforce package. | ai | |
| phantom-deps | phantom-dep:@luvio/command-streaming | AI (phantom-deps): Luvio internal dep referenced in config files; stable pattern for this Salesforce package. | ai | |
| phantom-deps | phantom-dep:@luvio/command-network | AI (phantom-deps): Luvio internal dep referenced in config files; stable pattern for this Salesforce package. | ai | |
| phantom-deps | phantom-dep:@luvio/service-pubsub | AI (phantom-deps): Luvio internal dep referenced in config files; stable pattern for this Salesforce package. | ai | |
| phantom-deps | phantom-dep:@luvio/command-ndjson | AI (phantom-deps): Luvio internal dep referenced in config files; stable pattern for this Salesforce package. | ai | |
| phantom-deps | phantom-dep:@luvio/service-store | AI (phantom-deps): Luvio internal dep referenced in config files; stable pattern for this Salesforce package. | ai | |
| phantom-deps | phantom-dep:@luvio/service-cache | AI (phantom-deps): Luvio internal dep referenced in config files; stable pattern for this Salesforce package. | ai | |
| phantom-deps | phantom-dep:@conduit-client/service-cache-inclusion-policy | AI (phantom-deps): Config-only reference pattern consistent with this package's conduit-client dependency group. | ai | |
| phantom-deps | phantom-dep:@conduit-client/command-aura-resource-cache-control | AI (phantom-deps): Config-only reference; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@conduit-client/command-aura-normalized-cache-control | AI (phantom-deps): Config-only reference; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@conduit-client/command-http-normalized-cache-control | AI (phantom-deps): Config-only reference; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@conduit-client/command-sse | AI (phantom-deps): Config-referenced platform dep in Salesforce LDS ecosystem; stable pattern across versions. | ai | |
| phantom-deps | phantom-dep:@conduit-client/service-store | AI (phantom-deps): Config-referenced platform dep; stable pattern. | ai | |
| phantom-deps | phantom-dep:@conduit-client/service-cache | AI (phantom-deps): Config-referenced platform dep; stable pattern. | ai | |
| phantom-deps | phantom-dep:@luvio/network-adapter-fetch | AI (phantom-deps): Config-referenced dep; consistent with this package's build pattern. | ai | |
| phantom-deps | phantom-dep:@conduit-client/service-cache-control | AI (phantom-deps): Config-referenced platform dep; stable pattern. | ai | |
| phantom-deps | phantom-dep:@conduit-client/command-fetch-network | AI (phantom-deps): Config-referenced platform dep; stable pattern. | ai | |
| phantom-deps | phantom-dep:@conduit-client/service-bindings-lwc | AI (phantom-deps): Platform-specific binary dep; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@conduit-client/service-aura-network | AI (phantom-deps): Config-referenced platform dep; stable pattern. | ai | |
| phantom-deps | phantom-dep:@conduit-client/command-aura-network | AI (phantom-deps): Config-referenced platform dep; stable pattern. | ai | |
| phantom-deps | phantom-dep:@salesforce/lds-adapters-uiapi-lex | AI (phantom-deps): Same org scope; config-referenced dep consistent with LDS ecosystem. | ai | |
| phantom-deps | phantom-dep:@luvio/network-adapter-composable | AI (phantom-deps): Config-referenced dep; consistent with this package's build pattern. | ai | |
| phantom-deps | phantom-dep:@conduit-client/command-streaming | AI (phantom-deps): Config-referenced platform dep; stable pattern. | ai | |
| phantom-deps | phantom-dep:@conduit-client/command-network | AI (phantom-deps): Config-referenced platform dep; stable pattern. | ai | |
| phantom-deps | phantom-dep:@conduit-client/service-pubsub | AI (phantom-deps): Config-referenced platform dep; stable pattern. | ai | |
| phantom-deps | phantom-dep:@conduit-client/command-ndjson | AI (phantom-deps): Config-referenced platform dep; stable pattern. | ai | |
| phantom-deps | phantom-dep:@salesforce/lds-luvio-service | AI (phantom-deps): Same org scope; config-referenced dep consistent with LDS ecosystem. | ai | |
| phantom-deps | phantom-dep:@salesforce/lds-default-luvio | AI (phantom-deps): Same org scope; config-referenced dep consistent with LDS ecosystem. | ai | |
| phantom-deps | phantom-dep:@conduit-client/service-instrument-command | AI (phantom-deps): Config-referenced platform dep; stable pattern. | ai | |
| phantom-deps | phantom-dep:@conduit-client/service-bindings-imperative | AI (phantom-deps): Platform-specific binary dep; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@salesforce/lds-luvio-uiapi-records-service | AI (phantom-deps): Same org scope; config-referenced dep consistent with LDS ecosystem. | ai |
Versions (showing 30 of 30)
| Version | Deps | Published |
|---|---|---|
| 1.441.0 | 27 / 3 | |
| 1.440.0 | 27 / 3 | |
| 1.439.0 | 27 / 3 | |
| 1.438.1 | 27 / 3 | |
| 1.438.0 | 27 / 3 | |
| 1.437.0 | 27 / 3 | |
| 1.436.0 | 27 / 3 | |
| 1.435.1 | 27 / 3 | |
| 1.435.0 | 27 / 3 | |
| 1.434.0 | 27 / 3 | |
| 1.433.0 | 27 / 3 | |
| 1.432.0 | 27 / 3 | |
| 1.431.0 | 27 / 3 | |
| 1.430.0 | 27 / 3 | |
| 1.429.0 | 27 / 3 | |
| 1.428.0 | 27 / 3 | |
| 1.427.0 | 27 / 3 | |
| 1.426.1 | 27 / 3 | |
| 1.425.0 | 27 / 3 | |
| 1.424.0 | 27 / 3 | |
| 1.405.0 | 25 / 3 | |
| 1.404.0 | 25 / 3 | |
| 1.403.0 | 25 / 3 | |
| 1.402.0 | 25 / 3 | |
| 1.401.0 | 24 / 3 | |
| 1.400.0 | 24 / 3 | |
| 1.399.0 | 24 / 3 | |
| 1.377.1 | 24 / 3 | |
| 1.375.0 | 22 / 3 | |
| 1.360.0 | 22 / 3 |
v1.441.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.440.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.439.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.438.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.438.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.437.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.436.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.435.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.435.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.434.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.433.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.432.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.431.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.430.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.429.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.428.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.427.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.426.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.425.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.424.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.405.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.404.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.403.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.402.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.401.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.400.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.399.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.377.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.375.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.360.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.