@salesforce/nimbus-plugin-lds
Nimbus plugins for LDS on Mobile native integrations: durable store, networking, and draft queue.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | encoded-string-file:dist/index.js | AI (source-diff): Base64 encodes SQL DDL for a web worker; legitimate pattern for this Salesforce LDS mobile plugin across versions. | ai | |
| provenance | publisher-changed | AI (provenance): lwc-admin is a Salesforce org account with 1566 approved packages; transition from individual to org publisher is expected. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): salesforce-admin addition aligns with Salesforce org-level maintainer consolidation pattern. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Mass removal of individual Salesforce employees consistent with org-level account consolidation, not a takeover. | ai |
Versions (showing 93 of 93)
| Version | Deps | Published |
|---|---|---|
| 1.442.0 | 0 / 7 | |
| 1.441.0 | 0 / 7 | |
| 1.440.0 | 0 / 7 | |
| 1.439.0 | 0 / 7 | |
| 1.438.1 | 0 / 7 | |
| 1.438.0 | 0 / 7 | |
| 1.437.0 | 0 / 7 | |
| 1.436.0 | 0 / 7 | |
| 1.435.1 | 0 / 7 | |
| 1.435.0 | 0 / 7 | |
| 1.434.0 | 0 / 7 | |
| 1.433.0 | 0 / 7 | |
| 1.432.0 | 0 / 7 | |
| 1.431.0 | 0 / 7 | |
| 1.430.0 | 0 / 7 | |
| 1.429.0 | 0 / 7 | |
| 1.428.0 | 0 / 7 | |
| 1.427.0 | 0 / 7 | |
| 1.426.1 | 0 / 7 | |
| 1.425.0 | 0 / 7 | |
| 1.424.0 | 0 / 7 | |
| 1.423.0 | 0 / 7 | |
| 1.422.0 | 0 / 7 | |
| 1.421.1 | 0 / 7 | |
| 1.421.0 | 0 / 7 | |
| 1.420.0 | 0 / 7 | |
| 1.419.0 | 0 / 7 | |
| 1.418.0 | 0 / 7 | |
| 1.417.0 | 0 / 7 | |
| 1.416.1 | 0 / 7 | |
| 1.416.0 | 0 / 7 | |
| 1.415.0 | 0 / 7 | |
| 1.414.1 | 0 / 7 | |
| 1.414.0 | 0 / 7 | |
| 1.413.0 | 0 / 7 | |
| 1.412.1 | 0 / 7 | |
| 1.412.0 | 0 / 7 | |
| 1.411.0 | 0 / 7 | |
| 1.410.1 | 0 / 7 | |
| 1.410.0 | 0 / 7 | |
| 1.409.0 | 0 / 7 | |
| 1.405.0 | 0 / 7 | |
| 1.404.0 | 0 / 7 | |
| 1.403.0 | 0 / 7 | |
| 1.402.0 | 0 / 7 | |
| 1.401.0 | 0 / 7 | |
| 1.400.0 | 0 / 7 | |
| 1.399.0 | 0 / 7 | |
| 1.398.0 | 0 / 7 | |
| 1.397.0 | 0 / 7 | |
| 1.396.0 | 0 / 7 | |
| 1.395.0 | 0 / 7 | |
| 1.394.0 | 0 / 7 | |
| 1.393.0 | 0 / 7 | |
| 1.392.0 | 0 / 7 | |
| 1.391.0 | 0 / 7 | |
| 1.390.0 | 0 / 7 | |
| 1.389.2 | 0 / 7 | |
| 1.389.1 | 0 / 7 | |
| 1.389.0 | 0 / 7 | |
| 1.388.0 | 0 / 7 | |
| 1.387.0 | 0 / 7 | |
| 1.386.0 | 0 / 7 | |
| 1.385.0 | 0 / 7 | |
| 1.384.0 | 0 / 7 | |
| 1.383.0 | 0 / 7 | |
| 1.382.0 | 0 / 7 | |
| 1.381.0 | 0 / 7 | |
| 1.380.0 | 0 / 7 | |
| 1.379.1 | 0 / 7 | |
| 1.379.0 | 0 / 7 | |
| 1.378.0 | 0 / 7 | |
| 1.377.1 | 0 / 7 | |
| 1.377.0 | 0 / 7 | |
| 1.376.0 | 0 / 7 | |
| 1.375.0 | 0 / 7 | |
| 1.374.0 | 0 / 7 | |
| 1.373.0 | 0 / 7 | |
| 1.372.1 | 0 / 7 | |
| 1.372.0 | 0 / 7 | |
| 1.371.0 | 0 / 7 | |
| 1.370.0 | 0 / 7 | |
| 1.369.0 | 0 / 7 | |
| 1.368.0 | 0 / 7 | |
| 1.367.0 | 0 / 7 | |
| 1.366.0 | 0 / 7 | |
| 1.365.0 | 0 / 7 | |
| 1.364.0 | 0 / 7 | |
| 1.363.0 | 0 / 7 | |
| 1.362.0 | 0 / 7 | |
| 1.361.0 | 0 / 7 | |
| 1.360.1 | 0 / 7 | |
| 1.360.0 | 0 / 7 |
v1.442.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.441.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.440.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.439.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.438.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.438.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.437.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.436.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.435.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.435.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.434.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.433.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.432.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.431.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.430.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.429.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.428.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.427.0
2 findingsThis version was published by a different npm account than previous versions on 2026-03-25. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.426.1
2 findingsThis version was published by a different npm account than previous versions on 2026-03-18. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.425.0
2 findingsThis version was published by a different npm account than previous versions on 2026-03-12. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.424.0
2 findingsThis version was published by a different npm account than previous versions on 2026-03-11. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.423.0
2 findingsThis version was published by a different npm account than previous versions on 2026-03-04. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.422.0
2 findingsThis version was published by a different npm account than previous versions on 2026-03-04. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.421.1
2 findingsThis version was published by a different npm account than previous versions on 2026-02-26. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.421.0
2 findingsThis version was published by a different npm account than previous versions on 2026-02-25. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.420.0
2 findingsThis version was published by a different npm account than previous versions on 2026-02-18. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.419.0
2 findingsThis version was published by a different npm account than previous versions on 2026-02-13. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.418.0
2 findingsThis version was published by a different npm account than previous versions on 2026-02-13. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.417.0
2 findingsThis version was published by a different npm account than previous versions on 2026-02-11. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.416.1
2 findingsThis version was published by a different npm account than previous versions on 2026-02-04. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.416.0
2 findingsThis version was published by a different npm account than previous versions on 2026-02-04. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.415.0
2 findingsThis version was published by a different npm account than previous versions on 2026-01-28. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.414.1
2 findingsThis version was published by a different npm account than previous versions on 2026-01-22. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.414.0
2 findingsThis version was published by a different npm account than previous versions on 2026-01-22. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.413.0
2 findingsThis version was published by a different npm account than previous versions on 2026-01-14. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.412.1
2 findingsThis version was published by a different npm account than previous versions on 2026-01-08. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.412.0
2 findingsThis version was published by a different npm account than previous versions on 2026-01-07. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.411.0
2 findingsThis version was published by a different npm account than previous versions on 2025-12-26. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.410.1
2 findingsThis version was published by a different npm account than previous versions on 2025-12-19. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.410.0
2 findingsThis version was published by a different npm account than previous versions on 2025-12-18. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.409.0
2 findingsThis version was published by a different npm account than previous versions on 2025-12-15. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.405.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.404.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.403.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.402.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.401.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.400.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.399.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.398.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.397.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.396.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.395.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.394.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.393.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.392.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.391.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.390.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.389.2
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.389.1
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.389.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.388.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.387.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.386.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.385.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.384.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.383.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.382.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.381.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.380.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.379.1
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.379.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.378.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.377.1
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.377.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.376.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.375.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.374.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.373.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.372.1
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.372.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.371.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.370.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.369.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.368.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.367.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.366.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.365.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.364.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.363.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.362.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.361.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.360.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.360.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.