@salesforce/plugin-settings
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source; the axios compromise (March 2026) relied on exactly this gap. This package does carry Salesforce's own signing metadata (sfdx publicKeyUrl/signatureUrl in package.json, see the accepted risks below). That detached signature shows the publisher holds Salesforce's signing key, but it does not bind the tarball to a specific source commit, build workflow or transparency-log entry the way Sigstore provenance does, so the no-provenance finding still applies.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): Salesforce-releases is a high-trust publisher with 1132 approved packages; dormancy likely reflects release cadence changes in the Salesforce CLI ecosystem, not account takeover. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Salesforce org consolidation pattern — individual dev accounts replaced by salesforce-admin; publisher salesforce-releases has strong track record and package has code-signing metadata. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Mass removal of individual Salesforce developer accounts consistent with org-level consolidation, not a hostile takeover. Package metadata and signing URLs confirm Salesforce ownership. | ai | |
| provenance | no-provenance | AI (provenance): Salesforce uses their own signing infrastructure (sfdx publicKeyUrl/signatureUrl in package.json); lack of Sigstore provenance is expected and stable for this package. | ai | |
| dependencies | unvetted-dep:fast-levenshtein | AI (dependencies): fast-levenshtein is a well-known, widely-used string distance library with no known security issues; its use in a CLI plugin is legitimate and stable. | ai | |
Versions (showing 34 of 34)
| Version | Deps | Published |
|---|---|---|
| 2.4.83 | 4 / 12 | |
| 2.4.82 | 4 / 12 | |
| 2.4.80 | 4 / 12 | |
| 2.4.79 | 4 / 12 | |
| 2.4.78 | 4 / 12 | |
| 2.4.75 | 4 / 12 | |
| 2.4.74 | 4 / 12 | |
| 2.4.71 | 4 / 12 | |
| 2.4.67 | 4 / 12 | |
| 2.4.66 | 4 / 12 | |
| 2.4.63 | 4 / 12 | |
| 2.4.57 | 4 / 12 | |
| 2.4.54 | 4 / 12 | |
| 2.4.53 | 4 / 12 | |
| 2.4.51 | 4 / 12 | |
| 2.4.47 | 4 / 12 | |
| 2.4.46 | 4 / 12 | |
| 2.4.45 | 4 / 12 | |
| 2.4.44 | 4 / 12 | |
| 2.4.43 | 4 / 12 | |
| 2.4.42 | 4 / 12 | |
| 2.4.41 | 4 / 12 | |
| 2.4.40 | 4 / 12 | |
| 2.4.39 | 4 / 12 | |
| 2.4.38 | 4 / 12 | |
| 2.4.37 | 4 / 12 | |
| 2.4.35 | 4 / 12 | |
| 2.4.34 | 4 / 12 | |
| 2.4.33 | 4 / 12 | |
| 2.4.32 | 4 / 12 | |
| 2.4.31 | 4 / 12 | |
| 2.4.30 | 4 / 12 | |
| 2.4.29 | 4 / 12 | |
| 2.4.25 | 4 / 12 | |
v2.4.83
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.82
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.80
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.79
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.78
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.75
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.74
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.71
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.67
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.66
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.63
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.47
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.46
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.45
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.44
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.43
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.42
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.41
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.40
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.39
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.38
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.37
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.35
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.34
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.33
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.32
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.31
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.30
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.29
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.25
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.