@salesforce/retail-react-app
:loudspeaker: Hey there, Salesforce Commerce Cloud community!
Versions: 3
License: See license in LICENSE
Install Scripts: Yes
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
- No SLSA provenance
- npm registry signatures
- gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
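The three signals above come from the registry metadata for a version. The block below is an added example (not the scanner's or the project's code) that derives them from the JSON that `npm view <pkg>@<version> --json` returns and states what each one does and does not prove. The packument is constructed to mirror the reported state (registry signatures present, gitHead recorded, no attestations); the integrity, key id, signature and commit values are placeholders, not real registry data.

```javascript
// Added example, not the scanner's or the project's code: derive the three
// provenance signals from `npm view <pkg>@<version> --json` output.
// Constructed packument: registry signatures present, gitHead recorded,
// no `dist.attestations` entry. All hashes and signatures are placeholders.
const samplePackument = {
  name: "@salesforce/retail-react-app",
  version: "10.0.1",
  // npm writes the publisher's local HEAD here; the registry does not verify it.
  gitHead: "0123456789abcdef0123456789abcdef01234567", // constructed value
  dist: {
    integrity: "sha512-constructed-placeholder",
    // The registry signs every tarball it serves, provenance or not.
    signatures: [{ keyid: "SHA256:constructed-placeholder", sig: "constructed-placeholder" }],
    // A provenance-enabled publish would add:
    // attestations: { url: "<registry attestation url>",
    //                 provenance: { predicateType: "https://slsa.dev/provenance/v1" } }
  },
};

// SLSA provenance predicate types: https://slsa.dev/provenance/v0.2, .../v1
const SLSA_PREDICATE = /^https:\/\/slsa\.dev\/provenance\/v[0-9.]+$/;

function provenanceStatus(pkg) {
  const dist = pkg.dist || {};
  const att = dist.attestations;
  return {
    // A SLSA attestation ties the tarball to a source commit and build workflow.
    slsaProvenance: Boolean(
      att && att.provenance && SLSA_PREDICATE.test(String(att.provenance.predicateType)),
    ),
    // Registry signatures prove only that the registry served the bytes unmodified.
    registrySignatures: Array.isArray(dist.signatures) && dist.signatures.length > 0,
    // gitHead is a self-reported 40-hex commit id, unverified by anyone.
    gitHeadLinked: typeof pkg.gitHead === "string" && /^[0-9a-f]{40}$/.test(pkg.gitHead),
  };
}

// Turn the signals into the statements a reviewer should actually rely on.
function interpret(status) {
  const notes = [];
  if (status.slsaProvenance) {
    notes.push("SLSA provenance present: a signed attestation names source repo, commit and build; verify with `npm audit signatures`.");
  } else {
    notes.push("No SLSA provenance: nothing cryptographically links this tarball to a public source commit or build.");
  }
  if (status.registrySignatures) {
    notes.push("Registry signatures prove the registry served the tarball unmodified, not where or from what it was built.");
  }
  if (status.gitHeadLinked) {
    notes.push("gitHead is self-reported by the publishing client and unverified; treat it as a hint, not a link.");
  }
  return notes;
}

const status = provenanceStatus(samplePackument);
console.log(status, interpret(status));
```

To run it against the real version, save `npm view @salesforce/retail-react-app@10.0.1 --json` to a file and pass the parsed object to `provenanceStatus`; `npm audit signatures` in a project that depends on the package performs the actual cryptographic verification of both registry signatures and any attestations.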
Maintainers
- ire-npm-team-user
- jimjag
- salesforce-releases
- jasonschroeder-sfdc
- mobify
- lwc-admin
- salesforce-admin
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| bogus-package | bogus-package | AI (bogus-package): Established Salesforce org package; missing repo/keywords are cosmetic, not spam indicators. | ai | |
| phantom-deps | phantom-dep:@formatjs/cli | AI (phantom-deps): Used in translation scripts; config-only usage. | ai | |
| phantom-deps | phantom-dep:@testing-library/dom | AI (phantom-deps): Framework-scoped testing dep loaded by convention. | ai | |
| phantom-deps | phantom-dep:babel-plugin-module-resolver | AI (phantom-deps): Babel config dep; referenced in config files, not direct imports. | ai | |
| phantom-deps | phantom-dep:@salesforce/storefront-next-runtime | AI (phantom-deps): Same-org Salesforce dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:full-icu | AI (phantom-deps): Referenced in start script via NODE_ICU_DATA; config-only usage, not a real phantom dep. | ai | |
| phantom-deps | phantom-dep:@lhci/cli | AI (phantom-deps): Used in test:lighthouse script; tooling dep, not a phantom dep risk. | ai | |
| phantom-deps | phantom-dep:cross-env | AI (phantom-deps): Used in npm scripts; config-only, stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): Peer/runtime dep for React app template; referenced in overrides and runtime code. | ai | |
| phantom-deps | phantom-dep:jwt-decode | AI (phantom-deps): Declared runtime dep; heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:bundlesize2 | AI (phantom-deps): Used in test:max-file-size script; tooling dep. | ai | |
| phantom-deps | phantom-dep:randomstring | AI (phantom-deps): Declared runtime dep; heuristic false positive. | ai | |
| phantom-deps | phantom-dep:framer-motion | AI (phantom-deps): Declared runtime dep; heuristic false positive for this UI package. | ai | |
| phantom-deps | phantom-dep:@emotion/react | AI (phantom-deps): Chakra UI peer dep; loaded by convention, stable false positive. | ai | |
| phantom-deps | phantom-dep:jest-fetch-mock | AI (phantom-deps): Test tooling dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@chakra-ui/icons | AI (phantom-deps): UI component dep; heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@chakra-ui/system | AI (phantom-deps): Chakra UI system dep; loaded by convention. | ai | |
| phantom-deps | phantom-dep:base64-arraybuffer | AI (phantom-deps): Declared runtime dep; heuristic false positive. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used in local translation compile scripts, not in runtime code or install hooks. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): env-spread is in a test file (locale.test.js) to save/restore env state — standard test pattern, not a data exfiltration risk. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Postinstall compiles translation files locally; no network fetch or arbitrary code execution. | ai | |
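Most accepted rows above are the phantom-dep heuristic firing on dependencies that are referenced in npm scripts or config files rather than imported from source, and the last row is a postinstall hook that runs code at install time. The block below is an added example (not the scanner's or the project's code) that performs both checks on a package.json before installing: it lists lifecycle hooks with their commands, and classifies each declared dependency as imported, script-referenced, config-referenced, or unreferenced, which is the refinement that turns the raw heuristic's hits into the false positives recorded above. The manifest, import list, config references and bin-to-package map are all constructed for the example; the script names echo the ones mentioned in the table but the commands are assumed.

```javascript
// Added example, not the scanner's or the project's code. Inputs below are
// constructed; they are not the real @salesforce/retail-react-app manifest.
const samplePackageJson = {
  name: "example-storefront",
  scripts: {
    start: "cross-env NODE_ICU_DATA=node_modules/full-icu node scripts/start.js",
    "test:lighthouse": "lhci autorun",
    "test:max-file-size": "bundlesize2",
    postinstall: "node ./scripts/translations/compile-translations.js",
  },
  dependencies: {
    "jwt-decode": "^3.1.2",
    "cross-env": "^7.0.3",
    "full-icu": "^1.4.0",
    "@lhci/cli": "^0.12.0",
    bundlesize2: "^0.0.31",
    "left-pad": "^1.3.0", // constructed: declared but used nowhere
  },
  devDependencies: { "babel-plugin-module-resolver": "^5.0.0" },
};

// Constructed: import specifiers a source scanner would collect from src/.
const sourceImports = new Set(["react", "jwt-decode", "@chakra-ui/react"]);
// Constructed: package names found in config files (e.g. babel.config.js plugins).
const configReferences = new Set(["babel-plugin-module-resolver"]);
// Assumption: hand-maintained map from a CLI bin name to the package that ships it.
const BIN_TO_PACKAGE = { lhci: "@lhci/cli" };

// npm lifecycle scripts that run during install/publish without an explicit `npm run`.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare",
  "prepublish", "prepublishOnly", "prepack", "postpack"];

// Report every lifecycle hook; an accepted hook is still code that runs on install.
function lifecycleHooks(pkg) {
  const scripts = pkg.scripts || {};
  return LIFECYCLE_HOOKS.filter((h) => h in scripts).map((name) => ({
    name,
    command: scripts[name],
    // Crude textual indicator only; a reviewer must still read the invoked file.
    reachesNetwork: /\b(curl|wget|https?:\/\/|fetch\()/i.test(scripts[name]),
  }));
}

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// True when any npm script invokes the package by name, by bin, or via node_modules/<name>.
function referencedInScripts(name, scripts) {
  const bins = Object.entries(BIN_TO_PACKAGE).filter(([, p]) => p === name).map(([b]) => b);
  const needles = [name, ...bins].map(
    (n) => new RegExp(`(^|[\\s=/"'])${escapeRe(n)}($|[\\s/"'])`),
  );
  return Object.values(scripts).some((cmd) => needles.some((re) => re.test(cmd)));
}

// The bare heuristic flags everything not "imported"; the refined answer is "unreferenced".
function classifyDependencies(pkg, imports, configRefs) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const result = {};
  for (const name of Object.keys(declared)) {
    if (imports.has(name)) result[name] = "imported";
    else if (referencedInScripts(name, pkg.scripts || {})) result[name] = "script";
    else if (configRefs.has(name)) result[name] = "config";
    else result[name] = "unreferenced";
  }
  return result;
}

console.log(lifecycleHooks(samplePackageJson));
console.log(classifyDependencies(samplePackageJson, sourceImports, configReferences));
```

Run it on the extracted tarball's package.json (`npm pack <pkg>@<version>` then unpack) rather than on the repository's copy, since the tarball is what installs. A reported postinstall is the cue to read the invoked file and, if it is not needed in your environment, to install with `npm install --ignore-scripts`.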
v10.0.1
1 finding
LOW, provenance: No provenance attestation
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance in their CI/CD publish step.
v10.0.0
1 finding
LOW, provenance: No provenance attestation
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance in their CI/CD publish step.