
@sourceloop/payment-service

payment microservice

Versions: 6
License: MIT
Install Scripts: Yes
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- gitHead linked

Maintainers

samarpan_sfnpm-sourcefusedev-hitesh-guptaakshatdubeysfbarleendhaliwalsfankurb1999yeshasfabir.ganguly

Keywords

loopback-extension, loopback

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
dependencies | unvetted-dep:@paypal/checkout-server-sdk | AI (dependencies): Official PayPal SDK; legitimate for a payment service. | ai |
dependencies | unvetted-dep:@sourceloop/core | AI (dependencies): Sourceloop core package from same org; expected dependency. | ai |
dependencies | unvetted-dep:@loopback/context | AI (dependencies): Core LoopBack framework package; expected dependency for sourceloop services. | ai |
dependencies | unvetted-dep:@loopback/repository | AI (dependencies): Core LoopBack framework package; expected dependency for sourceloop services. | ai |
dependencies | unvetted-dep:loopback4-soft-delete | AI (dependencies): Known LoopBack4 extension; standard in sourceloop ecosystem. | ai |
dependencies | unvetted-dep:@loopback/service-proxy | AI (dependencies): Core LoopBack framework package; expected dependency for sourceloop services. | ai |
dependencies | unvetted-dep:loopback4-authorization | AI (dependencies): Known LoopBack4 extension; standard in sourceloop ecosystem. | ai |
dependencies | unvetted-dep:loopback4-authentication | AI (dependencies): Known LoopBack4 extension; standard in sourceloop ecosystem. | ai |
dependencies | unvetted-dep:handlebars | AI (dependencies): Well-known templating library; legitimate dependency for this payment service. | ai |
dependencies | unvetted-dep:@loopback/boot | AI (dependencies): Core LoopBack framework package; expected dependency for sourceloop services. | ai |
dependencies | unvetted-dep:@loopback/core | AI (dependencies): Core LoopBack framework package; expected dependency for sourceloop services. | ai |
dependencies | unvetted-dep:@loopback/rest | AI (dependencies): Core LoopBack framework package; expected dependency for sourceloop services. | ai |
provenance | no-provenance | AI (provenance): Established monorepo package; lack of provenance is consistent across its 106 published versions. | ai |
phantom-deps | phantom-dep:@loopback/openapi-v3 | AI (phantom-deps): Used indirectly via decorators/metadata in LoopBack framework; stable false positive for this package. | ai |
phantom-deps | phantom-dep:loopback4-soft-delete | AI (phantom-deps): Used via LoopBack decorators/mixins pattern; stable false positive for this package. | ai |
phantom-deps | phantom-dep:dotenv | AI (phantom-deps): dotenv is legitimately declared and used via config files in this service; stable false positive. | ai |
phantom-deps | phantom-dep:@loopback/service-proxy | AI (phantom-deps): Used via LoopBack service binding pattern; stable false positive for this package. | ai |
install-scripts | install-script:postinstall | AI (install-scripts): node migration.js is the documented DB migration pattern for this LoopBack microservice; stable across versions. | ai |
phantom-deps | phantom-dep:@loopback/rest-explorer | AI (phantom-deps): Registered as a LoopBack component, not directly imported; stable false positive. | ai |

Versions (showing 6 of 6)

Version | Deps | Published
19.1.0 | 20 / 13 |
19.0.5 | 20 / 13 |
19.0.4 | 20 / 13 |
19.0.3 | 20 / 13 |
19.0.1 | 21 / 13 |
19.0.0 | 21 / 13 |

v19.1.0

2 findings
HIGH | Package has 'postinstall' script | install-scripts

Script: node migration.js

INFO | Has SLSA provenance attestation | provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v19.0.5

1 finding
INFO | Has SLSA provenance attestation | provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v19.0.4

1 finding
INFO | Has SLSA provenance attestation | provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v19.0.3

1 finding
INFO | Has SLSA provenance attestation | provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v19.0.1

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v19.0.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.