@vtex/api

Versions: 3
License: —
Install Scripts: No
Provenance: Verified

Supply chain provenance
Status for the latest visible version.
- SLSA provenance attestation
- npm registry signatures
- No source commit

Maintainers: lbebberalcararturpimentelfelippenardialinevillacacaio.oliveiravictorgesguilhermebruzzicmdalbemiagontmedinasalesfelipediegoximenesandreldsajgfidelisvcalasansthiagomurakamimarcoskwkmlurianrogerlucenaarthurepcigorframosgustavorosolemanaluizamtgrafarubimtergolrafabacbivillarbrenoguigsdahervictorhmpmarcosvcpjeymissonnatalia_godottiagonapolir-araripeaugusto.lazarokaisermannericreisathoscoutotlgimenesanitavincentbrunojdofirstdoitaugustobafonsopracaamoreiranandoacoelhokevinchevalliervtexlab-usereduardoformigamayzabelnatameloemersonlaurentinoviniagostinilucasaarcoverdelariciamotageraldo.fernandesmateuspontesvitorlgomesmarcelovicentegcmaianabthiagolcmwendermatheuslealvifilafbmendescamarakevinvtexmyllena.alvesenzomercajardelymarisdaniyelnnrdenissilvavtexvinhagsgeorgebrindeiromarcos_vtexluiznickel-vtexluisgomes01_extvtexsophreisvtexthaynannunesguieevc-vtexarthurtriis1vtexmmartinsolivrerissonvtexernestosbarbosawisney.cardealtiago.freire.vtexgabriellymouranicacioliveiraevertonstrack_vtexmpcardosorafael.pereiraiago.lagunaalexandre.dedinhoamilton.vtexoremluis.mafraluis.mollmannleidymgdevguilhermeribeiro30

Keywords: vtex
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:bluebird | AI (phantom-deps): bluebird is a declared dep used transitively; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@types/koa | AI (phantom-deps): Type-only dep for framework; not directly imported at runtime by design. | ai | |
| phantom-deps | phantom-dep:@wry/equality | AI (phantom-deps): Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/koa-compose | AI (phantom-deps): Type-only dep; not directly imported at runtime by design. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Loads service.json config file at a known path; not arbitrary module loading. | ai | |
| typosquat | typosquat.levenshtein:hapi | AI (typosquat): Scoped @vtex/api is not a typosquat of hapi; Levenshtein match is a false positive for scoped packages. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Decodes a base64-encoded JSON binding value; standard framework pattern, not obfuscation. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped @vtex/api is not a typosquat of pg; false positive. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped @vtex/api is not a typosquat of joi; false positive. | ai | |
| typosquat | typosquat.levenshtein:ajv | AI (typosquat): Scoped @vtex/api is not a typosquat of ajv; false positive. | ai | |
Findings by version

v7.3.1 (2 findings)

| Severity | Category | Finding | Detail |
|---|---|---|---|
| HIGH | typosquat | typosquat.levenshtein: Possible typosquat of 'hapi' | Package name '@vtex/api' is 1 edit(s) away from popular package 'hapi'. |
| INFO | provenance | Has SLSA provenance attestation | Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal. |

v7.2.6 (2 findings)

| Severity | Category | Finding | Detail |
|---|---|---|---|
| HIGH | typosquat | typosquat.levenshtein: Possible typosquat of 'hapi' | Package name '@vtex/api' is 1 edit(s) away from popular package 'hapi'. |
| LOW | provenance | No provenance attestation | Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |

v7.2.0 (2 findings)

| Severity | Category | Finding | Detail |
|---|---|---|---|
| HIGH | typosquat | typosquat.levenshtein: Possible typosquat of 'hapi' | Package name '@vtex/api' is 1 edit(s) away from popular package 'hapi'. |
| LOW | provenance | No provenance attestation | Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |