@vtex/sales-app
Package that contains capabilities to enable extensibility points on Sales App
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:public/webpack-runtime-fb22f97adcf3d98f4c3f.js | AI (source-diff): Standard webpack runtime bundle; minification triggers obfuscation rule as a false positive. | ai | |
| source-diff | net-exec-file:public/component---gatsby-theme-instore-core-src-screens-instore-index-tsx-059bc87339e312410509.js | AI (source-diff): Webpack bundle with dynamic chunk loading; net+exec pattern is expected in Gatsby build artifacts. | ai | |
| source-diff | obfuscated-file:public/component---gatsby-theme-instore-core-src-screens-instore-index-tsx-059bc87339e312410509.js | AI (source-diff): Standard Gatsby/webpack minified bundle; obfuscation flag is a false positive for this build output pattern. | ai | |
| source-diff | obfuscated-file:public/component---gatsby-theme-instore-core-src-screens-instore-index-tsx-ad7830d9815f561b10b3.js | AI (source-diff): Gatsby page bundle; minified by build toolchain. | ai | |
| source-diff | obfuscated-file:public/webpack-runtime-61a4a85a943aa38079ac.js | AI (source-diff): Gatsby webpack runtime; minified by build toolchain. | ai | |
| source-diff | net-exec-file:public/component---gatsby-theme-instore-core-src-screens-instore-index-tsx-ad7830d9815f561b10b3.js | AI (source-diff): Webpack chunk loader; normal for Gatsby SPA. | ai | |
| source-diff | obfuscated-file:public/CheckoutScreen-e20287933b60d3f9350b.js | AI (source-diff): Gatsby webpack chunk; minification is expected for this package. | ai | |
| source-diff | obfuscated-file:public/app-270223972baed44dbad4.js | AI (source-diff): Standard Gatsby/webpack minified bundle; matches package's own gatsby:build script output. | ai | |
| source-diff | net-exec-file:public/app-270223972baed44dbad4.js | AI (source-diff): Network calls and dynamic module loading are normal webpack runtime patterns in Gatsby bundles. | ai | |
| source-diff | obfuscated-file:public/commons-4fc313eea52fdf6fe7fb.js | AI (source-diff): Gatsby webpack commons chunk; minification expected. | ai | |
| source-diff | net-exec-file:public/commons-4fc313eea52fdf6fe7fb.js | AI (source-diff): Dynamic module loading is standard webpack runtime behavior. | ai | |
| source-diff | obfuscated-file:public/component---gatsby-theme-instore-core-src-screens-instore-index-tsx-deb22f5c76ff5d84cd4f.js | AI (source-diff): Gatsby page component bundle; minification expected. | ai | |
| source-diff | net-exec-file:public/component---gatsby-theme-instore-core-src-screens-instore-index-tsx-deb22f5c76ff5d84cd4f.js | AI (source-diff): Dynamic imports are standard Gatsby code-splitting pattern. | ai | |
| source-diff | obfuscated-file:public/ContingencyCartScreen-50b935aede90eb5bb31d.js | AI (source-diff): Gatsby webpack chunk; minification expected. | ai | |
| source-diff | obfuscated-file:public/NewProductPage-4fc14c7eb11b1d5a8f5a.js | AI (source-diff): Gatsby webpack chunk; minification expected. | ai | |
| source-diff | obfuscated-file:public/SalesPerformanceScreen-78dedfa5de92b82f4241.js | AI (source-diff): Gatsby webpack chunk; minification expected. | ai | |
| source-diff | obfuscated-file:public/webpack-runtime-973f08d21488d3297d73.js | AI (source-diff): Webpack runtime bundle; new Function() is standard webpack bootstrap pattern. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Fires in webpack-runtime bundle; webpack uses new Function() internally for module loading. | ai | |
| phantom-deps | phantom-dep:@oclif/config | AI (phantom-deps): oclif config dep loaded by framework convention. | ai | |
| phantom-deps | phantom-dep:@types/react | AI (phantom-deps): Type-only package, not directly imported. | ai | |
| phantom-deps | phantom-dep:cookie-parser | AI (phantom-deps): Used in express server config, not directly imported in analyzed source. | ai | |
| phantom-deps | phantom-dep:@types/react-dom | AI (phantom-deps): Type-only package, not directly imported. | ai | |
| phantom-deps | phantom-dep:@babel/preset-env | AI (phantom-deps): Babel preset loaded by convention via babel config. | ai | |
| phantom-deps | phantom-dep:@oclif/plugin-help | AI (phantom-deps): oclif plugin declared in oclif config, not directly imported. | ai | |
| phantom-deps | phantom-dep:@babel/preset-react | AI (phantom-deps): Babel preset loaded by convention. | ai | |
| phantom-deps | phantom-dep:@babel/preset-typescript | AI (phantom-deps): Babel preset loaded by convention. | ai | |
| phantom-deps | phantom-dep:webpack-cli | AI (phantom-deps): CLI tool referenced in scripts, not imported in source. | ai | |
| phantom-deps | phantom-dep:@babel/core | AI (phantom-deps): Framework-scoped, loaded by babel-loader convention. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Fires in webpack-bundled output; standard pattern in React/webpack apps, not obfuscation. | ai | |
| phantom-deps | phantom-dep:typescript | AI (phantom-deps): Build-tool dep used via tsconfig/tsc, not directly imported in source. | ai | |
Versions (showing 6 of 6)
| Version | Deps | Published |
|---|---|---|
| 3.49.5 | 30 / 14 | |
| 3.49.4 | 30 / 14 | |
| 3.49.3 | 30 / 14 | |
| 3.49.0 | 30 / 14 | |
| 3.48.0 | 30 / 14 | |
| 3.47.4 | 29 / 14 | |
v3.49.5
4 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.49.4
12 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.49.3
12 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.49.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.48.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.47.4
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.