← Home

vtex

npm Repository Homepage

The platform for e-commerce apps

6
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

lbebberalcararturpimentelfelippenardialinevillacacaio.oliveiravictorgesguilhermebruzzicmdalbemiagontmedinasalesfelipediegoximenesandreldsajgfidelisvcalasansthiagomurakamimarcoskwkmlurianrogerlucenaarthurepcigorframosgustavorosolemanaluizamtgrafarubimtergolrafabacbivillarbrenoguigsdahervictorhmpmarcosvcpjeymissonnatalia_godottiagonapolir-araripeaugusto.lazarokaisermannericreisathoscoutotlgimenesanitavincentbrunojdofirstdoitaugustobafonsopracaamoreiranandoacoelhokevinchevalliervtexlab-userlucasfp13-vtexevertonataideartursantanavtexluan.soutoluand3vgeraldo.fernandesjardelymarisvitorlgomesmateuspontesvtex-licenseslucasvysk.vtexjuliobguedesfdaciuk_vtexhuandrey.pontesjeffersontucjumcthaynannunesernestosbarbosaguieevc-vtexiago.lagunavtex.guilherme.diaslaisribeiroleidymgdevodin16gabriela.martinsarthurtriis1vtex

Keywords

CLIvtexecommercecommerceomnichannelplatformreacttoolbeltappsoclif

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
phantom-deps phantom-dep:winston-transport AI (phantom-deps): Stable false positive for this CLI package. ai
phantom-deps phantom-dep:v8-compile-cache AI (phantom-deps): Stable false positive for this CLI package. ai
phantom-deps phantom-dep:latest-version AI (phantom-deps): Stable false positive for this CLI package. ai
phantom-deps phantom-dep:randomstring AI (phantom-deps): Same as above; stable false positive for this CLI package. ai
phantom-deps phantom-dep:any-promise AI (phantom-deps): CLI tool with many transitive deps; phantom-dep heuristic fires on config-referenced packages, not a real risk. ai
phantom-deps phantom-dep:@vtex/cli-plugin-abtest AI (phantom-deps): oclif plugin loaded dynamically by config; stable false positive. ai
phantom-deps phantom-dep:@vtex/cli-plugin-deploy AI (phantom-deps): oclif plugin loaded dynamically by config; stable false positive. ai
phantom-deps phantom-dep:@vtex/cli-plugin-whoami AI (phantom-deps): oclif plugin loaded dynamically by config; stable false positive. ai
phantom-deps phantom-dep:@vtex/cli-plugin-edition AI (phantom-deps): oclif plugin loaded dynamically by config; stable false positive. ai
phantom-deps phantom-dep:@vtex/cli-plugin-plugins AI (phantom-deps): oclif plugin loaded dynamically by config; stable false positive. ai
phantom-deps phantom-dep:@vtex/cli-plugin-autoupdate AI (phantom-deps): oclif plugin loaded dynamically by config; stable false positive. ai
phantom-deps phantom-dep:@tiagonapoli/oclif-plugin-spaced-commands AI (phantom-deps): oclif plugin loaded dynamically by config; stable false positive. ai
phantom-deps phantom-dep:prompt-confirm AI (phantom-deps): Declared in deps and used indirectly; phantom-dep heuristic false positive for this CLI. ai
phantom-deps phantom-dep:ajv AI (phantom-deps): Used via config/schema validation indirectly; stable false positive. ai
phantom-deps phantom-dep:boxen AI (phantom-deps): Stable false positive for this CLI package. ai
phantom-deps phantom-dep:numbro AI (phantom-deps): Stable false positive for this CLI package. ai
phantom-deps phantom-dep:graphql AI (phantom-deps): Stable false positive for this CLI package. ai
phantom-deps phantom-dep:js-yaml AI (phantom-deps): Stable false positive for this CLI package. ai
phantom-deps phantom-dep:@vtex/cli-plugin-workspace AI (phantom-deps): oclif plugin loaded dynamically by config; stable false positive. ai
phantom-deps phantom-dep:bluebird AI (phantom-deps): Stable false positive for this CLI package. ai
phantom-deps phantom-dep:csvtojson AI (phantom-deps): Stable false positive for this CLI package. ai
phantom-deps phantom-dep:cli-table2 AI (phantom-deps): Stable false positive for this CLI package. ai
phantom-deps phantom-dep:@vtex/cli-plugin-deps AI (phantom-deps): oclif plugin loaded dynamically by config, not direct import; stable false positive for this package. ai
typosquat typosquat.levenshtein:vite AI (typosquat): vtex is the official VTEX e-commerce platform CLI, not a typo of vite. ai
semgrep semgrep:child-process-spawn AI (semgrep): spawn() used to launch detached background processes; legitimate CLI toolbelt pattern. ai
semgrep semgrep:child-process-import AI (semgrep): child_process used in documented spawnUnblockingChildProcess utility for detached background processes. ai
typosquat typosquat.levenshtein:knex AI (typosquat): vtex is the official VTEX e-commerce platform CLI, not a typo of knex. ai

Versions (showing 6 of 6)

Version Deps Published
4.4.0 77 / 31
4.3.2 76 / 31
4.3.1 76 / 31
4.3.0 76 / 31
4.2.2 76 / 31
4.2.1 76 / 31

v4.4.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.3.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.3.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.3.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.2.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.2.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.