@eeacms/volto-cca-policy
@eeacms/volto-cca-policy: Volto add-on
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@plone-collective/volto-rss-provider | AI (phantom-deps): Volto addon config reference pattern; not directly imported, consistent with other phantom deps in this package. | ai | |
| phantom-deps | phantom-dep:d3-array | AI (phantom-deps): Declared dependency used in config; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@elastic/search-ui | AI (phantom-deps): Declared dependency used in config; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@eeacms/volto-group-block | AI (phantom-deps): Declared dependency used in config; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@eeacms/volto-slate-label | AI (phantom-deps): Declared dependency used in config; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@eeacms/volto-searchlib | AI (phantom-deps): Declared dependency used in config; stable pattern for this package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is in .eslintrc.js to read tsconfig paths — dev config only, not runtime code. | ai |
Versions (showing 25 of 25)
| Version | Deps | Published |
|---|---|---|
| 1.0.0 | 18 / 11 | |
| 0.3.131 | 18 / 11 | |
| 0.3.129 | 18 / 11 | |
| 0.3.128 | 18 / 11 | |
| 0.3.127 | 18 / 11 | |
| 0.3.126 | 18 / 11 | |
| 0.3.125 | 18 / 11 | |
| 0.3.124 | 18 / 11 | |
| 0.3.123 | 18 / 11 | |
| 0.3.122 | 18 / 11 | |
| 0.3.121 | 18 / 11 | |
| 0.3.120 | 17 / 11 | |
| 0.3.119 | 17 / 11 | |
| 0.3.118 | 17 / 11 | |
| 0.3.117 | 17 / 11 | |
| 0.3.116 | 17 / 11 | |
| 0.3.115 | 17 / 11 | |
| 0.3.114 | 17 / 11 | |
| 0.3.113 | 17 / 11 | |
| 0.3.112 | 17 / 11 | |
| 0.3.111 | 17 / 11 | |
| 0.3.110 | 17 / 11 | |
| 0.3.109 | 17 / 11 | |
| 0.3.108 | 17 / 11 | |
| 0.3.107 | 17 / 11 |
v1.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.131
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.129
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.128
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.127
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.126
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.125
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.124
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.123
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.122
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.121
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.120
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.119
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.117
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.116
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.115
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.114
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.113
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.112
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.111
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.110
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.109
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.108
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.107
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.