@vue-storefront/http1VersionsMITLicenseNoInstall ScriptsMissingProvenanceSupply chain provenanceStatus for the latest visible version.No SLSA provenancenpm registry signaturesgitHead linkedWithout SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026