algoliasearch — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

haroenvshortcutseric-zahariaflufiam4xvvospeedbluebobylitoredoxpixelasticproudlygeek

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:@algolia/client-recommendation	AI (dependencies): First-party @algolia scoped package, part of the same coordinated monorepo release at matching version 4.0.0. No independent risk.	ai	2026/04/24
semgrep	semgrep:base64-decode	AI (semgrep): Base64 decoding in this package is used for parsing Algolia secured API keys — a documented, legitimate feature with no malicious payload risk.	ai	2026/04/24
provenance	missing-githead	AI (provenance): Diff baseline is v5.x; v4.x maintenance releases have different build/publish tooling. Not indicative of compromise.	ai	2026/04/24
publish-pattern	new-deps-added	AI (publish-pattern): All added deps are @algolia/* at matching version — standard v4.x dependency tree. Diff misleading due to v5.x baseline.	ai	2026/04/24
phantom-deps	phantom-dep:@algolia/requester-browser-xhr	AI (phantom-deps): Same as above — v4 sub-package architecture uses indirect bundled references rather than direct imports.	ai	2026/04/24
phantom-deps	phantom-dep:@algolia/cache-browser-local-storage	AI (phantom-deps): algoliasearch v4 bundles sub-packages into dist files; indirect usage via bundle is the documented architecture for this package family.	ai	2026/04/24
phantom-deps	phantom-dep:@algolia/logger-console	AI (phantom-deps): Same as above — v4 sub-package architecture uses indirect bundled references rather than direct imports.	ai	2026/04/24
phantom-deps	phantom-dep:@algolia/client-account	AI (phantom-deps): Same as above — v4 sub-package architecture uses indirect bundled references rather than direct imports.	ai	2026/04/24
provenance	publisher-changed	AI (provenance): Algolia migrated to GitHub Actions CI/CD publishing, corroborated by SLSA provenance attestation. This is a legitimate organizational change for this major company's package.	ai	2026/04/24
maintainer-change	maintainer-added	AI (maintainer-change): New maintainer 'fluf' is consistent with internal Algolia team management for this established, company-owned package.	ai	2026/04/24
dependencies	unvetted-dep:@algolia/requester-node-http	AI (dependencies): First-party Algolia monorepo sub-package, always released in lockstep with algoliasearch. Not a third-party dependency.	ai	2026/04/23
dependencies	unvetted-dep:@algolia/requester-browser-xhr	AI (dependencies): First-party Algolia monorepo sub-package, always released in lockstep with algoliasearch. Not a third-party dependency.	ai	2026/04/23
dependencies	unvetted-dep:@algolia/abtesting	AI (dependencies): First-party Algolia monorepo sub-package, always released in lockstep with algoliasearch. Not a third-party dependency.	ai	2026/04/23
dependencies	unvetted-dep:@algolia/client-query-suggestions	AI (dependencies): First-party Algolia monorepo sub-package, always released in lockstep with algoliasearch. Not a third-party dependency.	ai	2026/04/23
phantom-deps	phantom-dep:@algolia/requester-fetch	AI (phantom-deps): Declared as a dependency and referenced in config files; consistent with bundling setup in this monorepo package. Not a true phantom dependency.	ai	2026/04/23
dependencies	unvetted-dep:@algolia/client-personalization	AI (dependencies): First-party Algolia monorepo sub-package, always released in lockstep with algoliasearch. Not a third-party dependency.	ai	2026/04/23
dependencies	unvetted-dep:@algolia/ingestion	AI (dependencies): First-party Algolia monorepo sub-package, always released in lockstep with algoliasearch. Not a third-party dependency.	ai	2026/04/23
dependencies	unvetted-dep:@algolia/recommend	AI (dependencies): First-party Algolia monorepo sub-package, always released in lockstep with algoliasearch. Not a third-party dependency.	ai	2026/04/23
dependencies	unvetted-dep:@algolia/monitoring	AI (dependencies): First-party Algolia monorepo sub-package, always released in lockstep with algoliasearch. Not a third-party dependency.	ai	2026/04/23
dependencies	unvetted-dep:@algolia/client-common	AI (dependencies): First-party Algolia monorepo sub-package, always released in lockstep with algoliasearch. Not a third-party dependency.	ai	2026/04/23
dependencies	unvetted-dep:@algolia/client-search	AI (dependencies): First-party Algolia monorepo sub-package, always released in lockstep with algoliasearch. Not a third-party dependency.	ai	2026/04/23
dependencies	unvetted-dep:@algolia/client-insights	AI (dependencies): First-party Algolia monorepo sub-package, always released in lockstep with algoliasearch. Not a third-party dependency.	ai	2026/04/23
dependencies	unvetted-dep:@algolia/requester-fetch	AI (dependencies): First-party Algolia monorepo sub-package, always released in lockstep with algoliasearch. Not a third-party dependency.	ai	2026/04/23
dependencies	unvetted-dep:@algolia/client-abtesting	AI (dependencies): First-party Algolia monorepo sub-package, always released in lockstep with algoliasearch. Not a third-party dependency.	ai	2026/04/23
dependencies	unvetted-dep:@algolia/client-analytics	AI (dependencies): First-party Algolia monorepo sub-package, always released in lockstep with algoliasearch. Not a third-party dependency.	ai	2026/04/23