@avalabs/evm-module
This package implements the core logic for the EVM (Ethereum Virtual Machine) module.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| install-scripts | install-script:postinstall | AI (install-scripts): Runs typechain to generate contract bindings from local node_modules — no network access, deterministic codegen step. | ai | |
| phantom-deps | phantom-dep:@avalabs/types | AI (phantom-deps): Same-org monorepo package; phantom-dep heuristic is unreliable for transitive type-only imports. | ai | |
| phantom-deps | phantom-dep:@avalabs/core-etherscan-sdk | AI (phantom-deps): Same-org monorepo package; phantom-dep heuristic is unreliable for transitive imports. | ai | |
| phantom-deps | phantom-dep:bn.js | AI (phantom-deps): bn.js is referenced in config/type files; stable false positive for this package. | ai | |
Versions (showing 4 of 4)
| Version | Deps | Published |
|---|---|---|
| 3.9.0 | 16 / 14 | |
| 3.7.3 | 15 / 14 | |
| 3.0.1 | 15 / 14 | |
| 2.0.0 | 15 / 14 | |
v3.9.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.7.3
2 findings
Script: pnpm run gen:contracts
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.1
2 findings
Script: pnpm run gen:contracts
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.0
2 findings
Script: pnpm run gen:contracts
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.