@ipld/dag-cbor — Greenflagged

JS implementation of DAG-CBOR

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

daviddiasmikealvmxalanshawachingbrainvascosantosrvagglidelnpm-service-account-ipld

Keywords

ipfsipldmultiformats

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
npm-metadata	suspicious-initial-version	AI (npm-metadata): 0.0.0 is a legitimate bootstrap version for this established IPLD package by a known maintainer; not indicative of malicious intent.	ai	2026/04/24
maintainer-change	maintainer-added	AI (maintainer-change): All added maintainers (lidel, alanshaw, vascosantos, achingbrain, rvagg) are recognized IPFS/IPLD ecosystem contributors; this reflects normal collaborative project governance.	ai	2026/04/24
provenance	publisher-changed	AI (provenance): rvagg (Rod Vagg) is the listed package author and a well-known IPLD/Node.js contributor; the publisher transition from mikeal is a legitimate handoff within the IPLD org.	ai	2026/04/24
source-diff	source-size-tripled	AI (source-diff): Size increase explained by addition of CJS/ESM dual build output, TypeScript type definitions, and test infrastructure — all consistent with the new ipjs build pipeline.	ai	2026/04/24
provenance	missing-githead	AI (provenance): Package underwent a major build system migration (ipjs tooling, dual ESM/CJS output). Missing gitHead reflects changed publish environment, not malicious activity. Stable for this package.	ai	2026/04/24
publish-pattern	new-deps-added	AI (publish-pattern): cborg and multiformats are established IPLD ecosystem packages replacing borc/@ipld/is-circular. Legitimate dependency modernization, not suspicious injection.	ai	2026/04/24
dependencies	unvetted-dep:borc	AI (dependencies): borc is the standard CBOR library used throughout the IPFS/IPLD ecosystem; its use in dag-cbor is expected and legitimate across all versions.	ai	2026/04/24
provenance	no-provenance	AI (provenance): Package predates widespread Sigstore provenance adoption; no provenance is expected for this era and publisher history is clean.	ai	2026/04/24
dependencies	unvetted-dep:cborg	AI (dependencies): cborg is the standard CBOR codec used throughout the IPFS/IPLD ecosystem and is the expected dependency for dag-cbor; not suspicious.	ai	2026/04/21

Versions (showing 51 of 74)

View all versions

Version	Deps	Published
10.0.1	2 / 2	2026-05-12
10.0.0	2 / 2	2026-05-12
9.2.7	2 / 2	2026-05-12
9.2.6	2 / 2	2026-04-02
9.2.5	2 / 2	2025-09-04
9.2.4	2 / 2	2025-05-22
9.2.3	2 / 2	2025-05-08
9.2.2	2 / 2	2024-10-29
9.2.1	2 / 2	2024-06-24
9.2.0	2 / 2	2024-02-16
9.1.0	2 / 2	2024-01-30
9.0.8	2 / 2	2024-01-10
9.0.7	2 / 2	2023-12-30
9.0.6	2 / 2	2023-10-03
9.0.5	2 / 2	2023-09-12
9.0.4	2 / 2	2023-08-08
9.0.3	2 / 2	2023-06-19
9.0.2	2 / 2	2023-06-14
9.0.1	2 / 2	2023-05-22
9.0.0	2 / 3	2023-01-06
8.0.1	2 / 3	2023-01-03
8.0.0	2 / 3	2022-10-19
7.0.3	2 / 9	2022-08-27
7.0.2	2 / 9	2022-05-25
7.0.1	2 / 9	2022-03-02
7.0.0	2 / 9	2021-12-13
6.0.15	2 / 9	2021-12-09
6.0.14	2 / 8	2021-11-23
6.0.13	2 / 8	2021-11-04
6.0.12	2 / 8	2021-10-18
6.0.11	2 / 8	2021-09-28
6.0.10	2 / 8	2021-09-02
6.0.9	2 / 8	2021-08-05
6.0.8	2 / 8	2021-08-05
6.0.7	2 / 8	2021-08-03
6.0.6	2 / 8	2021-07-20
6.0.5	2 / 8	2021-07-01
6.0.4	2 / 8	2021-06-08
6.0.3	2 / 8	2021-05-31
6.0.2	2 / 8	2021-05-31
6.0.1	2 / 8	2021-05-31
6.0.0	2 / 8	2021-05-27
5.0.5	2 / 8	2021-05-13
5.0.4	2 / 8	2021-05-12
5.0.3	2 / 8	2021-05-12
5.0.2	2 / 8	2021-05-06
5.0.1	2 / 8	2021-05-06
5.0.0	2 / 8	2021-04-26
4.0.0	2 / 7	2021-03-25
3.0.0	2 / 6	2021-01-19
2.0.3	3 / 5	2020-11-10

v10.0.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v10.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v9.2.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v9.2.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v9.2.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v9.2.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v9.2.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v9.2.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v9.2.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v9.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v9.0.8

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v9.0.7

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v9.0.6

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v9.0.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v9.0.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v9.0.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v9.0.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v9.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v9.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v7.0.3

2 findings

HIGH Publisher changed: mikeal → npm-service-account-ipld (on 2022-08-27) provenance

This version was published by a different npm account than previous versions on 2022-08-27. This could indicate a legitimate maintainer transition or an account compromise.