@multiformats/multiaddr
The JavaScript implementation of the Multiaddr spec
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Transition from achingbrain to npm-service-account-multiformats is a legitimate org-level service account migration; the new publisher has 76 approved packages and 1400 days of history. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Sparse metadata is consistent with a namespace placeholder release under the @multiformats org by a well-established, trusted publisher. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): Version 0.0.0 is a namespace reservation placeholder by a trusted publisher (achingbrain) with 1137 approved packages. Not indicative of malicious intent. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): abort-error is a legitimate utility for AbortError creation, consistent with the package's async network operations. No malicious indicators. | ai | |
| dependencies | unvetted-dep:race-signal | AI (dependencies): race-signal is a small, focused AbortSignal utility used for DNS resolution timeouts; consistent with package purpose and no malicious indicators. | ai | |
| dependencies | unvetted-dep:@chainsafe/netmask | AI (dependencies): @chainsafe/netmask is a legitimate dependency from the reputable ChainSafe org, appropriate for netmask operations in a multiaddr library. Stable false positive for this package. | ai | |
| dependencies | unvetted-dep:uint8-varint | AI (dependencies): uint8-varint is a standard varint encoding utility widely used in the IPFS/libp2p/multiformats ecosystem; appropriate dependency for this package. | ai | |
| dependencies | unvetted-dep:@chainsafe/is-ip | AI (dependencies): @chainsafe/is-ip is from ChainSafe Systems, a reputable web3 infrastructure org; appropriate IP validation dependency for multiaddr parsing. | ai | |
Versions (showing 51 of 83)
| Version | Deps | Published |
|---|---|---|
| 13.0.3 | 4 / 1 | |
| 13.0.2 | 4 / 1 | |
| 13.0.1 | 4 / 1 | |
| 13.0.0 | 4 / 1 | |
| 12.5.1 | 7 / 4 | |
| 12.5.0 | 7 / 4 | |
| 12.4.3 | 7 / 4 | |
| 12.4.2 | 7 / 4 | |
| 12.4.1 | 6 / 4 | |
| 12.4.0 | 6 / 4 | |
| 12.3.5 | 6 / 4 | |
| 12.3.4 | 6 / 4 | |
| 12.3.3 | 6 / 4 | |
| 12.3.2 | 6 / 4 | |
| 12.3.1 | 6 / 4 | |
| 12.3.0 | 7 / 4 | |
| 12.2.3 | 7 / 4 | |
| 12.2.2 | 7 / 4 | |
| 12.2.1 | 7 / 4 | |
| 12.1.14 | 7 / 3 | |
| 12.1.13 | 7 / 3 | |
| 12.1.12 | 7 / 3 | |
| 12.1.11 | 7 / 3 | |
| 12.1.10 | 7 / 3 | |
| 12.1.9 | 7 / 3 | |
| 12.1.8 | 7 / 3 | |
| 12.1.7 | 7 / 3 | |
| 12.1.6 | 7 / 4 | |
| 12.1.5 | 7 / 4 | |
| 12.1.4 | 7 / 4 | |
| 12.1.3 | 7 / 4 | |
| 12.1.2 | 7 / 3 | |
| 12.1.1 | 7 / 3 | |
| 12.1.0 | 7 / 3 | |
| 12.0.0 | 6 / 4 | |
| 11.6.1 | 6 / 4 | |
| 11.6.0 | 6 / 4 | |
| 11.5.0 | 6 / 4 | |
| 11.4.0 | 6 / 4 | |
| 11.3.0 | 6 / 4 | |
| 11.2.0 | 6 / 4 | |
| 11.1.5 | 6 / 4 | |
| 11.1.4 | 6 / 4 | |
| 11.1.3 | 6 / 4 | |
| 11.1.2 | 6 / 4 | |
| 11.1.1 | 6 / 4 | |
| 11.1.0 | 6 / 4 | |
| 11.0.12 | 6 / 4 | |
| 11.0.11 | 6 / 4 | |
| 11.0.10 | 6 / 4 | |
| 11.0.9 | 6 / 4 | |
v13.0.3
2 findings
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-12. This could indicate a legitimate maintainer transition or an account compromise.
v13.0.2
2 findings
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-12. This could indicate a legitimate maintainer transition or an account compromise.
v13.0.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.0.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v12.5.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v12.5.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v12.4.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v12.4.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v12.4.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v12.4.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v12.3.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v12.3.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v12.3.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v12.3.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v12.3.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v12.3.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v12.2.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v12.2.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v12.2.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v12.1.14
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v12.1.13
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v12.1.12
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v12.1.11
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v12.1.10
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.1.9
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.1.8
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.1.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.1.6
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.1.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.1.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.1.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.1.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.1.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.1.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.0.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.6.1
2 findings
This version was published by a different npm account than previous versions on 2023-03-09. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.6.0
2 findings
This version was published by a different npm account than previous versions on 2023-03-06. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.5.0
2 findings
This version was published by a different npm account than previous versions on 2023-03-03. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.4.0
2 findings
This version was published by a different npm account than previous versions on 2023-01-30. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.3.0
2 findings
This version was published by a different npm account than previous versions on 2023-01-17. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.2.0
2 findings
This version was published by a different npm account than previous versions on 2023-01-17. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.1.5
2 findings
This version was published by a different npm account than previous versions on 2023-01-06. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.1.4
2 findings
This version was published by a different npm account than previous versions on 2022-12-16. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.1.3
2 findings
This version was published by a different npm account than previous versions on 2022-12-14. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.1.2
2 findings
This version was published by a different npm account than previous versions on 2022-12-14. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.1.1
2 findings
This version was published by a different npm account than previous versions on 2022-12-13. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.1.0
2 findings
This version was published by a different npm account than previous versions on 2022-12-10. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.0.12
2 findings
This version was published by a different npm account than previous versions on 2022-12-08. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.0.11
2 findings
This version was published by a different npm account than previous versions on 2022-12-08. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.0.10
2 findings
This version was published by a different npm account than previous versions on 2022-12-07. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.0.9
2 findings
This version was published by a different npm account than previous versions on 2022-12-07. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.