@pkcprotocol/pkc-js
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/bundled/chunks/schema-B7HIUI8w.js | AI (source-diff): Rolldown-bundled output chunk; minification is expected for this SDK's build pipeline. | ai | |
| source-diff | obfuscated-file:dist/bundled/chunks/rpc-local-community-CO__pwvD.js | AI (source-diff): Rolldown-bundled output chunk; minification is expected for this SDK's build pipeline. | ai | |
| source-diff | obfuscated-file:dist/bundled/chunks/node-edb9-nES.js | AI (source-diff): Rolldown-bundled output chunk; minification is expected for this SDK's build pipeline. | ai | |
| source-diff | net-exec-file:dist/bundled/chunks/schema-B7HIUI8w.js | AI (source-diff): Network calls and dynamic require are part of the IPFS/libp2p SDK functionality, not dropper behavior. | ai | |
| source-diff | net-exec-file:dist/bundled/chunks/rpc-local-community-CO__pwvD.js | AI (source-diff): Network calls and dynamic require are part of the IPFS/libp2p SDK functionality, not dropper behavior. | ai | |
| phantom-deps | phantom-dep:jose | AI (phantom-deps): Large SDK with conditional/platform-specific imports; phantom-dep heuristic unreliable here. | ai | |
| source-diff | net-exec-file:dist/bundled/chunks/schema-Bo3XK8Oe.js | AI (source-diff): Network calls and dynamic require are part of IPFS/libp2p functionality bundled via rolldown; not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/bundled/chunks/node-DMNVMYGv.js | AI (source-diff): Rolldown-generated bundle chunk; minification is expected for this package's build output. | ai | |
| source-diff | obfuscated-file:dist/bundled/chunks/rpc-local-community-DG6G0xL6.js | AI (source-diff): Rolldown-generated bundle chunk; minification is expected for this package's build output. | ai | |
| source-diff | obfuscated-file:dist/bundled/chunks/schema-Bo3XK8Oe.js | AI (source-diff): Rolldown-generated bundle chunk; minification is expected for this package's build output. | ai | |
| source-diff | net-exec-file:dist/bundled/chunks/rpc-local-community-DG6G0xL6.js | AI (source-diff): Network calls and dynamic require are part of IPFS/libp2p functionality bundled via rolldown; not dropper behavior. | ai | |
| source-diff | net-exec-file:dist/bundled/chunks/rpc-local-community-Xpx65cbz.js | AI (source-diff): Network + code execution is inherent to a p2p/IPFS SDK bundle; no malicious payload visible in samples. | ai | |
| source-diff | obfuscated-file:dist/bundled/chunks/node-7bvDHqBl.js | AI (source-diff): Rolldown bundle chunk with readable ES module imports; minification is expected for this package's bundled dist output. | ai | |
| source-diff | obfuscated-file:dist/bundled/chunks/rpc-local-community-Xpx65cbz.js | AI (source-diff): Rolldown bundle chunk; minification is expected for this package's bundled dist output. | ai | |
| source-diff | obfuscated-file:dist/bundled/chunks/schema-CijXm_fr.js | AI (source-diff): Rolldown bundle chunk; minification is expected for this package's bundled dist output. | ai | |
| source-diff | net-exec-file:dist/bundled/chunks/schema-CijXm_fr.js | AI (source-diff): Network + code execution is inherent to a p2p/IPFS SDK bundle; no malicious payload visible in samples. | ai | |
| phantom-deps | phantom-dep:@libp2p/peer-id-factory | AI (phantom-deps): Referenced in config files; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@libp2p/websockets | AI (phantom-deps): Conditional transport import; stable false positive for this libp2p SDK. | ai | |
| phantom-deps | phantom-dep:blockstore-idb | AI (phantom-deps): Platform-split build; declared for browser environment, not directly imported in node path. | ai | |
| phantom-deps | phantom-dep:sha1-uint8array | AI (phantom-deps): Conditional import in browser bundle; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:err-code | AI (phantom-deps): Transitive re-export pattern common in IPFS ecosystem packages. | ai | |
| phantom-deps | phantom-dep:blockstore-fs | AI (phantom-deps): Node-only blockstore; conditional import pattern in browser/node split build. | ai | |
| phantom-deps | phantom-dep:@libp2p/interfaces | AI (phantom-deps): Type-only or conditional import; stable false positive for this libp2p SDK. | ai | |
Versions (showing 38 of 38)
| Version | Deps | Published |
|---|---|---|
| 0.0.48 | 58 / 38 | |
| 0.0.47 | 58 / 38 | |
| 0.0.46 | 52 / 35 | |
| 0.0.45 | 47 / 33 | |
| 0.0.44 | 47 / 33 | |
| 0.0.43 | 47 / 33 | |
| 0.0.42 | 47 / 33 | |
| 0.0.41 | 47 / 33 | |
| 0.0.40 | 47 / 33 | |
| 0.0.39 | 47 / 33 | |
| 0.0.38 | 47 / 33 | |
| 0.0.37 | 47 / 33 | |
| 0.0.36 | 47 / 33 | |
| 0.0.35 | 47 / 33 | |
| 0.0.34 | 47 / 33 | |
| 0.0.33 | 47 / 33 | |
| 0.0.32 | 47 / 33 | |
| 0.0.31 | 48 / 33 | |
| 0.0.30 | 48 / 33 | |
| 0.0.29 | 48 / 33 | |
| 0.0.28 | 47 / 33 | |
| 0.0.27 | 47 / 33 | |
| 0.0.26 | 47 / 33 | |
| 0.0.25 | 47 / 33 | |
| 0.0.24 | 52 / 41 | |
| 0.0.23 | 52 / 41 | |
| 0.0.22 | 52 / 41 | |
| 0.0.21 | 52 / 41 | |
| 0.0.20 | 52 / 41 | |
| 0.0.19 | 51 / 41 | |
| 0.0.18 | 51 / 41 | |
| 0.0.17 | 51 / 41 | |
| 0.0.16 | 52 / 41 | |
| 0.0.15 | 52 / 41 | |
| 0.0.14 | 52 / 41 | |
| 0.0.13 | 52 / 41 | |
| 0.0.12 | 52 / 41 | |
| 0.0.11 | 53 / 42 | |
v0.0.48
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.47
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.46
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.45
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.44
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.43
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.42
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.41
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.40
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.39
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.38
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.37
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.36
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.35
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.34
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.33
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.32
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.31
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.30
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.29
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.28
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.27
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.26
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.25
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.24
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.22
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.21
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.20
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.19
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.18
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.17
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.16
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.15
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.14
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.13
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.12
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.11
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.