bittorrent-dht — Greenflagged

Simple, robust, BitTorrent DHT implementation

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

ferossmafintoshfletwatsondiegorbaquerohicom150jhieseywebtorrent-botalxhotel

Keywords

torrentbittorrentdhtdistributed hash tableprotocolpeerp2ppeer-to-peer

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): webtorrent org migrated to GitHub Actions CI publishing with SLSA attestation; stable pattern for this package going forward.	ai	2026/05/28
dependencies	unvetted-dep:lru	AI (dependencies): lru is a legitimate, well-known caching library appropriate for DHT implementations.	ai	2026/04/25
dependencies	unvetted-dep:k-rpc	AI (dependencies): k-rpc is a core DHT RPC library from the WebTorrent/feross ecosystem, expected dependency.	ai	2026/04/25
dependencies	unvetted-dep:bencode	AI (dependencies): bencode is the standard BitTorrent encoding library, a fundamental dependency for any DHT implementation.	ai	2026/04/25
semgrep	semgrep:hex-decode	AI (semgrep): Hex-to-Buffer conversion is standard and expected in a BitTorrent DHT implementation for handling node IDs and info hashes. No obfuscation or malicious payload.	ai	2026/04/25
dependencies	unvetted-dep:record-cache	AI (dependencies): record-cache is a legitimate utility from the WebTorrent ecosystem, appropriate for DHT peer caching.	ai	2026/04/25
dependencies	unvetted-dep:last-one-wins	AI (dependencies): last-one-wins is a small utility library from the feross/WebTorrent ecosystem, no risk signals.	ai	2026/04/25
dependencies	unvetted-dep:k-bucket	AI (dependencies): k-bucket implements Kademlia routing tables, a core data structure for DHT; expected dependency.	ai	2026/04/25

Versions (showing 3 of 3)

Version	Deps	Published
11.0.12	8 / 8	2026-05-25
11.0.11	8 / 8	2025-09-14
11.0.10	8 / 8	2025-05-14

v11.0.12

2 findings

HIGH Publisher changed: webtorrent-bot → GitHub Actions (on 2026-05-25) provenance

This version was published by a different npm account than previous versions on 2026-05-25. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v11.0.11

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v11.0.10

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.