ipfs-client
A client library to talk to local IPFS daemons
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): ipfs-npm-publisher-bot is the established automated publisher for this package; missing gitHead reflects a CI/CD environment change, not a security concern, and is stable for this package. | ai | |
| provenance | no-provenance | AI (provenance): Established IPFS ecosystem package predating Sigstore provenance; low risk given publisher track record. | ai | |
| source-diff | net-exec-file:index.min.js | AI (source-diff): index.min.js is a standard aegir-generated UMD browser bundle for the IPFS client. Network calls are IPFS protocol comms; dynamic require is a UMD shim. Not malware. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is due to addition of a webpack bundle (dist/index.min.js) via the new prepublishOnly build step using aegir, the standard IPFS ecosystem build tool. | ai | |
| source-diff | net-exec-file:dist/index.min.js | AI (source-diff): dist/index.min.js is a standard webpack bundle of the IPFS client library. Network calls and dynamic module loading (webpack boilerplate) are expected; not a dropper/loader. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change to achingbrain is a legitimate IPFS project maintainer transition; achingbrain is a well-established npm publisher with strong track record. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of brosenan is part of a legitimate IPFS project maintainer transition to the core team. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): Transfer to achingbrain (IPFS core contributor, 755 approved packages) and ipfs-npm-publisher-bot is a documented IPFS project consolidation, not a hijack. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): achingbrain and ipfs-npm-publisher-bot are standard IPFS project maintainers; addition is consistent with official project governance. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): spawn('ipfs', ['add', '-q']) is the documented, transparent way this library interacts with the local IPFS daemon. Stable false positive for this package. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): ipfs-client wraps the local IPFS CLI via child_process by design; this is the core mechanism of the library, not malicious behavior. | ai | |
Versions (showing 44 of 44)
| Version | Deps | Published |
|---|---|---|
| 0.10.1 | 3 / 1 | |
| 0.10.0 | 3 / 1 | |
| 0.9.2 | 3 / 1 | |
| 0.9.1 | 3 / 1 | |
| 0.9.0 | 3 / 1 | |
| 0.8.3 | 3 / 1 | |
| 0.8.2 | 3 / 1 | |
| 0.8.1 | 3 / 1 | |
| 0.8.0 | 3 / 1 | |
| 0.7.9 | 3 / 2 | |
| 0.7.8 | 3 / 2 | |
| 0.7.7 | 3 / 2 | |
| 0.7.6 | 3 / 2 | |
| 0.7.5 | 3 / 2 | |
| 0.7.4 | 3 / 2 | |
| 0.7.3 | 3 / 2 | |
| 0.7.2 | 3 / 2 | |
| 0.7.1 | 3 / 2 | |
| 0.7.0 | 3 / 2 | |
| 0.6.6 | 3 / 2 | |
| 0.6.5 | 3 / 2 | |
| 0.6.4 | 3 / 2 | |
| 0.6.3 | 3 / 2 | |
| 0.6.2 | 3 / 2 | |
| 0.6.1 | 3 / 2 | |
| 0.6.0 | 3 / 2 | |
| 0.5.1 | 3 / 2 | |
| 0.5.0 | 3 / 2 | |
| 0.4.3 | 3 / 2 | |
| 0.4.2 | 3 / 2 | |
| 0.4.1 | 3 / 2 | |
| 0.4.0 | 3 / 2 | |
| 0.3.5 | 3 / 2 | |
| 0.3.4 | 3 / 2 | |
| 0.3.3 | 3 / 2 | |
| 0.3.2 | 3 / 2 | |
| 0.3.1 | 3 / 2 | |
| 0.3.0 | 3 / 2 | |
| 0.2.2 | 3 / 3 | |
| 0.2.1 | 3 / 3 | |
| 0.2.0 | 3 / 3 | |
| 0.1.2 | 1 / 1 | |
| 0.1.1 | 1 / 1 | |
| 0.1.0 | 1 / 1 | |
v0.10.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.0
2 findings:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-09-07. This could indicate a legitimate maintainer transition or an account compromise.
v0.8.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.9
2 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: achingbrain.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.8
3 findings:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: achingbrain.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-05. This could indicate a legitimate maintainer transition or an account compromise.
v0.7.7
2 findings:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ipfs-npm-publisher-bot.
v0.7.6
3 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ipfs-npm-publisher-bot.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-01-27. This could indicate a legitimate maintainer transition or an account compromise.
v0.7.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.1
2 findings:
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
2 findings:
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.1
2 findings:
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
3 findings:
All previous maintainers (brosenan) were replaced by new maintainers (achingbrain, ipfs-npm-publisher-bot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2021-01-15. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.