ipfs-grpc-client
A client library for the IPFS gRPC API
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-added | AI (maintainer-change): npm-service-account-ipfs is the IPFS project's shared CI/CD publishing account with 133 approved packages and 0 rejections; this is a legitimate org-level transition. | ai | |
| provenance | publisher-changed | AI (provenance): achingbrain is the primary js-ipfs maintainer; transition from ipfs-npm-publisher-bot to direct maintainer publishing is a documented, legitimate workflow change for this package. | ai | |
| provenance | missing-githead | AI (provenance): Missing gitHead is consistent with the publish workflow change from bot to direct maintainer; no other tampering indicators present. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): multiformats is the well-known IPFS ecosystem successor to cids; this is a standard migration in the js-ipfs monorepo, not a suspicious dependency addition. | ai | |
| dependencies | unvetted-dep:protobufjs | AI (dependencies): protobufjs is a well-known, widely-used protobuf library; its use is expected and appropriate for a gRPC client package. | ai | |
| provenance | no-provenance | AI (provenance): Established IPFS ecosystem package from a trusted publisher; lack of Sigstore provenance is not a security risk for this package. | ai | |
| source-diff | net-exec-file:dist/index.min.js | AI (source-diff): dist/index.min.js is a legitimate aegir-built browser bundle for the IPFS gRPC client. Network calls and dynamic patterns are expected in this gRPC/WebSocket client bundle. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is due to addition of a browser dist bundle (dist/index.min.js) produced by aegir build — a standard artifact for IPFS JS packages. | ai | |
| source-diff | net-exec-file:index.min.js | AI (source-diff): index.min.js is a legitimate UMD browser bundle of the ipfs-grpc-client library. Network calls are gRPC/WebSocket client operations; no dropper/loader behavior present. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New files are browser bundle artifacts (UMD/minified distribution) consistent with this IPFS client library adding browser support. Not injected or malicious code. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Tiny payload with no deps/description is consistent with a legitimate IPFS ecosystem namespace placeholder by a highly trusted publisher. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): 0.0.0 is a namespace reservation stub by trusted publisher achingbrain; not a malicious throwaway package. | ai |
Versions (showing 41 of 41)
| Version | Deps | Published |
|---|---|---|
| 0.13.1 | 18 / 4 | |
| 0.13.0 | 18 / 4 | |
| 0.12.0 | 18 / 4 | |
| 0.11.1 | 18 / 4 | |
| 0.11.0 | 18 / 4 | |
| 0.10.2 | 18 / 3 | |
| 0.10.1 | 17 / 3 | |
| 0.10.0 | 17 / 3 | |
| 0.9.4 | 16 / 4 | |
| 0.9.3 | 16 / 4 | |
| 0.9.2 | 16 / 4 | |
| 0.9.1 | 16 / 4 | |
| 0.9.0 | 16 / 4 | |
| 0.8.2 | 16 / 4 | |
| 0.8.1 | 16 / 4 | |
| 0.8.0 | 16 / 4 | |
| 0.7.1 | 16 / 4 | |
| 0.7.0 | 16 / 4 | |
| 0.6.5 | 16 / 4 | |
| 0.6.4 | 16 / 4 | |
| 0.6.3 | 16 / 4 | |
| 0.6.2 | 16 / 4 | |
| 0.6.1 | 16 / 4 | |
| 0.6.0 | 16 / 4 | |
| 0.5.0 | 15 / 4 | |
| 0.4.1 | 15 / 4 | |
| 0.4.0 | 15 / 4 | |
| 0.3.3 | 15 / 4 | |
| 0.3.2 | 15 / 4 | |
| 0.3.1 | 15 / 4 | |
| 0.3.0 | 15 / 4 | |
| 0.2.5 | 13 / 4 | |
| 0.2.4 | 13 / 4 | |
| 0.2.3 | 13 / 4 | |
| 0.2.2 | 13 / 4 | |
| 0.2.1 | 13 / 4 | |
| 0.2.0 | 13 / 4 | |
| 0.1.2 | 13 / 5 | |
| 0.1.1 | 13 / 5 | |
| 0.1.0 | 13 / 5 | |
| 0.0.0 | 0 / 0 |
v0.13.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-01-12. This could indicate a legitimate maintainer transition or an account compromise.
v0.12.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-09-21. This could indicate a legitimate maintainer transition or an account compromise.
v0.11.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-09-07. This could indicate a legitimate maintainer transition or an account compromise.
v0.10.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.4
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: achingbrain.
v0.9.3
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: achingbrain.
v0.9.2
3 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ipfs-npm-publisher-bot.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-02-07. This could indicate a legitimate maintainer transition or an account compromise.
v0.9.1
3 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ipfs-npm-publisher-bot.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-01-27. This could indicate a legitimate maintainer transition or an account compromise.
v0.9.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.4
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.2
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.1
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.