multihashes
multihash implementation
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/src/constants.d.ts | AI (source-diff): Generated TypeScript declaration file with long union type lines enumerating hash names — not obfuscation. Expected artifact from aegir build for a multihash constants package. | ai | |
| source-diff | obfuscated-file:dist/src/index.d.ts | AI (source-diff): Generated TypeScript declaration file with long union type lines enumerating hash codes — not obfuscation. Expected artifact from aegir build for a multihash constants package. | ai | |
| provenance | publisher-changed | AI (provenance): achingbrain (Alex Potsides) is a known IPFS/multiformats contributor already listed in package.json contributors; this is a legitimate org-level maintainer transition, not a compromise. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): achingbrain has 751 approved / 0 rejected packages and is a recognized multiformats org member; addition is a legitimate handoff. | ai | |
Versions (showing 44 of 44)
| Version | Deps | Published |
|---|---|---|
| 4.0.3 | 3 / 3 | |
| 4.0.2 | 3 / 2 | |
| 4.0.1 | 3 / 2 | |
| 4.0.0 | 3 / 2 | |
| 3.1.2 | 3 / 2 | |
| 3.1.1 | 3 / 2 | |
| 3.1.0 | 3 / 2 | |
| 3.0.1 | 3 / 2 | |
| 3.0.0 | 3 / 2 | |
| 2.0.0 | 4 / 4 | |
| 1.0.1 | 3 / 4 | |
| 1.0.0 | 3 / 4 | |
| 0.4.21 | 3 / 4 | |
| 0.4.20 | 3 / 4 | |
| 0.4.19 | 3 / 4 | |
| 0.4.18 | 3 / 4 | |
| 0.4.17 | 3 / 4 | |
| 0.4.16 | 4 / 5 | |
| 0.4.15 | 2 / 5 | |
| 0.4.14 | 2 / 5 | |
| 0.4.13 | 2 / 5 | |
| 0.4.12 | 2 / 5 | |
| 0.4.11 | 2 / 5 | |
| 0.4.10 | 2 / 5 | |
| 0.4.9 | 2 / 5 | |
| 0.4.8 | 2 / 5 | |
| 0.4.7 | 2 / 5 | |
| 0.4.5 | 2 / 5 | |
| 0.4.4 | 2 / 4 | |
| 0.4.3 | 2 / 4 | |
| 0.4.2 | 2 / 4 | |
| 0.4.1 | 2 / 4 | |
| 0.4.0 | 1 / 4 | |
| 0.3.3 | 1 / 4 | |
| 0.3.2 | 1 / 4 | |
| 0.3.1 | 1 / 4 | |
| 0.3.0 | 1 / 4 | |
| 0.2.2 | 1 / 4 | |
| 0.2.1 | 2 / 7 | |
| 0.2.0 | 2 / 6 | |
| 0.1.3 | 2 / 1 | |
| 0.1.2 | 2 / 1 | |
| 0.1.1 | 1 / 1 | |
| 0.1.0 | 1 / 1 | |
v4.0.3
2 findings
This version was published by a different npm account than previous versions on 2021-08-24. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.2
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-01-26. This could indicate a legitimate maintainer transition or an account compromise.
v3.1.1
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-01-13. This could indicate a legitimate maintainer transition or an account compromise.
v3.1.0
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-11-24. This could indicate a legitimate maintainer transition or an account compromise.
v3.0.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-08-03. This could indicate a legitimate maintainer transition or an account compromise.