
@0glabs/0g-serving-broker

3 Versions
License
No Install Scripts
Missing Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance
npm registry signatures
gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

0g-peterzhang
0g-jiahao

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
publish-pattern | new-deps-added | AI (publish-pattern): New dep is the renamed successor package from the same org; shim re-export pattern, not a supply-chain injection. | ai |
source-diff | source-size-dropped | AI (source-diff): Intentional deprecation shim; size drop is documented and expected for this package. | ai |
semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require resolves a fixed path under the renamed SDK package; not arbitrary module loading. | ai |
semgrep | semgrep:base64-decode | AI (semgrep): Decodes API config response when user passes --decode flag; legitimate CLI feature. | ai |
semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Fires in bundled Next.js web-UI static chunk; likely a default/example IP in UI code. | ai |
semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get in minified Next.js bundle is standard webpack/framework output. | ai |
phantom-deps | phantom-dep:util | AI (phantom-deps): Listed as browser polyfill override; heuristic false positive for this package. | ai |
phantom-deps | phantom-dep:brotli | AI (phantom-deps): Browser polyfill dependency; phantom-dep heuristic false positive. | ai |
phantom-deps | phantom-dep:buffer | AI (phantom-deps): Browser polyfill dependency; phantom-dep heuristic false positive. | ai |
semgrep | semgrep:env-spread | AI (semgrep): Fires in test file saving/restoring process.env — standard test setup pattern. | ai |
phantom-deps | phantom-dep:crypto-js | AI (phantom-deps): Peer dep and runtime dep; phantom-dep heuristic false positive. | ai |
phantom-deps | phantom-dep:circomlibjs | AI (phantom-deps): ZK library used in SDK; phantom-dep heuristic false positive. | ai |
phantom-deps | phantom-dep:stream-browserify | AI (phantom-deps): Browser polyfill; phantom-dep heuristic false positive. | ai |
phantom-deps | phantom-dep:@ethersproject/bytes | AI (phantom-deps): Ethers polyfill dep; phantom-dep heuristic false positive. | ai |
phantom-deps | phantom-dep:@ethersproject/keccak256 | AI (phantom-deps): Ethers polyfill dep; phantom-dep heuristic false positive. | ai |
phantom-deps | phantom-dep:dotenv | AI (phantom-deps): Used in CLI env loading; phantom-dep heuristic false positive. | ai |
semgrep | semgrep:child-process-import | AI (semgrep): Used in CLI integration tests to invoke the CLI binary; not in runtime code. | ai |
semgrep | semgrep:hex-decode | AI (semgrep): Hex decode is part of standard ethers keccak256 signing flow, not payload hiding. | ai |

Versions (showing 3 of 3)

Version | Deps | Published
0.7.8 | 1 / 0 |
0.7.7 | 1 / 0 |
0.7.5 | 21 / 33 |

v0.7.8

1 finding
LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.7

1 finding
LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.5

4 findings
HIGH  env-spread: cli.commonjs/cli/__tests__/cli.integration.test.js:16  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/0glabs/0g-serving-user-broker/blob/c82c198b8ec4b33f67a6e6bfd4ca5488a7373f75/cli.commonjs/cli/__tests__/cli.integration.test.js#L16

      14 | (0, mocha_1.beforeEach)(() => {
      15 |     // Save original environment
    > 16 |     originalEnv = { ...process.env };
      17 |     // Create temp directory for test files
      18 |     tempDir = fs.mkdtempSync(path.join(os.tmpdir(), '0g-cli-test-'));

HIGH  env-spread: cli.commonjs/cli/__tests__/cli.integration.test.js:64  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/0glabs/0g-serving-user-broker/blob/c82c198b8ec4b33f67a6e6bfd4ca5488a7373f75/cli.commonjs/cli/__tests__/cli.integration.test.js#L64

      62 | // Kill immediately to avoid interactive mode
      63 | const child = (0, child_process_1.spawn)('node', [cliPath, 'login'], {
    > 64 |     env: { ...process.env },
      65 |     cwd: process.cwd(),
      66 | });

HIGH  env-spread: cli.commonjs/cli/web-ui-embedded.js:249  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/0glabs/0g-serving-user-broker/blob/c82c198b8ec4b33f67a6e6bfd4ca5488a7373f75/cli.commonjs/cli/web-ui-embedded.js#L249

      247 |     cwd: standalonePath,
      248 |     stdio: 'inherit',
    > 249 |     env: {
      250 |         ...process.env,
      251 |         PORT: port.toString(),

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.