@across-protocol/sdk
Across is a system that quickly moves tokens across chains. This repository contains shareable code and libraries for Across.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | large-new-source-files | AI (source-diff): New files are typechain-generated ABI bindings (Tron_SpokePool); consistent with SDK's pattern of adding chain support. | ai | |
| dependencies | unvetted-dep:@uma/sdk | AI (dependencies): Long-standing dependency of this protocol SDK; stable across many versions. | ai | |
| dependencies | unvetted-dep:@eth-optimism/sdk | AI (dependencies): Official Optimism SDK; expected dependency for a cross-chain bridge protocol. | ai | |
| dependencies | unvetted-dep:@pinata/sdk | AI (dependencies): IPFS pinning SDK; expected utility dependency for a DeFi protocol. | ai | |
| dependencies | unvetted-dep:@across-protocol/across-token | AI (dependencies): First-party dependency from the same org; expected in this SDK. | ai | |
| source-diff | encoded-string-file:dist/esm/utils/Multicall.js | AI (source-diff): Same Multicall3 deployment calldata in compiled ESM output; not a malicious payload. | ai | |
| source-diff | encoded-string-file:src/utils/Multicall.ts | AI (source-diff): Canonical Multicall3 pre-signed deployment transaction hex; well-documented and stable across versions. | ai | |
| source-diff | encoded-string-file:dist/cjs/utils/Multicall.js | AI (source-diff): Same Multicall3 deployment calldata in compiled CJS output; not a malicious payload. | ai | |
| phantom-deps | phantom-dep:@solana-program/token-2022 | AI (phantom-deps): Token-2022 referenced in config for SVM support; stable false positive. | ai | |
| phantom-deps | phantom-dep:@solana/web3.js | AI (phantom-deps): Referenced in config files only; stable false positive for this blockchain SDK. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Build script for bigint-buffer native binding; consistent with blockchain SDK use across all versions. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used only in build-bigint-buffer.js for native compilation; not a runtime concern. | ai | |
| phantom-deps | phantom-dep:node-gyp | AI (phantom-deps): node-gyp is a known implicit dependency for native builds; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:big-number | AI (phantom-deps): Referenced in config files only; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/mocha | AI (phantom-deps): Framework-scoped type package; stable false positive. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): 492 versions published; CI/CD with SLSA provenance; dormancy flag likely a heuristic artifact for this active package. | ai | |
| phantom-deps | phantom-dep:@uma/contracts-node | AI (phantom-deps): Legitimate dependency for UMA protocol contracts; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:winston-transport | AI (phantom-deps): Listed as runtime dep in package.json; phantom-dep heuristic false positive. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding of Solana simulation return data; standard SVM interaction pattern. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decoding of blockchain relay data hashes; standard pattern for this SDK. | ai | |
Versions (showing 14 of 14)
| Version | Deps | Published |
|---|---|---|
| 4.3.156 | 24 / 34 | |
| 4.3.155 | 24 / 34 | |
| 4.3.151 | 24 / 34 | |
| 4.3.150 | 24 / 34 | |
| 4.3.37 | 26 / 51 | |
| 4.3.33 | 26 / 51 | |
| 4.3.32 | 26 / 51 | |
| 4.3.20 | 26 / 51 | |
| 4.3.8 | 26 / 50 | |
| 4.3.6 | 26 / 50 | |
| 4.2.5 | 26 / 50 | |
| 4.1.57 | 24 / 50 | |
| 4.1.55 | 24 / 50 | |
| 4.1.48 | 24 / 50 | |
v4.3.156
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.3.155
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.3.151
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.3.150
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.3.37
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.33
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.32
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.20
2 findings:
Script: node scripts/build-bigint-buffer.js
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.8
2 findings:
Script: node scripts/build-bigint-buffer.js
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.6
2 findings:
Script: node scripts/build-bigint-buffer.js
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.2.5
2 findings:
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.57
4 findings:
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.55
4 findings:
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.48
2 findings:
Script: node scripts/build-bigint-buffer.js
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.