@algorandfoundation/algokit-utils
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@algorandfoundation/tealscript | AI (phantom-deps): Same-org runtime dependency; declared in package.json but used indirectly — stable false positive for this package. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding is a core, documented operation for Algorand address handling in this SDK utility library. All instances reflect legitimate protocol-level address encoding/decoding via algosdk, not payload obfuscation. | ai | |
| provenance | no-provenance | AI (provenance): Established Algorand Foundation package with 1144 days history and 331 versions. Lack of Sigstore provenance is common and not a meaningful risk signal here. | ai |
v9.2.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.1.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.