@bananapus/router-terminal-v6
`@bananapus/router-terminal-v6` is a routing terminal for Juicebox V6. It accepts value in many input tokens, discovers what token the destination project actually accepts, and forwards the payment through the best route it can resolve from the configured
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@bananapus/address-registry-v6 | AI (phantom-deps): Solidity dependency resolved by Foundry, not Node imports; phantom-dep false positive for this package. | ai | |
| phantom-deps | phantom-dep:@bananapus/univ4-router-v6 | AI (phantom-deps): Same-org Solidity dep used via remappings, not JS imports; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:@uniswap/permit2 | AI (dependencies): Uniswap permit2 is referenced via GitHub URL as is standard practice in Solidity/Foundry projects; this is a compile-time dependency for Solidity contracts, not a runtime JS dependency. | ai | |
| phantom-deps | phantom-dep:@uniswap/permit2 | AI (phantom-deps): Foundry Solidity project; deps are referenced via remappings in config, not JS imports. Not a phantom dep in the malicious sense. | ai | |
| phantom-deps | phantom-dep:@uniswap/v3-core | AI (phantom-deps): Foundry Solidity project; deps are referenced via remappings in config, not JS imports. | ai | |
| phantom-deps | phantom-dep:@uniswap/v4-core | AI (phantom-deps): Foundry Solidity project; deps are referenced via remappings in config, not JS imports. | ai | |
| phantom-deps | phantom-dep:@uniswap/v3-periphery | AI (phantom-deps): Foundry Solidity project; deps are referenced via remappings in config, not JS imports. | ai | |
| npm-metadata | url-dep:@uniswap/permit2 | AI (npm-metadata): Solidity contract package; GitHub-pinned Uniswap deps are standard Foundry ecosystem practice as these packages lack npm-published Solidity builds. | ai | |
| phantom-deps | phantom-dep:@bananapus/core-v6 | AI (phantom-deps): Same-org Solidity dependency referenced via Foundry remappings; not a phantom dep concern. | ai | |
| phantom-deps | phantom-dep:@bananapus/buyback-hook-v6 | AI (phantom-deps): Same-org Solidity dependency referenced via Foundry remappings; not a phantom dep concern. | ai | |
| phantom-deps | phantom-dep:@bananapus/permission-ids-v6 | AI (phantom-deps): Same-org Solidity dependency referenced via Foundry remappings; not a phantom dep concern. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation is absent but this is common (~88% of npm packages lack it); no other risk signals present. | ai | |
| phantom-deps | phantom-dep:@openzeppelin/contracts | AI (phantom-deps): Foundry Solidity project; OpenZeppelin contracts referenced via remappings, not JS imports. | ai | |
| npm-metadata | url-dep:@uniswap/v3-core | AI (npm-metadata): Solidity contract package; GitHub-pinned Uniswap deps are standard Foundry ecosystem practice. | ai | |
| npm-metadata | url-dep:@uniswap/v3-periphery | AI (npm-metadata): Solidity contract package; GitHub-pinned Uniswap deps are standard Foundry ecosystem practice. | ai | |
Versions (showing 24 of 24)
| Version | Deps | Published |
|---|---|---|
| 0.0.49 | 9 / 1 | |
| 0.0.48 | 9 / 1 | |
| 0.0.47 | 9 / 1 | |
| 0.0.46 | 9 / 1 | |
| 0.0.45 | 9 / 1 | |
| 0.0.44 | 9 / 1 | |
| 0.0.43 | 9 / 1 | |
| 0.0.42 | 9 / 1 | |
| 0.0.41 | 9 / 1 | |
| 0.0.40 | 9 / 1 | |
| 0.0.39 | 9 / 1 | |
| 0.0.33 | 8 / 1 | |
| 0.0.32 | 8 / 1 | |
| 0.0.30 | 8 / 1 | |
| 0.0.29 | 8 / 1 | |
| 0.0.28 | 8 / 1 | |
| 0.0.27 | 8 / 1 | |
| 0.0.26 | 8 / 1 | |
| 0.0.25 | 8 / 1 | |
| 0.0.24 | 8 / 1 | |
| 0.0.21 | 8 / 1 | |
| 0.0.20 | 8 / 1 | |
| 0.0.18 | 7 / 1 | |
| 0.0.9 | 6 / 1 | |
v0.0.49
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.48
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.47
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.46
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.45
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.44
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.43
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.42
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.41
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.40
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.39
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.33
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.32
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.30
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.29
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.28
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.27
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.26
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.25
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.24
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.21
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.20
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.18
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.