@bananapus/suckers-v6
`@bananapus/suckers-v6` provides cross-chain bridging for Juicebox project tokens and the terminal assets that back them. A pair of suckers lets users burn project tokens on one chain, move the backing value across a bridge, and mint the same project token representation on another chain.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source: the registry signature only proves that npm served the bytes it received, not that those bytes were built from a specific commit by a specific workflow. The axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | url-dep:@uniswap/v3-core | AI (npm-metadata): Foundry/Solidity project; v3-core is a config-only dep (remappings), not a JS runtime dep. SHA pin is stable practice for this ecosystem. | ai | |
| npm-metadata | url-dep:@uniswap/v3-periphery | AI (npm-metadata): Same as v3-core — config-only Solidity remapping dep, not a JS runtime dependency. | ai | |
| npm-metadata | url-dep:@arbitrum/nitro-contracts | AI (npm-metadata): Solidity/Foundry package; GitHub URL deps for Arbitrum contracts are standard practice in this ecosystem and used only for build-time remappings, not runtime JS execution. | ai | |
| npm-metadata | url-dep:@chainlink/local | AI (npm-metadata): chainlink-local is Chainlink's official local testing library from the smartcontractkit org; GitHub dependency is standard practice in Solidity dev tooling as it's not published to npm. | ai | |
| phantom-deps | phantom-dep:@uniswap/v4-core | AI (phantom-deps): Solidity package; @uniswap/v4-core is a Foundry remapping dependency. Expected pattern for Solidity packages. | ai | |
| phantom-deps | phantom-dep:@bananapus/core-v6 | AI (phantom-deps): Same-org Solidity dependency used via Foundry remappings. Expected pattern for Bananapus Solidity packages. | ai | |
| phantom-deps | phantom-dep:@uniswap/v3-periphery | AI (phantom-deps): Solidity package; @uniswap/v3-periphery is a Foundry remapping dependency. Expected pattern for Solidity packages. | ai | |
| phantom-deps | phantom-dep:solady | AI (phantom-deps): Solidity package; solady is a Foundry remapping dependency, not a JS import. Phantom dep pattern is expected for all Solidity packages in this org. | ai | |
| phantom-deps | phantom-dep:@arbitrum/nitro-contracts | AI (phantom-deps): Solidity package; @arbitrum/nitro-contracts is a Foundry remapping dependency. Expected pattern for Solidity packages. | ai | |
| phantom-deps | phantom-dep:@chainlink/contracts-ccip | AI (phantom-deps): Solidity package; @chainlink/contracts-ccip is a Foundry remapping dependency. Expected pattern for Solidity packages. | ai | |
| phantom-deps | phantom-dep:@bananapus/permission-ids-v6 | AI (phantom-deps): Same-org Solidity dependency used via Foundry remappings. Expected pattern for Bananapus Solidity packages. | ai | |
| phantom-deps | phantom-dep:@openzeppelin/contracts | AI (phantom-deps): Solidity package; OpenZeppelin is a Foundry remapping dependency. Expected pattern for Solidity packages. | ai | |
| phantom-deps | phantom-dep:@prb/math | AI (phantom-deps): Solidity package; @prb/math is a Foundry remapping dependency, not a JS import. Expected pattern for Solidity packages. | ai | |
| phantom-deps | phantom-dep:@chainlink/local | AI (phantom-deps): Solidity package; @chainlink/local is a Foundry remapping/test dependency. Expected pattern for Solidity packages. | ai | |
| phantom-deps | phantom-dep:@uniswap/v3-core | AI (phantom-deps): Solidity package; @uniswap/v3-core is a Foundry remapping dependency. Expected pattern for Solidity packages. | ai | |
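As an added example (not the scanner's own code and not part of the Bananapus project), the following Node.js script reproduces the three kinds of finding this page reports, the missing provenance noted above and the `url-dep` and `phantom-dep` rules accepted in the table, from a package's registry metadata. The packument fragment and the `remappings.txt` it reads are constructed for the example; the two Uniswap commit-pinned specifiers are the ones quoted in the v0.0.58 findings, the `@example/...` packages are hypothetical, and reading "phantom dep" as a Foundry remapping target that is not declared in package.json is an assumption about the rule.

```javascript
// Added example, not the scanner's or the Bananapus project's code: derive the
// three kinds of finding on this page from npm registry metadata.
//   url-dep        a specifier that resolves outside the registry
//   phantom-dep    a package pulled in through a Foundry remapping but not
//                  declared in package.json (assumed reading of the page's rule)
//   no-provenance  no Sigstore attestation on the published version
// The packument and remappings.txt below are constructed for the example; the
// two Uniswap specifiers are the ones quoted in the v0.0.58 findings.

// Full 40-hex commit SHA at the end of a git specifier.
const GIT_SHA_PIN = /#([0-9a-f]{40})$/i;
// Hosted-git shorthands and git/GitHub URLs that npm fetches without the registry.
const GIT_PREFIX = /^(github:|gitlab:|bitbucket:|gist:|git(\+[a-z]+)?:|ssh:|https?:\/\/(www\.)?github\.com\/)/i;
// Bare "owner/repo[#ref]" is GitHub shorthand as well.
const GITHUB_SHORT = /^[\w.-]+\/[\w.-]+(#.*)?$/;

function classifySpec(spec) {
  if (/^(file|link|workspace):/.test(spec)) return { kind: 'local', sha: null, mutable: true };
  if (/^https?:\/\/.+\.(tgz|tar\.gz)$/i.test(spec)) return { kind: 'tarball-url', sha: null, mutable: true };
  if (GIT_PREFIX.test(spec) || GITHUB_SHORT.test(spec)) {
    const m = spec.match(GIT_SHA_PIN);
    // A branch, tag or "#semver:" range can move; a full commit SHA cannot.
    return { kind: 'git', sha: m ? m[1].toLowerCase() : null, mutable: !m };
  }
  // Ranges, exact versions, dist-tags and npm: aliases all resolve through the registry.
  return { kind: 'registry', sha: null, mutable: false };
}

// Foundry remapping "alias/=node_modules/<pkg>/" names the npm package <pkg>;
// targets under lib/ are git submodules, outside npm metadata, so they are skipped.
function remappedNpmPackages(remappingsTxt) {
  const pkgs = new Set();
  for (const raw of remappingsTxt.split('\n')) {
    const m = raw.trim().match(/=node_modules\/((?:@[^/]+\/)?[^/]+)\//);
    if (m) pkgs.add(m[1]);
  }
  return pkgs;
}

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

function auditVersion(packument, version, remappingsTxt) {
  const manifest = packument.versions[version];
  if (!manifest) throw new Error(`${packument.name}@${version} is not in the packument`);
  const findings = [];
  const declared = new Set();

  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      declared.add(name);
      const c = classifySpec(spec);
      if (c.kind === 'registry') continue;
      findings.push({
        rule: `url-dep:${name}`, field, spec, pinned: !c.mutable,
        note: c.kind === 'git' && !c.mutable
          ? 'pinned to a full commit SHA: immutable content, but no registry integrity hash, provenance or advisory matching'
          : 'mutable reference: the specifier can resolve to different content over time',
      });
    }
  }

  for (const pkg of remappedNpmPackages(remappingsTxt)) {
    if (!declared.has(pkg)) {
      findings.push({ rule: `phantom-dep:${pkg}`, note: 'remapped from node_modules but not declared in any dependency field' });
    }
  }

  // npm exposes Sigstore provenance under dist.attestations on the version manifest.
  const att = manifest.dist && manifest.dist.attestations;
  if (!att || !att.provenance) {
    findings.push({ rule: 'no-provenance', note: 'no attestation: nothing links this tarball to a source commit or build' });
  }
  return findings;
}

// Constructed packument fragment shaped like the registry's response for
// /@bananapus/suckers-v6; only the fields the checks read are present.
const SAMPLE_PACKUMENT = {
  name: '@bananapus/suckers-v6',
  versions: {
    '0.0.58': {
      dependencies: {
        '@uniswap/v3-core': 'github:Uniswap/v3-core#6562c52e8f75f0c10f9deaf44861847585fc8129',
        '@uniswap/v3-periphery': 'github:Uniswap/v3-periphery#b325bb0905d922ae61fcc7df85ee802e8df5e96c',
        '@example/helper-lib': 'github:example-org/helper-lib#main', // constructed: a branch ref that can move
        '@example/registry-dep': '^1.2.0',                           // constructed: ordinary registry range
      },
      dist: { tarball: 'https://registry.npmjs.org/@bananapus/suckers-v6/-/suckers-v6-0.0.58.tgz' },
    },
  },
};

// Constructed remappings.txt: v3-core is declared above, OpenZeppelin is not,
// and forge-std comes from a git submodule under lib/.
const SAMPLE_REMAPPINGS = [
  '@uniswap/v3-core/=node_modules/@uniswap/v3-core/',
  '@openzeppelin/contracts/=node_modules/@openzeppelin/contracts/',
  'forge-std/=lib/forge-std/src/',
].join('\n');

for (const f of auditVersion(SAMPLE_PACKUMENT, '0.0.58', SAMPLE_REMAPPINGS)) {
  console.log(`${f.rule}${f.field ? ` (${f.field})` : ''}: ${f.note}`);
}
```

Run it with `node`; it prints one line per finding. The point the script makes that the finding text does not is the distinction between a commit-SHA pin, whose content is immutable but still sits outside registry integrity, provenance and advisory coverage, and a branch or tag reference, which can change silently; that is the distinction the accepted-risk reasons above rely on.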
Versions (showing 51 of 74)
| Version | Deps | Published |
|---|---|---|
| 0.0.75 | 8 / 4 | |
| 0.0.74 | 8 / 4 | |
| 0.0.73 | 8 / 4 | |
| 0.0.72 | 11 / 1 | |
| 0.0.71 | 11 / 1 | |
| 0.0.70 | 11 / 1 | |
| 0.0.69 | 11 / 1 | |
| 0.0.68 | 11 / 1 | |
| 0.0.67 | 11 / 1 | |
| 0.0.66 | 11 / 1 | |
| 0.0.65 | 11 / 1 | |
| 0.0.64 | 11 / 1 | |
| 0.0.63 | 11 / 1 | |
| 0.0.62 | 11 / 1 | |
| 0.0.61 | 11 / 1 | |
| 0.0.60 | 11 / 1 | |
| 0.0.59 | 11 / 1 | |
| 0.0.58 | 11 / 1 | |
| 0.0.57 | 11 / 1 | |
| 0.0.56 | 11 / 1 | |
| 0.0.55 | 11 / 1 | |
| 0.0.54 | 11 / 1 | |
| 0.0.53 | 11 / 1 | |
| 0.0.52 | 11 / 1 | |
| 0.0.51 | 11 / 1 | |
| 0.0.50 | 11 / 1 | |
| 0.0.49 | 11 / 1 | |
| 0.0.48 | 11 / 1 | |
| 0.0.47 | 11 / 1 | |
| 0.0.46 | 11 / 1 | |
| 0.0.44 | 11 / 1 | |
| 0.0.43 | 11 / 1 | |
| 0.0.42 | 11 / 1 | |
| 0.0.41 | 11 / 1 | |
| 0.0.40 | 11 / 1 | |
| 0.0.39 | 11 / 1 | |
| 0.0.38 | 11 / 1 | |
| 0.0.37 | 11 / 1 | |
| 0.0.36 | 11 / 1 | |
| 0.0.35 | 11 / 1 | |
| 0.0.34 | 11 / 1 | |
| 0.0.33 | 11 / 1 | |
| 0.0.32 | 11 / 1 | |
| 0.0.31 | 11 / 1 | |
| 0.0.30 | 11 / 1 | |
| 0.0.29 | 11 / 1 | |
| 0.0.28 | 11 / 1 | |
| 0.0.27 | 11 / 1 | |
| 0.0.26 | 11 / 1 | |
| 0.0.25 | 11 / 1 | |
| 0.0.24 | 11 / 1 | |
v0.0.75
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.74
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.73
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.72
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.71
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.70
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.69
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.68
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.67
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.66
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.65
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.64
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.63
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.62
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.61
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.60
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.59
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.58
3 findings: Dependency '@uniswap/v3-core' in `dependencies` points to 'github:Uniswap/v3-core#6562c52e8f75f0c10f9deaf44861847585fc8129' instead of a registry version. URL dependencies bypass the registry, so no registry integrity hash, provenance or advisory matching applies; a branch or tag reference can be swapped at any time, and a full commit SHA (as here) pins the content but not the trust. A 40-character commit SHA in a dependency URL is also a strong supply-chain signal to review: the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Dependency '@uniswap/v3-periphery' in `dependencies` points to 'github:Uniswap/v3-periphery#b325bb0905d922ae61fcc7df85ee802e8df5e96c' instead of a registry version. The same caveats apply: no registry integrity hash, provenance or advisory matching, and the commit-SHA shape should be reviewed for the reason given above.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.57
3 findings: Dependency '@uniswap/v3-core' in `dependencies` points to 'github:Uniswap/v3-core#6562c52e8f75f0c10f9deaf44861847585fc8129' instead of a registry version. URL dependencies bypass the registry, so no registry integrity hash, provenance or advisory matching applies; a branch or tag reference can be swapped at any time, and a full commit SHA (as here) pins the content but not the trust. A 40-character commit SHA in a dependency URL is also a strong supply-chain signal to review: the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Dependency '@uniswap/v3-periphery' in `dependencies` points to 'github:Uniswap/v3-periphery#b325bb0905d922ae61fcc7df85ee802e8df5e96c' instead of a registry version. The same caveats apply: no registry integrity hash, provenance or advisory matching, and the commit-SHA shape should be reviewed for the reason given above.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.56
3 findings: Dependency '@uniswap/v3-core' in `dependencies` points to 'github:Uniswap/v3-core#6562c52e8f75f0c10f9deaf44861847585fc8129' instead of a registry version. URL dependencies bypass the registry, so no registry integrity hash, provenance or advisory matching applies; a branch or tag reference can be swapped at any time, and a full commit SHA (as here) pins the content but not the trust. A 40-character commit SHA in a dependency URL is also a strong supply-chain signal to review: the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Dependency '@uniswap/v3-periphery' in `dependencies` points to 'github:Uniswap/v3-periphery#b325bb0905d922ae61fcc7df85ee802e8df5e96c' instead of a registry version. The same caveats apply: no registry integrity hash, provenance or advisory matching, and the commit-SHA shape should be reviewed for the reason given above.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.55
3 findings: Dependency '@uniswap/v3-core' in `dependencies` points to 'github:Uniswap/v3-core#6562c52e8f75f0c10f9deaf44861847585fc8129' instead of a registry version. URL dependencies bypass the registry, so no registry integrity hash, provenance or advisory matching applies; a branch or tag reference can be swapped at any time, and a full commit SHA (as here) pins the content but not the trust. A 40-character commit SHA in a dependency URL is also a strong supply-chain signal to review: the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Dependency '@uniswap/v3-periphery' in `dependencies` points to 'github:Uniswap/v3-periphery#b325bb0905d922ae61fcc7df85ee802e8df5e96c' instead of a registry version. The same caveats apply: no registry integrity hash, provenance or advisory matching, and the commit-SHA shape should be reviewed for the reason given above.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.54
3 findings: Dependency '@uniswap/v3-core' in `dependencies` points to 'github:Uniswap/v3-core#6562c52e8f75f0c10f9deaf44861847585fc8129' instead of a registry version. URL dependencies bypass the registry, so no registry integrity hash, provenance or advisory matching applies; a branch or tag reference can be swapped at any time, and a full commit SHA (as here) pins the content but not the trust. A 40-character commit SHA in a dependency URL is also a strong supply-chain signal to review: the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Dependency '@uniswap/v3-periphery' in `dependencies` points to 'github:Uniswap/v3-periphery#b325bb0905d922ae61fcc7df85ee802e8df5e96c' instead of a registry version. The same caveats apply: no registry integrity hash, provenance or advisory matching, and the commit-SHA shape should be reviewed for the reason given above.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.53
3 findings: Dependency '@uniswap/v3-core' in `dependencies` points to 'github:Uniswap/v3-core#6562c52e8f75f0c10f9deaf44861847585fc8129' instead of a registry version. URL dependencies bypass the registry, so no registry integrity hash, provenance or advisory matching applies; a branch or tag reference can be swapped at any time, and a full commit SHA (as here) pins the content but not the trust. A 40-character commit SHA in a dependency URL is also a strong supply-chain signal to review: the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Dependency '@uniswap/v3-periphery' in `dependencies` points to 'github:Uniswap/v3-periphery#b325bb0905d922ae61fcc7df85ee802e8df5e96c' instead of a registry version. The same caveats apply: no registry integrity hash, provenance or advisory matching, and the commit-SHA shape should be reviewed for the reason given above.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.52
3 findings: Dependency '@uniswap/v3-core' in `dependencies` points to 'github:Uniswap/v3-core#6562c52e8f75f0c10f9deaf44861847585fc8129' instead of a registry version. URL dependencies bypass the registry, so no registry integrity hash, provenance or advisory matching applies; a branch or tag reference can be swapped at any time, and a full commit SHA (as here) pins the content but not the trust. A 40-character commit SHA in a dependency URL is also a strong supply-chain signal to review: the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Dependency '@uniswap/v3-periphery' in `dependencies` points to 'github:Uniswap/v3-periphery#b325bb0905d922ae61fcc7df85ee802e8df5e96c' instead of a registry version. The same caveats apply: no registry integrity hash, provenance or advisory matching, and the commit-SHA shape should be reviewed for the reason given above.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.51
3 findings: Dependency '@uniswap/v3-core' in `dependencies` points to 'github:Uniswap/v3-core#6562c52e8f75f0c10f9deaf44861847585fc8129' instead of a registry version. URL dependencies bypass the registry, so no registry integrity hash, provenance or advisory matching applies; a branch or tag reference can be swapped at any time, and a full commit SHA (as here) pins the content but not the trust. A 40-character commit SHA in a dependency URL is also a strong supply-chain signal to review: the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Dependency '@uniswap/v3-periphery' in `dependencies` points to 'github:Uniswap/v3-periphery#b325bb0905d922ae61fcc7df85ee802e8df5e96c' instead of a registry version. The same caveats apply: no registry integrity hash, provenance or advisory matching, and the commit-SHA shape should be reviewed for the reason given above.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.50
3 findings: Dependency '@uniswap/v3-core' in `dependencies` points to 'github:Uniswap/v3-core#6562c52e8f75f0c10f9deaf44861847585fc8129' instead of a registry version. URL dependencies bypass the registry, so no registry integrity hash, provenance or advisory matching applies; a branch or tag reference can be swapped at any time, and a full commit SHA (as here) pins the content but not the trust. A 40-character commit SHA in a dependency URL is also a strong supply-chain signal to review: the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Dependency '@uniswap/v3-periphery' in `dependencies` points to 'github:Uniswap/v3-periphery#b325bb0905d922ae61fcc7df85ee802e8df5e96c' instead of a registry version. The same caveats apply: no registry integrity hash, provenance or advisory matching, and the commit-SHA shape should be reviewed for the reason given above.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.49
3 findings: Dependency '@uniswap/v3-core' in `dependencies` points to 'github:Uniswap/v3-core#6562c52e8f75f0c10f9deaf44861847585fc8129' instead of a registry version. URL dependencies bypass the registry, so no registry integrity hash, provenance or advisory matching applies; a branch or tag reference can be swapped at any time, and a full commit SHA (as here) pins the content but not the trust. A 40-character commit SHA in a dependency URL is also a strong supply-chain signal to review: the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Dependency '@uniswap/v3-periphery' in `dependencies` points to 'github:Uniswap/v3-periphery#b325bb0905d922ae61fcc7df85ee802e8df5e96c' instead of a registry version. The same caveats apply: no registry integrity hash, provenance or advisory matching, and the commit-SHA shape should be reviewed for the reason given above.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.48
3 findings: Dependency '@uniswap/v3-core' in `dependencies` points to 'github:Uniswap/v3-core#6562c52e8f75f0c10f9deaf44861847585fc8129' instead of a registry version. URL dependencies bypass the registry, so no registry integrity hash, provenance or advisory matching applies; a branch or tag reference can be swapped at any time, and a full commit SHA (as here) pins the content but not the trust. A 40-character commit SHA in a dependency URL is also a strong supply-chain signal to review: the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Dependency '@uniswap/v3-periphery' in `dependencies` points to 'github:Uniswap/v3-periphery#b325bb0905d922ae61fcc7df85ee802e8df5e96c' instead of a registry version. The same caveats apply: no registry integrity hash, provenance or advisory matching, and the commit-SHA shape should be reviewed for the reason given above.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.47
3 findings: Dependency '@uniswap/v3-core' in `dependencies` points to 'github:Uniswap/v3-core#6562c52e8f75f0c10f9deaf44861847585fc8129' instead of a registry version. URL dependencies bypass the registry, so no registry integrity hash, provenance or advisory matching applies; a branch or tag reference can be swapped at any time, and a full commit SHA (as here) pins the content but not the trust. A 40-character commit SHA in a dependency URL is also a strong supply-chain signal to review: the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Dependency '@uniswap/v3-periphery' in `dependencies` points to 'github:Uniswap/v3-periphery#b325bb0905d922ae61fcc7df85ee802e8df5e96c' instead of a registry version. The same caveats apply: no registry integrity hash, provenance or advisory matching, and the commit-SHA shape should be reviewed for the reason given above.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.46
3 findings: Dependency '@uniswap/v3-core' in `dependencies` points to 'github:Uniswap/v3-core#6562c52e8f75f0c10f9deaf44861847585fc8129' instead of a registry version. URL dependencies bypass the registry, so no registry integrity hash, provenance or advisory matching applies; a branch or tag reference can be swapped at any time, and a full commit SHA (as here) pins the content but not the trust. A 40-character commit SHA in a dependency URL is also a strong supply-chain signal to review: the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Dependency '@uniswap/v3-periphery' in `dependencies` points to 'github:Uniswap/v3-periphery#b325bb0905d922ae61fcc7df85ee802e8df5e96c' instead of a registry version. The same caveats apply: no registry integrity hash, provenance or advisory matching, and the commit-SHA shape should be reviewed for the reason given above.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.44
3 findings: Dependency '@uniswap/v3-core' in `dependencies` points to 'github:Uniswap/v3-core#6562c52e8f75f0c10f9deaf44861847585fc8129' instead of a registry version. URL dependencies bypass the registry, so no registry integrity hash, provenance or advisory matching applies; a branch or tag reference can be swapped at any time, and a full commit SHA (as here) pins the content but not the trust. A 40-character commit SHA in a dependency URL is also a strong supply-chain signal to review: the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Dependency '@uniswap/v3-periphery' in `dependencies` points to 'github:Uniswap/v3-periphery#b325bb0905d922ae61fcc7df85ee802e8df5e96c' instead of a registry version. The same caveats apply: no registry integrity hash, provenance or advisory matching, and the commit-SHA shape should be reviewed for the reason given above.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.43
3 findings: Dependency '@uniswap/v3-core' in `dependencies` points to 'github:Uniswap/v3-core#6562c52e8f75f0c10f9deaf44861847585fc8129' instead of a registry version. URL dependencies bypass the registry, so no registry integrity hash, provenance or advisory matching applies; a branch or tag reference can be swapped at any time, and a full commit SHA (as here) pins the content but not the trust. A 40-character commit SHA in a dependency URL is also a strong supply-chain signal to review: the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Dependency '@uniswap/v3-periphery' in `dependencies` points to 'github:Uniswap/v3-periphery#b325bb0905d922ae61fcc7df85ee802e8df5e96c' instead of a registry version. The same caveats apply: no registry integrity hash, provenance or advisory matching, and the commit-SHA shape should be reviewed for the reason given above.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.42
3 findings: Dependency '@uniswap/v3-core' in `dependencies` points to 'github:Uniswap/v3-core#6562c52e8f75f0c10f9deaf44861847585fc8129' instead of a registry version. URL dependencies bypass the registry, so no registry integrity hash, provenance or advisory matching applies; a branch or tag reference can be swapped at any time, and a full commit SHA (as here) pins the content but not the trust. A 40-character commit SHA in a dependency URL is also a strong supply-chain signal to review: the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Dependency '@uniswap/v3-periphery' in `dependencies` points to 'github:Uniswap/v3-periphery#b325bb0905d922ae61fcc7df85ee802e8df5e96c' instead of a registry version. The same caveats apply: no registry integrity hash, provenance or advisory matching, and the commit-SHA shape should be reviewed for the reason given above.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.41
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.40
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.39
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.38
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.37
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.36
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.35
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.34
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.33
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.32
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.31
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.30
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.29
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.0.28
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.27
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.26
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.25
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.24
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.