@bananapus/swap-terminal-v6
Versions: 2
License: —
Install Scripts: Yes
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
simplemachineme.jangofilipviz
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| install-scripts | install-script:postinstall | AI (install-scripts): Postinstall uses sed to patch Solidity import paths in a test helper file — standard Foundry/npm interop pattern for this org's packages. No network calls or code execution. | ai | |
| npm-metadata | url-dep:@uniswap/v3-core | AI (npm-metadata): GitHub-pinned Uniswap official repo is standard practice in Solidity/Foundry projects; not a supply chain risk for this package type. | ai | |
| npm-metadata | url-dep:@uniswap/v3-periphery | AI (npm-metadata): GitHub-pinned Uniswap official repo is standard practice in Solidity/Foundry projects; not a supply chain risk for this package type. | ai | |
| phantom-deps | phantom-dep:@uniswap/permit2 | AI (phantom-deps): Solidity/Foundry package uses npm deps as remapping sources in foundry.toml, not JS imports. Phantom dep pattern is expected. | ai | |
| phantom-deps | phantom-dep:@uniswap/v3-core | AI (phantom-deps): Solidity/Foundry package uses npm deps as remapping sources in foundry.toml, not JS imports. Phantom dep pattern is expected. | ai | |
| phantom-deps | phantom-dep:@uniswap/v3-periphery | AI (phantom-deps): Solidity/Foundry package uses npm deps as remapping sources in foundry.toml, not JS imports. Phantom dep pattern is expected. | ai | |
| npm-metadata | url-dep:@uniswap/permit2 | AI (npm-metadata): GitHub-pinned Uniswap official repo is standard practice in Solidity/Foundry projects; not a supply chain risk for this package type. | ai | |
| phantom-deps | phantom-dep:@bananapus/permission-ids-v6 | AI (phantom-deps): Same-org Solidity dependency used via Foundry remappings, not JS imports. Expected pattern for this package type. | ai | |
| phantom-deps | phantom-dep:@openzeppelin/contracts | AI (phantom-deps): OpenZeppelin contracts used via Foundry remappings in Solidity project, not JS imports. Expected pattern. | ai | |
| phantom-deps | phantom-dep:@exhausted-pigeon/uniswap-v3-foundry-pool | AI (phantom-deps): Foundry testing utility used via remappings, not JS imports. Expected pattern for Solidity test packages. | ai | |
| phantom-deps | phantom-dep:@exhausted-pigeon/uniswap-v3-foundry-quote | AI (phantom-deps): Foundry testing utility used via remappings, not JS imports. Expected pattern for Solidity test packages. | ai | |
| phantom-deps | phantom-dep:@bananapus/core-v6 | AI (phantom-deps): Same-org Solidity dependency used via Foundry remappings, not JS imports. Expected pattern for this package type. | ai | |
v0.0.2
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.