@blocklet/ai-runtime — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

wangshijungxw

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:@arcblock/did-connect	AI (dependencies): Same Arcblock org as this package; stable dependency across many versions.	ai	2026/05/14
provenance	no-provenance	AI (provenance): Established org package; lack of Sigstore provenance is consistent across all versions and poses no elevated risk here.	ai	2026/05/14
dependencies	unvetted-dep:@blocklet/dataset-sdk	AI (dependencies): Same @blocklet org scope; consistent with package's established ecosystem.	ai	2026/05/12
publish-pattern	dormant-publish	AI (publish-pattern): Publisher has 198 approved packages and 0 rejections; org-level release cadence explains gaps.	ai	2026/05/12
phantom-deps	phantom-dep:semver	AI (phantom-deps): Large multi-export package; phantom-dep heuristic unreliable for bundled/config-referenced deps.	ai	2026/05/12
phantom-deps	phantom-dep:express	AI (phantom-deps): Express is a peer/optional server dep referenced in config; stable false positive for this package.	ai	2026/05/12
phantom-deps	phantom-dep:node-fetch	AI (phantom-deps): Isomorphic fetch dep referenced in config; stable false positive.	ai	2026/05/12
phantom-deps	phantom-dep:json-logic-js	AI (phantom-deps): Declared runtime dep; phantom-dep heuristic false positive for this package.	ai	2026/05/12
phantom-deps	phantom-dep:@types/express	AI (phantom-deps): Type-only dep; framework-scoped, stable false positive.	ai	2026/05/12
phantom-deps	phantom-dep:@blocklet/co-git	AI (phantom-deps): Same-org dep; stable false positive for this package.	ai	2026/05/12
phantom-deps	phantom-dep:@types/file-saver	AI (phantom-deps): Type-only dep; stable false positive.	ai	2026/05/12
phantom-deps	phantom-dep:@blocklet/constant	AI (phantom-deps): Same-org dep; stable false positive.	ai	2026/05/12
phantom-deps	phantom-dep:react-querybuilder	AI (phantom-deps): Declared runtime dep; stable false positive.	ai	2026/05/12
phantom-deps	phantom-dep:@types/react-scroll-to-bottom	AI (phantom-deps): Type-only dep; stable false positive.	ai	2026/05/12
phantom-deps	phantom-dep:@types/react-syntax-highlighter	AI (phantom-deps): Type-only dep; stable false positive.	ai	2026/05/12

Versions (showing 51 of 58)

View all versions

Version	Deps	Published
0.7.13	63 / 18	2026-01-07
0.7.12	63 / 18	2025-12-26
0.7.11	63 / 18	2025-12-23
0.7.8	63 / 18	2025-11-28
0.7.7	63 / 18	2025-11-24
0.7.6	63 / 18	2025-11-15
0.7.5	63 / 18	2025-11-14
0.7.4	63 / 18	2025-11-14
0.7.3	63 / 18	2025-11-11
0.7.2	63 / 18	2025-11-10
0.7.1	63 / 18	2025-11-09
0.7.0	63 / 18	2025-11-06
0.6.3	63 / 18	2025-11-05
0.6.2	63 / 18	2025-11-04
0.6.1	63 / 18	2025-10-29
0.6.0	63 / 18	2025-10-29
0.5.26	63 / 18	2025-10-11
0.5.25	63 / 18	2025-10-11
0.5.24	63 / 18	2025-10-11
0.5.23	63 / 18	2025-10-09
0.5.22	63 / 18	2025-10-09
0.5.21	63 / 18	2025-10-01
0.5.20	63 / 18	2025-09-15
0.5.19	63 / 18	2025-09-05
0.5.18	63 / 18	2025-09-05
0.5.17	63 / 18	2025-09-05
0.5.16	63 / 18	2025-09-02
0.5.15	63 / 18	2025-08-28
0.5.14	63 / 18	2025-08-28
0.5.13	63 / 18	2025-08-25
0.5.12	63 / 18	2025-08-22
0.5.11	63 / 18	2025-08-21
0.5.10	63 / 18	2025-08-21
0.5.9	63 / 18	2025-08-21
0.5.8	63 / 18	2025-08-20
0.5.7	63 / 18	2025-08-20
0.5.6	63 / 18	2025-08-13
0.5.5	63 / 18	2025-08-11
0.5.4	63 / 18	2025-08-11
0.5.3	63 / 18	2025-08-07
0.5.2	63 / 18	2025-08-07
0.5.1	63 / 18	2025-08-06
0.5.0	63 / 18	2025-08-06
0.4.279	62 / 18	2025-08-04
0.4.278	62 / 18	2025-08-04
0.4.277	62 / 18	2025-08-01
0.4.276	62 / 18	2025-07-05
0.4.275	63 / 18	2025-06-30
0.4.274	63 / 18	2025-06-11
0.4.273	63 / 18	2025-06-06
0.4.272	63 / 18	2025-06-04

v0.7.13

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.7.12

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.11

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.7.8

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.7

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.6

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.7.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.26

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.25

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.24

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.23

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.22

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.21

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.20

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.19

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.18

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.17

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.16

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.15

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.14

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.13

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.12

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.11

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.10

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.5.9

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.5.8

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.5.7

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.5.6

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.5.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.5.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.5.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.279

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.278

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.277

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.276

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.275

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.274

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.273

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.272

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.