← Home

@blocklet/sdk

npm Homepage
22
Versions
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

wangshijungxw

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
bogus-package bogus-package AI (bogus-package): Established SDK with 1096 versions and 6.9k weekly downloads; missing metadata is a false positive for this package. ai
phantom-deps phantom-dep:cheerio AI (phantom-deps): Declared dependency referenced in config; stable pattern for this package. ai
phantom-deps phantom-dep:@abtnode/db-cache AI (phantom-deps): Declared dependency referenced in config; stable pattern for this package. ai
dependencies unvetted-dep:@abtnode/util AI (dependencies): First-party ArcBlock monorepo package; stable across versions. ai
dependencies unvetted-dep:@arcblock/did AI (dependencies): First-party ArcBlock monorepo package; stable across versions. ai
dependencies unvetted-dep:@arcblock/did-connect-js AI (dependencies): First-party ArcBlock monorepo package; stable across versions. ai
dependencies unvetted-dep:@arcblock/did-ext AI (dependencies): First-party ArcBlock monorepo package; stable across versions. ai
dependencies unvetted-dep:@arcblock/jwt AI (dependencies): First-party ArcBlock monorepo package; stable across versions. ai
dependencies unvetted-dep:@arcblock/ws AI (dependencies): First-party ArcBlock monorepo package; stable across versions. ai
dependencies unvetted-dep:@blocklet/constant AI (dependencies): First-party Blocklet monorepo package; stable across versions. ai
dependencies unvetted-dep:@blocklet/env AI (dependencies): First-party Blocklet monorepo package; stable across versions. ai
semgrep semgrep:shady-links-raw-ip AI (semgrep): 127.0.0.1 loopback for Docker component endpoint construction; not a network exfiltration risk. ai
dependencies unvetted-dep:@blocklet/meta AI (dependencies): First-party Blocklet monorepo package; stable across versions. ai
dependencies unvetted-dep:@blocklet/server-js AI (dependencies): First-party Blocklet monorepo package; stable across versions. ai
dependencies unvetted-dep:@blocklet/theme AI (dependencies): First-party Blocklet monorepo package; stable across versions. ai
dependencies unvetted-dep:@did-connect/authenticator AI (dependencies): First-party DID Connect monorepo package; stable across versions. ai
dependencies unvetted-dep:@did-connect/handler AI (dependencies): First-party DID Connect monorepo package; stable across versions. ai
dependencies unvetted-dep:@nedb/core AI (dependencies): Known embedded DB fork; stable dependency for this package. ai
dependencies unvetted-dep:@ocap/mcrypto AI (dependencies): First-party OCAP monorepo package; stable across versions. ai
dependencies unvetted-dep:@ocap/util AI (dependencies): First-party OCAP monorepo package; stable across versions. ai
dependencies unvetted-dep:@blocklet/error AI (dependencies): First-party Blocklet monorepo package; stable across versions. ai
dependencies unvetted-dep:@abtnode/constant AI (dependencies): First-party ArcBlock monorepo package; stable across versions. ai
dependencies unvetted-dep:@abtnode/db-cache AI (dependencies): First-party ArcBlock monorepo package; stable across versions. ai

Versions (showing 22 of 22)

Version Deps Published
1.17.12 35 / 15
1.17.11 35 / 15
1.17.10 35 / 15
1.17.9 35 / 15
1.17.8 35 / 15
1.17.7 35 / 15
1.17.6 35 / 15
1.17.5 35 / 15
1.17.4 35 / 15
1.17.3 35 / 15
1.17.2 35 / 15
1.17.1 35 / 15
1.17.0 35 / 15
1.16.53 34 / 18
1.16.52 34 / 18
1.16.51 34 / 18
1.16.50 34 / 18
1.16.49 34 / 18
1.16.48 34 / 18
1.16.47 34 / 18
1.16.46 34 / 18
1.16.44 33 / 18

v1.17.12

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.17.11

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.17.10

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.17.9

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.17.8

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.17.7

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.17.6

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.17.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.17.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.17.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.17.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.17.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.17.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.16.53

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.16.52

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.16.51

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.16.50

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.16.49

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.16.48

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.16.47

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.16.46

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.16.44

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.