@blockrun/clawrouter
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | encoded-string-file:dist/index.js | AI (source-diff): Same viem EVM bytecode constants; stable false positive for this blockchain routing package. | ai | |
| source-diff | encoded-string-file:dist/cli.js | AI (source-diff): Long hex strings are EVM bytecode constants from viem library (deployless call, multicall3); not obfuscated payloads. | ai | |
| phantom-deps | phantom-dep:@x402/core | AI (phantom-deps): Part of the @x402 micropayment suite; referenced in config/plugin files. Stable false positive for this package's architecture. | ai | |
| phantom-deps | phantom-dep:@x402/fetch | AI (phantom-deps): Config-referenced dep for x402 payment protocol integration; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@solana/kit | AI (phantom-deps): Config-referenced dep for Solana payment support; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@scure/bip39 | AI (phantom-deps): Config-referenced cryptographic dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:viem | AI (phantom-deps): viem is an EVM library used in config/plugin context; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@scure/bip32 | AI (phantom-deps): Config-referenced cryptographic dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@x402/evm | AI (phantom-deps): Deps are referenced in config/plugin files for dynamic loading in the openclaw plugin architecture; not a real phantom dep for this package. | ai | |
| phantom-deps | phantom-dep:@x402/svm | AI (phantom-deps): Same as @x402/evm — config-referenced dep for plugin architecture, stable false positive. | ai | |
| dependencies | unvetted-peer-dep:openclaw | AI (dependencies): openclaw is an optional peer dep from the same BlockRun ecosystem; it's also a devDependency, indicating intentional use. Stable false positive for this package. | ai |
Versions (showing 100 of 386)
| Version | Deps | Published |
|---|---|---|
| 0.11.9 | 1 / 9 | |
| 0.11.8 | 1 / 9 | |
| 0.11.7 | 1 / 9 | |
| 0.11.6 | 1 / 9 | |
| 0.11.5 | 1 / 9 | |
| 0.11.4 | 1 / 9 | |
| 0.11.3 | 1 / 9 | |
| 0.11.2 | 1 / 9 | |
| 0.11.1 | 1 / 9 | |
| 0.11.0 | 1 / 9 | |
| 0.10.22 | 1 / 9 | |
| 0.10.21 | 1 / 9 | |
| 0.10.20 | 1 / 9 | |
| 0.10.19 | 1 / 9 | |
| 0.10.18 | 1 / 9 | |
| 0.10.17 | 1 / 9 | |
| 0.10.16 | 1 / 9 | |
| 0.10.15 | 1 / 9 | |
| 0.10.14 | 1 / 9 | |
| 0.10.13 | 1 / 9 | |
| 0.10.12 | 1 / 9 | |
| 0.10.11 | 1 / 9 | |
| 0.10.10 | 1 / 9 | |
| 0.10.9 | 1 / 9 | |
| 0.10.8 | 1 / 9 | |
| 0.10.7 | 1 / 9 | |
| 0.10.6 | 1 / 9 | |
| 0.10.5 | 1 / 9 | |
| 0.10.4 | 1 / 9 | |
| 0.10.3 | 1 / 9 | |
| 0.10.2 | 1 / 9 | |
| 0.10.1 | 1 / 9 | |
| 0.10.0 | 1 / 9 | |
| 0.9.39 | 1 / 9 | |
| 0.9.38 | 1 / 9 | |
| 0.9.37 | 1 / 9 | |
| 0.9.36 | 1 / 8 | |
| 0.9.35 | 1 / 8 | |
| 0.9.34 | 1 / 8 | |
| 0.9.33 | 1 / 8 | |
| 0.9.32 | 1 / 8 | |
| 0.9.31 | 1 / 8 | |
| 0.9.30 | 1 / 8 | |
| 0.9.29 | 1 / 8 | |
| 0.9.28 | 1 / 8 | |
| 0.9.27 | 1 / 8 | |
| 0.9.26 | 1 / 8 | |
| 0.9.25 | 1 / 8 | |
| 0.9.24 | 1 / 8 | |
| 0.9.23 | 1 / 8 | |
| 0.9.22 | 1 / 8 | |
| 0.9.21 | 1 / 8 | |
| 0.9.20 | 1 / 8 | |
| 0.9.19 | 1 / 8 | |
| 0.9.18 | 1 / 8 | |
| 0.9.17 | 1 / 8 | |
| 0.9.16 | 1 / 8 | |
| 0.9.15 | 1 / 8 | |
| 0.9.14 | 1 / 8 | |
| 0.9.13 | 1 / 8 | |
| 0.9.12 | 1 / 8 | |
| 0.9.11 | 1 / 8 | |
| 0.9.10 | 1 / 8 | |
| 0.9.9 | 1 / 8 | |
| 0.9.8 | 1 / 7 | |
| 0.9.7 | 1 / 7 | |
| 0.9.6 | 1 / 7 | |
| 0.9.5 | 1 / 7 | |
| 0.9.4 | 1 / 7 | |
| 0.9.3 | 1 / 7 | |
| 0.9.2 | 1 / 7 | |
| 0.9.1 | 1 / 7 | |
| 0.9.0 | 1 / 7 | |
| 0.8.31 | 1 / 7 | |
| 0.8.30 | 1 / 7 | |
| 0.8.29 | 1 / 7 | |
| 0.8.28 | 1 / 7 | |
| 0.8.27 | 1 / 7 | |
| 0.8.26 | 1 / 7 | |
| 0.8.25 | 1 / 7 | |
| 0.8.24 | 1 / 7 | |
| 0.8.23 | 1 / 7 | |
| 0.8.22 | 1 / 7 | |
| 0.8.21 | 1 / 7 | |
| 0.8.20 | 1 / 7 | |
| 0.8.19 | 1 / 7 | |
| 0.8.18 | 1 / 7 | |
| 0.8.17 | 1 / 7 | |
| 0.8.16 | 1 / 7 | |
| 0.8.15 | 1 / 7 | |
| 0.8.14 | 1 / 7 | |
| 0.8.13 | 1 / 7 | |
| 0.8.12 | 1 / 7 | |
| 0.8.11 | 1 / 7 | |
| 0.8.10 | 1 / 7 | |
| 0.8.9 | 1 / 7 | |
| 0.8.8 | 1 / 7 | |
| 0.8.7 | 1 / 7 | |
| 0.8.6 | 1 / 7 | |
| 0.8.5 | 1 / 7 |
v0.11.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.19
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.10
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.36
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.27
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.25
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.18
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.