@blockrun/clawrouter
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | encoded-string-file:dist/index.js | AI (source-diff): Same viem EVM bytecode constants; stable false positive for this blockchain routing package. | ai | |
| source-diff | encoded-string-file:dist/cli.js | AI (source-diff): Long hex strings are EVM bytecode constants from viem library (deployless call, multicall3); not obfuscated payloads. | ai | |
| phantom-deps | phantom-dep:@x402/core | AI (phantom-deps): Part of the @x402 micropayment suite; referenced in config/plugin files. Stable false positive for this package's architecture. | ai | |
| phantom-deps | phantom-dep:@x402/fetch | AI (phantom-deps): Config-referenced dep for x402 payment protocol integration; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@solana/kit | AI (phantom-deps): Config-referenced dep for Solana payment support; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@scure/bip39 | AI (phantom-deps): Config-referenced cryptographic dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:viem | AI (phantom-deps): viem is an EVM library used in config/plugin context; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@scure/bip32 | AI (phantom-deps): Config-referenced cryptographic dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@x402/evm | AI (phantom-deps): Deps are referenced in config/plugin files for dynamic loading in the openclaw plugin architecture; not a real phantom dep for this package. | ai | |
| phantom-deps | phantom-dep:@x402/svm | AI (phantom-deps): Same as @x402/evm — config-referenced dep for plugin architecture, stable false positive. | ai | |
| dependencies | unvetted-peer-dep:openclaw | AI (dependencies): openclaw is an optional peer dep from the same BlockRun ecosystem; it's also a devDependency, indicating intentional use. Stable false positive for this package. | ai | |
Versions (showing 100 of 385)
| Version | Deps | Published |
|---|---|---|
| 0.12.99 | 7 / 9 | |
| 0.12.98 | 7 / 9 | |
| 0.12.97 | 7 / 9 | |
| 0.12.96 | 7 / 9 | |
| 0.12.95 | 7 / 9 | |
| 0.12.94 | 7 / 9 | |
| 0.12.93 | 7 / 9 | |
| 0.12.92 | 7 / 9 | |
| 0.12.91 | 7 / 9 | |
| 0.12.90 | 7 / 9 | |
| 0.12.89 | 7 / 9 | |
| 0.12.88 | 7 / 9 | |
| 0.12.87 | 7 / 9 | |
| 0.12.86 | 7 / 9 | |
| 0.12.85 | 7 / 9 | |
| 0.12.84 | 7 / 9 | |
| 0.12.83 | 7 / 9 | |
| 0.12.82 | 7 / 9 | |
| 0.12.81 | 7 / 9 | |
| 0.12.80 | 7 / 9 | |
| 0.12.79 | 7 / 9 | |
| 0.12.78 | 7 / 9 | |
| 0.12.77 | 7 / 9 | |
| 0.12.76 | 7 / 9 | |
| 0.12.75 | 7 / 9 | |
| 0.12.74 | 7 / 9 | |
| 0.12.73 | 7 / 9 | |
| 0.12.72 | 7 / 9 | |
| 0.12.71 | 7 / 9 | |
| 0.12.70 | 7 / 9 | |
| 0.12.69 | 7 / 9 | |
| 0.12.68 | 7 / 9 | |
| 0.12.67 | 7 / 9 | |
| 0.12.66 | 7 / 9 | |
| 0.12.65 | 7 / 9 | |
| 0.12.64 | 7 / 9 | |
| 0.12.63 | 7 / 9 | |
| 0.12.62 | 7 / 9 | |
| 0.12.61 | 7 / 9 | |
| 0.12.60 | 7 / 9 | |
| 0.12.56 | 7 / 9 | |
| 0.12.55 | 7 / 9 | |
| 0.12.54 | 7 / 9 | |
| 0.12.53 | 8 / 9 | |
| 0.12.52 | 8 / 9 | |
| 0.12.51 | 8 / 9 | |
| 0.12.50 | 8 / 9 | |
| 0.12.49 | 8 / 9 | |
| 0.12.48 | 8 / 9 | |
| 0.12.47 | 8 / 9 | |
| 0.12.46 | 8 / 9 | |
| 0.12.45 | 8 / 9 | |
| 0.12.44 | 8 / 9 | |
| 0.12.43 | 8 / 9 | |
| 0.12.42 | 8 / 9 | |
| 0.12.41 | 8 / 9 | |
| 0.12.40 | 8 / 9 | |
| 0.12.39 | 8 / 9 | |
| 0.12.38 | 8 / 9 | |
| 0.12.37 | 8 / 9 | |
| 0.12.36 | 8 / 9 | |
| 0.12.35 | 8 / 9 | |
| 0.12.34 | 8 / 9 | |
| 0.12.33 | 8 / 9 | |
| 0.12.32 | 8 / 9 | |
| 0.12.31 | 8 / 9 | |
| 0.12.30 | 8 / 9 | |
| 0.12.29 | 8 / 9 | |
| 0.12.28 | 8 / 9 | |
| 0.12.27 | 8 / 9 | |
| 0.12.26 | 8 / 9 | |
| 0.12.25 | 8 / 9 | |
| 0.12.24 | 8 / 9 | |
| 0.12.23 | 8 / 9 | |
| 0.12.22 | 8 / 9 | |
| 0.12.21 | 8 / 9 | |
| 0.12.20 | 8 / 9 | |
| 0.12.19 | 8 / 9 | |
| 0.12.18 | 8 / 9 | |
| 0.12.17 | 8 / 9 | |
| 0.12.16 | 8 / 9 | |
| 0.12.13 | 8 / 9 | |
| 0.12.12 | 8 / 9 | |
| 0.12.11 | 8 / 9 | |
| 0.12.10 | 8 / 9 | |
| 0.12.9 | 8 / 9 | |
| 0.12.8 | 8 / 9 | |
| 0.12.7 | 8 / 9 | |
| 0.12.6 | 8 / 9 | |
| 0.12.5 | 8 / 9 | |
| 0.12.4 | 8 / 9 | |
| 0.12.3 | 8 / 9 | |
| 0.12.2 | 8 / 9 | |
| 0.12.1 | 8 / 9 | |
| 0.12.0 | 8 / 9 | |
| 0.11.14 | 8 / 9 | |
| 0.11.13 | 8 / 9 | |
| 0.11.12 | 1 / 9 | |
| 0.11.11 | 1 / 9 | |
| 0.11.10 | 1 / 9 | |
v0.12.99
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.98
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.97
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.96
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.95
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.94
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.93
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.92
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.91
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.90
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.89
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.88
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.87
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.86
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.85
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.84
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.83
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.82
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.81
3 findings:
Modified file contains 6 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 6 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.80
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.79
3 findings:
Modified file contains 6 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 6 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.78
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.77
3 findings:
Modified file contains 6 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 6 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.75
3 findings:
Modified file contains 6 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 6 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.73
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.71
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.69
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.68
3 findings:
Modified file contains 6 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 6 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.66
3 findings:
Modified file contains 6 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 6 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.65
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.64
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.63
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.62
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.61
3 findings:
Modified file contains 6 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 6 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.60
3 findings:
Modified file contains 6 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 6 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.56
3 findings:
Modified file contains 6 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 6 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.55
3 findings:
Modified file contains 6 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 6 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.54
3 findings:
Modified file contains 6 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 6 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.46
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.25
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.