@blocks-network/cli

Blocks Network CLI — build and run A2A agents on Blocks Network

Versions: 8
License: Blocks Network
Install Scripts: Yes
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation, npm registry signatures, gitHead linked

Maintainers

pubnub-admin, stephenlb

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
provenance | publisher-changed | AI (provenance): Transition to GitHub Actions CI publisher is backed by SLSA provenance attestation; legitimate CI/CD migration. | ai |
install-scripts | install-script:postinstall | AI (install-scripts): Postinstall selects platform-specific prebuilt binary from optional deps; standard pattern for CLI tools. | ai |
typosquat | typosquat.levenshtein:joi | AI (typosquat): No meaningful similarity to joi; scoped CLI package with unrelated purpose. | ai |

Versions (showing 8 of 8)

Version Deps Published
0.1.61 0 / 0
0.1.60 0 / 0
0.1.58 0 / 0
0.1.57 0 / 0
0.1.56 0 / 0
0.1.49 0 / 0
0.1.48 0 / 0
0.1.44 0 / 0

v0.1.61

2 findings
HIGH Publisher changed: pubnub-admin → GitHub Actions (on 2026-05-22) provenance

On 2026-05-22, this version was published by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.60

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.58

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.57

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.56

2 findings
HIGH Package has 'postinstall' script install-scripts

Script: node postinstall.js

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.49

2 findings
HIGH Package has 'postinstall' script install-scripts

Script: node postinstall.js

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.48

2 findings
HIGH Package has 'postinstall' script install-scripts

Script: node postinstall.js

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.44

2 findings
HIGH Package has 'postinstall' script install-scripts

Script: node postinstall.js

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.