@cartridge/controller
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/provider-Bsw_spHR.js | AI (source-diff): Vite/Rollup minified bundle output; readable code with starknet imports, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/index-C7KGk-LM.js | AI (source-diff): Standard Vite bundle output; sample shows readable, non-malicious code. Long lines are minification artifacts. | ai | |
| source-diff | obfuscated-file:dist/provider-NKp7_oNj.js | AI (source-diff): Standard Vite/Rollup bundle output; readable code with no obfuscation or encoded payloads. | ai | |
| source-diff | obfuscated-file:dist/provider-DSqqvDee.js | AI (source-diff): Standard Vite/Rollup bundle output with hashed filename; readable code, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/provider-B8OiOgBt.js | AI (source-diff): Standard Vite/Rollup minified bundle output; content is readable and benign for this package. | ai | |
| source-diff | obfuscated-file:dist/provider-BgBI_LQl.js | AI (source-diff): Standard Vite/Rollup minified bundle output; sample shows readable starknet business logic, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/provider-bC9cKItb.js | AI (source-diff): Standard Vite/Rollup minified bundle; sample shows readable starknet imports, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/provider-D-5qL7QC.js | AI (source-diff): Standard Vite/Rollup minified bundle output; content is readable and benign for this wallet controller package. | ai | |
| source-diff | obfuscated-file:dist/provider-PftcmETC.js | AI (source-diff): Standard Vite/Rollup minified bundle output; readable code with starknet imports, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/provider-CN6AecRF.js | AI (source-diff): Standard Vite/Rollup minified bundle output; readable code, no actual obfuscation or malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/provider-DSw1EyU9.js | AI (source-diff): Standard Vite/Rollup minified bundle; code is readable and matches package functionality. | ai | |
| source-diff | obfuscated-file:dist/provider-S-IvFw23.js | AI (source-diff): Standard Vite/Rollup minified ESM bundle output; content is readable and matches package functionality. | ai | |
| source-diff | obfuscated-file:dist/provider-CznCrt4b.js | AI (source-diff): Standard Vite/Rollup minified bundle output; readable code with no obfuscation indicators. | ai | |
| source-diff | obfuscated-file:dist/index-CJNujYxo.js | AI (source-diff): Standard Vite/Rollup minified bundle output; readable identifiers, no encoding or obfuscation techniques present. | ai | |
| source-diff | obfuscated-file:dist/provider-BQFas4CN.js | AI (source-diff): Standard Vite/Rollup minified bundle output; content is readable and matches expected package functionality. | ai | |
| source-diff | obfuscated-file:dist/index-BdTFKueB.js | AI (source-diff): Standard Vite/Rollup minified bundle output; sample shows readable starknet imports and enum patterns, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/index-CYAUAqql.js | AI (source-diff): Standard Vite/Rollup minified bundle output; readable identifiers, no suspicious payloads. | ai | |
| provenance | publisher-changed | AI (provenance): Transition to GitHub Actions CI/CD publisher with SLSA provenance attestation; legitimate automation pattern. | ai | |
| source-diff | obfuscated-file:dist/provider-s-80NdXp.js | AI (source-diff): Standard Vite/Rollup minified bundle output; not obfuscated malware. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/index-BBfUA93L.js | AI (source-diff): Vite/Rollup build output; sample shows readable starknet code, not actual obfuscation. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@cartridge/utils | AI (phantom-deps): Same-org sibling package in monorepo; phantom-dep is a stable false positive for this package. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decode is standard Solana transaction serialization in utils/solana — no obfuscation concern. | ai | |
| phantom-deps | phantom-dep:@walletconnect/ethereum-provider | AI (phantom-deps): Likely used in browser bundle path; phantom-dep heuristic misses config-file imports. | ai | |
| phantom-deps | phantom-dep:@turnkey/sdk-browser | AI (phantom-deps): Likely used in browser bundle path; phantom-dep heuristic misses config-file imports. | ai | |
| phantom-deps | phantom-dep:cbor-x | AI (phantom-deps): Likely used in Node.js build/config path; phantom-dep heuristic misses config-file imports. | ai | |
| phantom-deps | phantom-dep:open | AI (phantom-deps): Likely used in Node.js build/config path; phantom-dep heuristic misses config-file imports. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Raw IP is 127.0.0.1 in a test file validating iframe URL security, not a real network call. | ai | |
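Four of the accepted entries above are `phantom-dep` findings whose reason is the same: the heuristic did not see imports that live in config or script files (Vite config, build scripts), so a dependency looked either unused or undeclared. The Python below is an added example, not the scanner's code, showing a dependency cross-check that scans those files too and reports both directions (imported but not declared, and declared but never imported). The manifest and file contents are constructed for illustration and are not the real @cartridge/controller tree; the built-in module list and the config-file pattern are assumptions.

```python
"""Phantom-dependency check that also reads config and script files, the gap the
accepted-risk notes attribute to the scanner's heuristic. Added example, not the
scanner's code; the manifest and files below are constructed for illustration."""
import re

# Matches the specifier in: import x from "p"; import "p"; import("p"); require("p"); export * from "p"
IMPORT_RE = re.compile(r"""\b(?:from|import|require)\s*\(?\s*['"]([^'"]+)['"]""")
DEP_KEYS = ("dependencies", "devDependencies", "peerDependencies", "optionalDependencies")
# Partial list of Node built-ins importable without the node: prefix (assumption).
BUILTINS = {"fs", "path", "os", "url", "crypto", "child_process", "http", "https",
            "util", "events", "stream", "buffer", "assert", "process", "zlib"}


def package_name(spec: str):
    """Map an import specifier to a package name, or None for local/builtin imports."""
    spec = spec.split("?", 1)[0]                      # drop bundler query suffixes like ?raw
    if spec.startswith((".", "/", "node:")):
        return None
    parts = spec.split("/")
    if spec.startswith("@"):                          # scoped package: @scope/name[/subpath]
        return "/".join(parts[:2]) if len(parts) >= 2 else None
    return None if parts[0] in BUILTINS else parts[0]


def is_config(path: str) -> bool:
    """Files a source-only scan would skip: *.config.{js,ts,mjs,cjs} and scripts/ (assumption)."""
    return bool(re.search(r"(?:^|/)[\w.-]*config\.[cm]?[jt]s$", path)) or path.startswith("scripts/")


def phantom_deps(files: dict, manifest: dict, include_config: bool = True) -> dict:
    """Report both directions: packages imported but not declared in the manifest,
    and declared packages with no import anywhere in the scanned files."""
    declared = {name for key in DEP_KEYS for name in manifest.get(key, {})}
    used = {}                                         # package name -> set of importing files
    for path, text in files.items():
        if not include_config and is_config(path):
            continue
        for spec in IMPORT_RE.findall(text):
            name = package_name(spec)
            if name:
                used.setdefault(name, set()).add(path)
    return {
        "undeclared_used": {n: sorted(p) for n, p in used.items() if n not in declared},
        "declared_unused": sorted(declared - set(used)),
    }


# Constructed project (not the real @cartridge/controller tree).
MANIFEST = {
    "name": "@example/controller",
    "dependencies": {"starknet": "^6.0.0", "@walletconnect/ethereum-provider": "^2.0.0", "open": "^10.0.0"},
    "devDependencies": {"vite": "^5.0.0"},
}
FILES = {
    "src/index.ts": 'import { Account } from "starknet";\nimport pick from "lodash/pick";\n'
                    'import { helper } from "./utils";\nexport * from "./provider";\n',
    "vite.config.ts": 'import { defineConfig } from "vite";\nimport "@walletconnect/ethereum-provider";\n'
                      'export default defineConfig({});\n',
    "scripts/open-docs.mjs": 'import open from "open";\nimport { readFileSync } from "node:fs";\n'
                             'await open("https://example.invalid/docs");\n',
}

if __name__ == "__main__":
    print("source only:", phantom_deps(FILES, MANIFEST, include_config=False))
    print("with config:", phantom_deps(FILES, MANIFEST, include_config=True))
```

With `include_config=False` the constructed project reproduces the table's false positives (`@walletconnect/ethereum-provider`, `open` and `vite` look unused); with config files included they disappear, while the genuinely undeclared `lodash` import in `src/index.ts` is still reported. A monorepo sibling such as `@cartridge/utils` would show up as undeclared-but-used unless the workspace root's manifests are merged into `declared`.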
Versions (showing 29 of 29)
| Version | Deps | Published |
|---|---|---|
| 0.13.12 | 13 / 15 | |
| 0.13.11 | 13 / 15 | |
| 0.13.10 | 13 / 15 | |
| 0.13.9 | 14 / 15 | |
| 0.13.7 | 14 / 15 | |
| 0.13.6 | 14 / 15 | |
| 0.13.5 | 14 / 15 | |
| 0.13.4 | 13 / 15 | |
| 0.13.3 | 13 / 15 | |
| 0.12.2 | 13 / 15 | |
| 0.12.1 | 13 / 15 | |
| 0.12.0 | 13 / 15 | |
| 0.11.3 | 13 / 15 | |
| 0.11.2 | 13 / 15 | |
| 0.11.1 | 13 / 15 | |
| 0.10.7 | 13 / 15 | |
| 0.10.6 | 13 / 15 | |
| 0.10.5 | 13 / 15 | |
| 0.10.4 | 13 / 15 | |
| 0.10.3 | 13 / 15 | |
| 0.10.2 | 13 / 15 | |
| 0.10.1 | 13 / 15 | |
| 0.10.0 | 13 / 15 | |
| 0.9.3 | 9 / 15 | |
| 0.9.2 | 9 / 15 | |
| 0.9.1 | 9 / 15 | |
| 0.9.0 | 9 / 15 | |
| 0.8.0 | 9 / 15 | |
| 0.7.13 | 10 / 14 | |
v0.13.12
1 finding
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.11
3 findings
- This version was published by a different npm account than previous versions on 2026-04-03. This could indicate a legitimate maintainer transition or an account compromise.
- A newly added source file contains lines over 3000 characters, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
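The obfuscated-file finding for this version, like every `obfuscated-file` entry in the accepted-risks table, fires on line length alone, and the table explains why that is weak evidence here: each hashed `dist/*.js` chunk is minified bundler output, so the rule trips on every release. The Python below is an added example, not the scanner's code, that reproduces the 3000-character trigger and then scores secondary indicators a reviewer would actually look for (javascript-obfuscator style `_0x` identifiers, hex-escaped string contents, `eval`/`atob` stages, long base64-looking blobs, character entropy) to separate minified from obfuscated code. The thresholds are assumptions, and both input samples are constructed stand-ins rather than files from the package.

```python
"""Triage for the obfuscated-file rule: reproduce its trigger (a line longer
than 3000 characters) and score indicators that separate ordinary minified
bundler output from deliberate obfuscation. Added example, not the scanner's
code; thresholds are assumptions and both samples are constructed."""
import math
import re
from collections import Counter

LONG_LINE = 3000                                             # the trigger the finding describes

HEX_IDENT = re.compile(r"\b_0x[0-9a-f]{4,}\b")                # javascript-obfuscator style names
ESCAPED_CHAR = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")  # escaped string contents
DYNAMIC_EVAL = re.compile(r"\b(?:eval|Function|atob|unescape)\s*\(")
LONG_BLOB = re.compile(r"""['"][A-Za-z0-9+/=]{200,}['"]""")   # base64-looking payloads


def shannon_entropy(text: str) -> float:
    """Bits per character. Minified JS sits well under 5.5; packed or encoded
    payloads push above it (the 5.5 threshold is an assumption)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def triage(source: str) -> dict:
    """Return the rule's trigger state plus an obfuscation score and verdict."""
    longest = max((len(line) for line in source.splitlines()), default=0)
    size = max(len(source), 1)
    indicators = {
        "hex_idents": len(HEX_IDENT.findall(source)),
        "escapes_per_kb": len(ESCAPED_CHAR.findall(source)) * 1024 / size,
        "dynamic_eval": len(DYNAMIC_EVAL.findall(source)),
        "long_blobs": len(LONG_BLOB.findall(source)),
        "entropy": shannon_entropy(source),
    }
    score = (2 * (indicators["hex_idents"] >= 5)
             + 2 * (indicators["escapes_per_kb"] > 20)
             + (indicators["dynamic_eval"] > 0)
             + (indicators["long_blobs"] > 0)
             + (indicators["entropy"] > 5.5))
    triggered = longest > LONG_LINE
    if score >= 3:
        verdict = "obfuscated"
    elif triggered:
        verdict = "minified"                                  # long lines, readable content
    else:
        verdict = "plain"
    return {"triggered": triggered, "longest_line": longest, "score": score,
            "verdict": verdict, **indicators}


# Constructed stand-in for a Vite/Rollup chunk: one long line of readable code.
MINIFIED_SAMPLE = (
    'import{Account as e,Contract as t,RpcProvider as n}from"starknet";'
    + "".join(f"function f{i}(a,b){{return e.prototype.execute.call(a,b,{i})}}" for i in range(80))
    + "export{f0 as provider};"
)

# Constructed stand-in for obfuscator output: rotated string array, hex names,
# escaped strings and an eval(atob(...)) stage. Not a real payload.
OBFUSCATED_SAMPLE = (
    r"var _0x1a2b=['\x63\x6f\x6e\x73\x6f\x6c\x65','\x6c\x6f\x67','\x66\x65\x74\x63\x68',"
    r"'\x6c\x6f\x63\x61\x6c\x53\x74\x6f\x72\x61\x67\x65','\x67\x65\x74\x49\x74\x65\x6d',"
    r"'\x70\x72\x69\x76\x61\x74\x65\x4b\x65\x79'];"
    r"(function(_0x3c4d,_0x5e6f){var _0x7a8b=function(_0x9c0d){while(--_0x9c0d){"
    r"_0x3c4d['push'](_0x3c4d['shift']());}};_0x7a8b(++_0x5e6f);}(_0x1a2b,0x1f3));"
    "eval(atob('" + "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=" * 8 + "'));"
)

if __name__ == "__main__":
    for label, sample in (("minified", MINIFIED_SAMPLE), ("obfuscated", OBFUSCATED_SAMPLE)):
        print(label, triage(sample))
```

The two checks are independent, which is the point: the constructed obfuscated sample is a few hundred characters per line and would never trip the page's rule, while the minified sample trips it with no obfuscation indicators at all. Run the triage over the extracted tarball (`npm pack` the version, then unpack `dist/`) before accepting or escalating a long-line finding.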
v0.13.10
3 findings
- A newly added source file contains lines over 3000 characters, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
- [Accepted risk] This version was published by a different npm account than previous versions on 2026-03-19. This could indicate a legitimate maintainer transition or an account compromise.
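The provenance line for this version records a Sigstore attestation with a SLSA v1 predicate, and the accepted `publisher-changed` entry records the move to a GitHub Actions publisher. Signature and transparency-log verification is what `npm audit signatures` performs; what it does not tell you is whether the attested build came from the repository and workflow you expect, so a fork publishing under a compromised or transferred npm account would carry an equally valid attestation. The Python below is an added example, not the scanner's or the project's code. It checks the fields of the statement a consumer should pin: predicate type, subject purl, tarball digest against the packument's `dist.integrity`, source repository, workflow path and builder id. The statement is constructed to mirror the SLSA v1 layout npm publishes from GitHub Actions; the repository, workflow path and tarball bytes are placeholders (assumptions), not values taken from the registry.

```python
"""Check what an npm Sigstore/SLSA v1 provenance statement actually binds to.
Added example (not the scanner's or the package's code). The statement below is
constructed to mirror the SLSA v1 layout npm publishes from GitHub Actions;
repository, workflow path and tarball bytes are placeholders, not registry data."""
import base64
import copy
import hashlib

SLSA_V1 = "https://slsa.dev/provenance/v1"
INTOTO_V1 = "https://in-toto.io/Statement/v1"
GITHUB_HOSTED_BUILDER = "https://github.com/actions/runner/github-hosted"   # self-hosted runners use a different id


def attestations_url(name: str, version: str) -> str:
    """Registry path the npm CLI requests for a version's attestation bundle
    (only '/' in the name is escaped, as npm-package-arg does). Fetching is left
    to the caller so this example runs offline."""
    return f"https://registry.npmjs.org/-/npm/v1/attestations/{name.replace('/', '%2f')}@{version}"


def npm_purl(name: str, version: str) -> str:
    """Subject name used in npm provenance; scoped names encode '@' as %40."""
    return f"pkg:npm/{name.replace('@', '%40')}@{version}"


def sri_to_hex(integrity: str) -> str:
    """Convert the packument's dist.integrity ('sha512-<base64>') to the hex
    digest form used in the statement's subject."""
    algo, b64 = integrity.split("-", 1)
    if algo != "sha512":
        raise ValueError(f"unexpected integrity algorithm {algo}")
    return base64.b64decode(b64).hex()


def check_provenance(statement: dict, *, name: str, version: str, integrity: str,
                     expected_repo: str, expected_workflow: str) -> list:
    """Return the list of mismatches; an empty list means the statement binds
    this exact tarball to the expected repository, workflow and builder."""
    problems = []
    if statement.get("_type") != INTOTO_V1:
        problems.append("not an in-toto v1 statement")
    if statement.get("predicateType") != SLSA_V1:
        problems.append(f"predicateType {statement.get('predicateType')!r} != {SLSA_V1}")
    purl = npm_purl(name, version)
    subject = next((s for s in statement.get("subject", []) if s.get("name") == purl), None)
    if subject is None:
        problems.append(f"no subject for {purl}")
    elif subject.get("digest", {}).get("sha512") != sri_to_hex(integrity):
        problems.append("subject sha512 does not match dist.integrity")
    predicate = statement.get("predicate", {})
    workflow = predicate.get("buildDefinition", {}).get("externalParameters", {}).get("workflow", {})
    if workflow.get("repository") != expected_repo:
        problems.append(f"built from {workflow.get('repository')!r}, expected {expected_repo!r}")
    if workflow.get("path") != expected_workflow:
        problems.append(f"workflow {workflow.get('path')!r}, expected {expected_workflow!r}")
    builder = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder != GITHUB_HOSTED_BUILDER:
        problems.append(f"builder {builder!r} is not a GitHub-hosted runner")
    return problems


# Constructed inputs (placeholders, not values from the npm registry).
NAME, VERSION = "@cartridge/controller", "0.13.10"
EXPECTED_REPO = "https://github.com/example-org/controller"        # assumption
EXPECTED_WORKFLOW = ".github/workflows/release.yml"                # assumption
TARBALL = b"stand-in bytes for controller-0.13.10.tgz"
INTEGRITY = "sha512-" + base64.b64encode(hashlib.sha512(TARBALL).digest()).decode()

STATEMENT = {
    "_type": INTOTO_V1,
    "predicateType": SLSA_V1,
    "subject": [{"name": npm_purl(NAME, VERSION),
                 "digest": {"sha512": hashlib.sha512(TARBALL).hexdigest()}}],
    "predicate": {
        "buildDefinition": {"externalParameters": {"workflow": {
            "ref": "refs/tags/v0.13.10", "repository": EXPECTED_REPO, "path": EXPECTED_WORKFLOW}}},
        "runDetails": {"builder": {"id": GITHUB_HOSTED_BUILDER}},
    },
}


def verify_constructed() -> list:
    return check_provenance(STATEMENT, name=NAME, version=VERSION, integrity=INTEGRITY,
                            expected_repo=EXPECTED_REPO, expected_workflow=EXPECTED_WORKFLOW)


def verify_forked() -> list:
    """Same statement attested from a fork: signature-valid, wrong origin."""
    forked = copy.deepcopy(STATEMENT)
    forked["predicate"]["buildDefinition"]["externalParameters"]["workflow"]["repository"] = \
        "https://github.com/attacker/controller"
    return check_provenance(forked, name=NAME, version=VERSION, integrity=INTEGRITY,
                            expected_repo=EXPECTED_REPO, expected_workflow=EXPECTED_WORKFLOW)


def verify_swapped_tarball() -> list:
    """Genuine statement, but the tarball served by the registry is not the attested one."""
    other = "sha512-" + base64.b64encode(hashlib.sha512(b"different bytes").digest()).decode()
    return check_provenance(STATEMENT, name=NAME, version=VERSION, integrity=other,
                            expected_repo=EXPECTED_REPO, expected_workflow=EXPECTED_WORKFLOW)


if __name__ == "__main__":
    print("attestation bundle:", attestations_url(NAME, VERSION))
    print("constructed statement:", verify_constructed() or "OK")
    print("forked statement:", verify_forked())
    print("swapped tarball:", verify_swapped_tarball())
```

The two failing cases are the ones a green "published with provenance" badge hides: a statement that is cryptographically valid but names a different source repository, and a registry tarball whose digest is not the attested subject. Pin `expected_repo` to the repository you vetted, and treat a `publisher-changed` finding together with a repository change in the attestation as a block, not an accepted risk.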
v0.13.9
3 findings
- This version was published by a different npm account than previous versions on 2026-02-16. This could indicate a legitimate maintainer transition or an account compromise.
- A newly added source file contains lines over 3000 characters, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.7
2 findings
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
- [Accepted risk] This version was published by a different npm account than previous versions on 2026-02-12. This could indicate a legitimate maintainer transition or an account compromise.
v0.13.6
2 findings
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
- [Accepted risk] This version was published by a different npm account than previous versions on 2026-02-12. This could indicate a legitimate maintainer transition or an account compromise.
v0.13.5
3 findings
- A newly added source file contains lines over 3000 characters, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
- [Accepted risk] This version was published by a different npm account than previous versions on 2026-02-10. This could indicate a legitimate maintainer transition or an account compromise.
v0.13.4
3 findings
- A newly added source file contains lines over 3000 characters, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
- [Accepted risk] This version was published by a different npm account than previous versions on 2026-02-06. This could indicate a legitimate maintainer transition or an account compromise.
v0.13.3
3 findings
- A newly added source file contains lines over 3000 characters, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
- [Accepted risk] This version was published by a different npm account than previous versions on 2026-02-06. This could indicate a legitimate maintainer transition or an account compromise.
v0.12.2
2 findings
- A newly added source file contains lines over 3000 characters, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.12.1
2 findings
- A newly added source file contains lines over 3000 characters, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.12.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.11.3
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.11.2
1 finding
- Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.11.1
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.7
2 findings
- A newly added source file contains lines over 3000 characters, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.10.6
2 findings
- A newly added source file contains lines over 3000 characters, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.10.5
2 findings
- A newly added source file contains lines over 3000 characters, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.10.4
2 findings
- A newly added source file contains lines over 3000 characters, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.10.3
2 findings
- A newly added source file contains lines over 3000 characters, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.10.2
2 findings
- A newly added source file contains lines over 3000 characters, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.10.1
2 findings
- A newly added source file contains lines over 3000 characters, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.10.0
2 findings
- A newly added source file contains lines over 3000 characters, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.
v0.9.3
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.2
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.1
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.13
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.