
@cef-ai/client-sdk

CEF AI Client SDK

Versions: 10
License: Apache-2.0
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance
npm registry signatures
gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

cere-io

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Raw IP is 127.0.0.1 localhost fallback in an example file, not a malicious endpoint. | ai |
semgrep | semgrep:base64-decode | AI (semgrep): Standard cross-environment base64-to-Uint8Array utility; no payload hiding. | ai |
phantom-deps | phantom-dep:cross-fetch | AI (phantom-deps): Declared dep used transitively or conditionally in SDK bundle; stable false positive. | ai |
phantom-deps | phantom-dep:@polkadot/util | AI (phantom-deps): Declared dep used transitively or conditionally in SDK bundle; stable false positive. | ai |
phantom-deps | phantom-dep:@polkadot/util-crypto | AI (phantom-deps): Declared dep used transitively or conditionally in SDK bundle; stable false positive. | ai |
phantom-deps | phantom-dep:@cere-activity-sdk/ciphers | AI (phantom-deps): Declared dep used transitively or conditionally in SDK bundle; stable false positive. | ai |
phantom-deps | phantom-dep:@fails-components/webtransport-transport-http3-quiche | AI (phantom-deps): Declared dep used transitively or conditionally in SDK bundle; stable false positive. | ai |

Versions (showing 10 of 10)

Version | Deps | Published
0.0.14 | 10 / 0 |
0.0.13 | 10 / 0 |
0.0.12 | 10 / 0 |
0.0.11 | 10 / 0 |
0.0.10 | 10 / 0 |
0.0.9 | 10 / 0 |
0.0.8 | 10 / 0 |
0.0.6 | 10 / 0 |
0.0.2 | 10 / 0 |
0.0.1 | 10 / 0 |

v0.0.14

1 finding
[LOW] No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.13

1 finding
[LOW] No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.12

1 finding
[LOW] No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.11

1 finding
[LOW] No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.10

1 finding
[LOW] No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.9

1 finding
[LOW] No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.8

1 finding
[LOW] No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.6

1 finding
[LOW] No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.2

1 finding
[LOW] No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.1

1 finding
[LOW] No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.