@cofhe/sdk
SDK for Fhenix COFHE coprocessor interaction
Supply chain provenance
Status for the latest visible version (0.6.0): published via CI/CD with a Sigstore attestation (see the per-version list below).
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:idb-keyval | AI (phantom-deps): IndexedDB wrapper for browser storage; used in web builds. | ai | |
| phantom-deps | phantom-dep:zod | AI (phantom-deps): Zod is used for schema validation; declared and legitimately imported. | ai | |
| phantom-deps | phantom-dep:tfhe | AI (phantom-deps): TFHE library for FHE operations; core dependency for this SDK. | ai | |
| phantom-deps | phantom-dep:viem | AI (phantom-deps): Viem is used for blockchain interaction; declared and imported. | ai | |
| phantom-deps | phantom-dep:immer | AI (phantom-deps): Immer used with zustand for state management; legitimately imported. | ai | |
| phantom-deps | phantom-dep:zustand | AI (phantom-deps): Zustand state manager; core dependency for this SDK. | ai | |
| phantom-deps | phantom-dep:node-tfhe | AI (phantom-deps): Node.js TFHE binding; used for server-side FHE operations. | ai | |
| phantom-deps | phantom-dep:tweetnacl | AI (phantom-deps): TweetNaCl for cryptographic operations; legitimately imported. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): All raw-IP hits are 127.0.0.1 loopback for Hardhat local node health checks; benign for this package. | ai | |
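The phantom-deps rule above fires on packages that the SDK's source imports, and each acceptance rests on the package being declared in package.json so that a consumer's install actually provides it. The following is an added example of that check, written for this page and not code from @cofhe/sdk or from the scanner: it walks a set of source files, extracts import and require specifiers, strips subpaths and scopes down to package names, ignores local paths and Node built-ins, and reports any package that is not declared under dependencies, peerDependencies or optionalDependencies. The package.json and source files are constructed for the example; devDependencies are deliberately not counted as satisfying a runtime import, since consumers do not install them.

```javascript
// Added example (not @cofhe/sdk code): a minimal phantom-dependency check.
// A "phantom" dependency here means a package that runtime source imports but
// that package.json does not declare under dependencies, peerDependencies or
// optionalDependencies, so a consumer's install may not provide it.
// The manifest and source files below are constructed for this example.

// Node built-in module names, so `fs`/`path` are not reported as phantoms.
function nodeBuiltins() {
  try {
    const mod = typeof require === 'function'
      ? require('node:module')
      : process.getBuiltinModule('node:module'); // Node >= 22.3 when running as ESM
    return new Set(mod.builtinModules);
  } catch {
    // Fallback (non-exhaustive) if neither lookup is available.
    return new Set(['fs', 'path', 'crypto', 'os', 'url', 'util', 'events',
      'stream', 'buffer', 'http', 'https', 'child_process']);
  }
}
const BUILTINS = nodeBuiltins();

// Constructed manifest: tweetnacl, idb-keyval and node-tfhe are imported below but not declared.
const SAMPLE_PACKAGE_JSON = {
  name: '@example/sdk',
  dependencies: { viem: '^2.0.0', zod: '^3.0.0', zustand: '^4.0.0', immer: '^10.0.0' },
  peerDependencies: { tfhe: '^0.9.0' },
  devDependencies: { typescript: '^5.0.0' },
};

// Constructed sources keyed by path.
const SAMPLE_SOURCES = {
  'src/client.ts': `
    import { createPublicClient } from 'viem';
    import { z } from 'zod';
    import nacl from 'tweetnacl';
    import type { StoreApi } from 'zustand/vanilla';
    import { readFileSync } from 'node:fs';
    import path from 'path';
    import { helper } from './utils';
    const { get, set } = require('idb-keyval');
  `,
  'src/server.ts': `
    import { TfheCompactPublicKey } from 'tfhe';
    const native = require('node-tfhe');
    import './polyfills';
  `,
};

// Reduce a specifier to its package name: '@s/pkg/sub' -> '@s/pkg', 'pkg/sub' -> 'pkg'.
function packageName(specifier) {
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Collect module specifiers from `import ... from 'x'`, `import 'x'`,
// `import('x')`, `export ... from 'x'` and `require('x')`. A regex scanner is
// enough for this demonstration; a real tool would use a parser.
function importedSpecifiers(source) {
  const re = /(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*)['"]([^'"]+)['"]/g;
  return [...new Set([...source.matchAll(re)].map((m) => m[1]))];
}

// Return Map<packageName, [files]> of imports not satisfied by the manifest.
function findPhantomDeps(pkg, sources) {
  const declared = new Set([
    ...Object.keys(pkg.dependencies || {}),
    ...Object.keys(pkg.peerDependencies || {}),
    ...Object.keys(pkg.optionalDependencies || {}),
  ]);
  const phantoms = new Map();
  for (const [file, src] of Object.entries(sources)) {
    for (const spec of importedSpecifiers(src)) {
      if (spec.startsWith('.') || spec.startsWith('/')) continue;   // local file
      if (spec.startsWith('node:') || BUILTINS.has(spec)) continue; // Node built-in
      const name = packageName(spec);
      if (declared.has(name)) continue;
      if (!phantoms.has(name)) phantoms.set(name, []);
      phantoms.get(name).push(file);
    }
  }
  return phantoms;
}

for (const [name, files] of findPhantomDeps(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES)) {
  console.log(`phantom dependency ${name} imported by ${files.join(', ')}`);
}
```

On the constructed input this reports tweetnacl and idb-keyval from src/client.ts and node-tfhe from src/server.ts, while zustand/vanilla resolves to the declared zustand and node:fs, path and ./utils are skipped. A phantom that happens to be installed transitively on the maintainer's machine will still break, or silently resolve to a different package, on a consumer's install, which is why the scanner treats it as a finding even when the import itself is benign.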
Versions (showing 12 of 12)
| Version | Deps | Published |
|---|---|---|
| 0.6.0 | 8 / 16 | |
| 0.5.2 | 8 / 16 | |
| 0.5.1 | 8 / 16 | |
| 0.5.0 | 8 / 16 | |
| 0.4.0 | 8 / 15 | |
| 0.3.2 | 8 / 15 | |
| 0.3.1 | 8 / 15 | |
| 0.3.0 | 8 / 15 | |
| 0.2.1 | 8 / 15 | |
| 0.2.0 | 8 / 15 | |
| 0.1.1 | 8 / 15 | |
| 0.1.0 | 8 / 15 | |
v0.6.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
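Every version from 0.1.1 onward carries a Sigstore attestation whose predicate type is https://slsa.dev/provenance/v1, and 0.1.0 carries none. What that attestation actually binds is an in-toto statement, wrapped in a DSSE envelope, whose subject names the package by its package-url and its tarball by a sha512 digest. The following is an added example written for this page, not code from @cofhe/sdk, npm or Sigstore: it decodes such an envelope and checks that the statement's type, predicate type, subject name and digest match the package, version and lockfile integrity a consumer expects. It assumes the registry's attestation response is shaped as `{ predicateType, bundle: { dsseEnvelope: { payloadType, payload, signatures } } }` and that npm names the subject `pkg:npm/%40cofhe/sdk@0.6.0`; the digest and signature bytes are constructed. It does not verify the signature, certificate or Rekor log entry, which is the part `npm audit signatures` performs.

```javascript
// Added example (not @cofhe/sdk, npm or Sigstore code): decode the DSSE envelope
// of an npm provenance attestation and check that its in-toto statement binds
// the expected package, version and tarball digest. This checks the claim's
// contents only; it does not verify the Sigstore signature, certificate or
// Rekor log entry (that is what `npm audit signatures` does).
// The bundle shape below follows the registry's attestation response as this
// example assumes it; the digest and signature values are constructed.

const IN_TOTO_STATEMENT_V1 = 'https://in-toto.io/Statement/v1';
const SLSA_PROVENANCE_V1 = 'https://slsa.dev/provenance/v1';

// Constructed 64-byte tarball digest and the SRI string package-lock.json would carry for it.
const SAMPLE_SHA512_HEX = 'ab'.repeat(64);
const SAMPLE_INTEGRITY = 'sha512-' + Buffer.from(SAMPLE_SHA512_HEX, 'hex').toString('base64');

// package-url for an npm package; the scope's '@' is percent-encoded (assumed npm convention).
function npmPurl(name, version) {
  return `pkg:npm/${name.replace(/^@/, '%40')}@${version}`;
}

// "sha512-<base64>" -> { algo: 'sha512', hex } for comparison with in-toto digests.
function sriToHex(integrity) {
  const dash = integrity.indexOf('-');
  if (dash < 0) throw new Error(`malformed integrity string: ${integrity}`);
  return {
    algo: integrity.slice(0, dash),
    hex: Buffer.from(integrity.slice(dash + 1), 'base64').toString('hex'),
  };
}

// Wrap an in-toto statement in a DSSE envelope the way a bundle carries it (constructed).
function makeAttestation(statement, signatures = [{ keyid: '', sig: 'Y29uc3RydWN0ZWQ=' }]) {
  return {
    predicateType: statement.predicateType,
    bundle: {
      mediaType: 'application/vnd.dev.sigstore.bundle+json;version=0.2',
      dsseEnvelope: {
        payloadType: 'application/vnd.in-toto+json',
        payload: Buffer.from(JSON.stringify(statement)).toString('base64'),
        signatures,
      },
    },
  };
}

const GOOD_STATEMENT = {
  _type: IN_TOTO_STATEMENT_V1,
  subject: [{ name: npmPurl('@cofhe/sdk', '0.6.0'), digest: { sha512: SAMPLE_SHA512_HEX } }],
  predicateType: SLSA_PROVENANCE_V1,
  predicate: { buildDefinition: {}, runDetails: {} },
};

// Returns a list of problems; an empty list means the statement binds what we expect.
function checkProvenanceStatement(attestation, { name, version, integrity }) {
  const env = attestation?.bundle?.dsseEnvelope;
  if (!env || env.payloadType !== 'application/vnd.in-toto+json') {
    return ['bundle does not carry an in-toto DSSE envelope'];
  }
  let stmt;
  try {
    stmt = JSON.parse(Buffer.from(env.payload, 'base64').toString('utf8'));
  } catch {
    return ['DSSE payload is not valid JSON'];
  }
  const problems = [];
  if (stmt._type !== IN_TOTO_STATEMENT_V1) problems.push(`unexpected statement type: ${stmt._type}`);
  if (stmt.predicateType !== SLSA_PROVENANCE_V1) problems.push(`unexpected predicateType: ${stmt.predicateType}`);
  if (attestation.predicateType !== stmt.predicateType) problems.push('outer predicateType disagrees with payload');
  if (!Array.isArray(env.signatures) || env.signatures.length === 0) problems.push('envelope has no signatures');

  const { algo, hex } = sriToHex(integrity);
  const want = npmPurl(name, version);
  const subject = (stmt.subject || []).find((s) => s.name === want);
  if (!subject) {
    problems.push(`no subject named ${want}`);
  } else if ((subject.digest?.[algo] || '').toLowerCase() !== hex) {
    problems.push(`subject ${algo} digest does not match lockfile integrity`);
  }
  return problems;
}

const TARGET = { name: '@cofhe/sdk', version: '0.6.0', integrity: SAMPLE_INTEGRITY };
console.log('good:', checkProvenanceStatement(makeAttestation(GOOD_STATEMENT), TARGET));
// A statement whose subject digest does not match the tarball the lockfile pins.
const SWAPPED = {
  ...GOOD_STATEMENT,
  subject: [{ name: npmPurl('@cofhe/sdk', '0.6.0'), digest: { sha512: 'cd'.repeat(64) } }],
};
console.log('swapped digest:', checkProvenanceStatement(makeAttestation(SWAPPED), TARGET));
```

Two caveats worth keeping in mind when reading the per-version list. First, a passing attestation proves only that the tarball was produced by the stated CI workflow from the stated source revision; it says nothing about whether that source was sound, so it complements rather than replaces the findings above. Second, the guarantee is per version: a consumer pinned to 0.1.0 gets no attestation at all, and `npm audit signatures` will report that version accordingly.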