@coinbase/x402 — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

coinbase-ownercoinbase-npm

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
install-scripts	install-script:postinstall	AI (install-scripts): Runs a local bundled script (scripts/postinstall.js), not a remote fetch; consistent with Coinbase SDK setup pattern.	ai	2026/05/11
phantom-deps	phantom-dep:zod	AI (phantom-deps): zod is a declared runtime dependency; phantom-dep heuristic false positive for this package.	ai	2026/05/11
phantom-deps	phantom-dep:viem	AI (phantom-deps): viem is a declared runtime dependency; phantom-dep heuristic false positive for this package.	ai	2026/05/11

2 findings

HIGH Package has 'postinstall' script install-scripts

Script: node scripts/postinstall.js

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

2 findings

HIGH Package has 'postinstall' script install-scripts

Script: node scripts/postinstall.js

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

2 findings

HIGH Package has 'postinstall' script install-scripts

Script: node scripts/postinstall.js

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

2 findings

HIGH Package has 'postinstall' script install-scripts

Script: node scripts/postinstall.js

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.