@cowprotocol/iframe-transport
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:index.cjs | AI (source-diff): index.cjs is a standard minified CJS bundle; content is readable iframe/postMessage transport logic with no malicious patterns. | ai | |
| provenance | publisher-changed | AI (provenance): Transition to GitHub Actions CI publisher is confirmed by SLSA provenance attestation; consistent with org-level CI migration. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a well-known implicit TypeScript runtime dep; stable false positive for TS packages. | ai | |
| phantom-deps | phantom-dep:@uniswap/sdk-core | AI (phantom-deps): Peer/type dependency referenced in config; not a direct import pattern is expected. | ai | |
| phantom-deps | phantom-dep:@cowprotocol/cow-sdk | AI (phantom-deps): Same-org dependency; phantom-dep heuristic unreliable for monorepo packages. | ai | |
| phantom-deps | phantom-dep:@cowprotocol/sdk-bridging | AI (phantom-deps): Same-org dependency; phantom-dep heuristic unreliable for monorepo packages. | ai | |
| phantom-deps | phantom-dep:@web3-react/types | AI (phantom-deps): Types-only dependency; phantom-dep false positive for type packages. | ai | |
| provenance | missing-githead | AI (provenance): SLSA attestation present; gitHead absence is cosmetic and doesn't undermine supply chain integrity for this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Part of cowprotocol/cowswap monorepo; sparse README and missing keywords are typical for internal library packages. | ai |
Versions (showing 20 of 20)
| Version | Deps | Published |
|---|---|---|
| 2.2.6 | 2 / 0 | |
| 2.2.5 | 2 / 0 | |
| 2.2.4 | 2 / 0 | |
| 2.2.3 | 2 / 0 | |
| 2.2.2 | 2 / 0 | |
| 2.2.1 | 2 / 0 | |
| 2.1.0 | 2 / 0 | |
| 2.0.13 | 2 / 0 | |
| 2.0.12 | 2 / 0 | |
| 2.0.11 | 2 / 0 | |
| 2.0.10 | 2 / 0 | |
| 2.0.9 | 7 / 0 | |
| 2.0.8 | 2 / 0 | |
| 2.0.7 | 2 / 0 | |
| 2.0.6 | 2 / 0 | |
| 2.0.5 | 2 / 0 | |
| 2.0.4 | 2 / 0 | |
| 2.0.3 | 2 / 0 | |
| 2.0.2 | 2 / 0 | |
| 1.2.0 | 0 / 0 |
v2.2.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.2.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.2.4
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.2.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.2.2
4 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
This version was published by a different npm account than previous versions on 2026-04-16. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.2.1
4 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
This version was published by a different npm account than previous versions on 2026-04-15. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1.0
4 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
This version was published by a different npm account than previous versions on 2026-04-15. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.13
4 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
This version was published by a different npm account than previous versions on 2026-04-10. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.12
4 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
This version was published by a different npm account than previous versions on 2026-04-09. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.11
4 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
This version was published by a different npm account than previous versions on 2026-04-07. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.10
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: cowprotocol_dev.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.9
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
This version was published by a different npm account than previous versions on 2026-03-18. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.8
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: cowprotocol_dev.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.7
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: cowprotocol_dev.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.6
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: cowprotocol_dev.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.5
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: cowprotocol_dev.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.4
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: cowprotocol_dev.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.3
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: cowprotocol_dev.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.2
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: cowprotocol_dev.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.