@cowprotocol/sdk-cow-shed

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

fairlightethcowprotocol_devharisangfedgiacanxolin

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Publisher is GitHub Actions with SLSA Sigstore attestation; CI/CD publish is the documented release process for this org.	ai	2026/05/30
source-diff	encoded-string-file:dist/index.js	AI (source-diff): Long hex strings are EVM bytecode constants (proxy init code) — standard for blockchain SDK packages.	ai	2026/05/29
source-diff	encoded-string-file:dist/index.mjs	AI (source-diff): Same EVM bytecode constants in ESM build; stable false positive for this package.	ai	2026/05/29
source-diff	encoded-string-file:dist/index.d.mts	AI (source-diff): Type declaration file embedding the same EVM bytecode hex constants; benign for this package.	ai	2026/05/29
source-diff	encoded-string-file:dist/index.d.ts	AI (source-diff): Type declaration file embedding the same EVM bytecode hex constants; benign for this package.	ai	2026/05/29
dependencies	unvetted-dep:@cowprotocol/sdk-common	AI (dependencies): Same-org sibling package; stable dependency pattern across versions.	ai	2026/05/27
dependencies	unvetted-dep:@cowprotocol/sdk-contracts-ts	AI (dependencies): Same-org sibling package; stable dependency pattern across versions.	ai	2026/05/27

Versions (showing 47 of 47)

Version	Deps	Published
0.3.13	3 / 18	2026-06-08
0.3.12	3 / 18	2026-06-02
0.3.11	3 / 18	2026-05-27
0.3.10	3 / 18	2026-05-22
0.3.9	3 / 18	2026-05-20
0.3.8	3 / 18	2026-04-20
0.3.7	3 / 18	2026-04-16
0.3.6	3 / 18	2026-04-14
0.3.5	3 / 18	2026-04-08
0.3.4	3 / 18	2026-04-01
0.3.3	3 / 18	2026-03-17
0.3.2	3 / 18	2026-03-17
0.3.1	3 / 18	2026-03-16
0.3.0	3 / 18	2026-03-16
0.2.22	3 / 18	2026-03-10
0.2.21	3 / 18	2026-03-04
0.2.20	3 / 18	2026-03-04
0.2.19	3 / 18	2026-02-20
0.2.18	3 / 18	2026-02-19
0.2.17	3 / 18	2026-02-05
0.2.16	3 / 18	2026-02-02
0.2.15	3 / 18	2026-02-02
0.2.14	3 / 18	2026-01-28
0.2.13	3 / 18	2026-01-28
0.2.12	3 / 18	2026-01-22
0.2.11	3 / 18	2026-01-21
0.2.10	3 / 18	2026-01-19
0.2.9	3 / 18	2025-12-19
0.2.8	3 / 18	2025-12-11
0.2.7	3 / 18	2025-12-10
0.2.6	3 / 18	2025-12-05
0.2.5	3 / 18	2025-12-04
0.2.3	3 / 18	2025-11-27
0.2.2	3 / 18	2025-11-24
0.2.1	3 / 18	2025-11-24
0.2.0	3 / 18	2025-11-07
0.1.10	3 / 18	2025-11-05
0.1.9	3 / 18	2025-10-30
0.1.8	3 / 18	2025-10-29
0.1.7	3 / 18	2025-10-24
0.1.6	3 / 18	2025-10-15
0.1.5	3 / 18	2025-10-08
0.1.4	3 / 18	2025-10-06
0.1.3	3 / 18	2025-09-24
0.1.2	3 / 18	2025-09-23
0.1.1	3 / 18	2025-09-22
0.1.0	3 / 18	2025-09-17

v0.3.13

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.12

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.11

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.10

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.9

6 findings

HIGH Publisher changed: cowprotocol_dev → GitHub Actions (on 2026-05-20) provenance

This version was published by a different npm account than previous versions on 2026-05-20. This could indicate a legitimate maintainer transition or an account compromise.

HIGH Long encoded string in modified file: dist/index.js source-diff

Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: dist/index.mjs source-diff

Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: dist/index.d.mts source-diff

Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: dist/index.d.ts source-diff

Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.8

6 findings

HIGH Publisher changed: cowprotocol_dev → GitHub Actions (on 2026-04-20) provenance

This version was published by a different npm account than previous versions on 2026-04-20. This could indicate a legitimate maintainer transition or an account compromise.