
@cubist-labs/cubesigner-sdk

CubeSigner TypeScript SDK

Versions: 13
License: MIT OR Apache-2.0
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- gitHead linked

Maintainers

mlfbrown_cubistamilicevicnoetzli

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | obfuscated-file:dist/src/audit_log.js | AI (source-diff): Long lines are generated zod discriminatedUnion type definitions, not obfuscated code. | ai |
source-diff | obfuscated-file:dist/src/audit_log.d.ts | AI (source-diff): Long lines are generated TypeScript union type declarations from zod schema, not obfuscated code. | ai |
source-diff | encoded-string-file:dist/src/schema.d.ts | AI (source-diff): Long string is a Solana base64 example value in an OpenAPI spec comment, not a payload. | ai |
source-diff | encoded-string-file:src/schema.ts | AI (source-diff): Long string is a Solana base64 example value in an OpenAPI spec comment, not a payload. | ai |
semgrep | semgrep:hex-decode | AI (semgrep): Routine hex parsing utility in a crypto/signing SDK; not a payload-hiding pattern. | ai |
semgrep | semgrep:base64-decode | AI (semgrep): Standard base64 decode utility in a crypto SDK; expected and benign. | ai |

Versions (showing 13 of 13)

Version | Deps | Published
0.4.254 2 / 2
0.4.252 2 / 2
0.4.250 2 / 2
0.4.247 2 / 2
0.4.246 2 / 2
0.4.244 2 / 2
0.4.241 2 / 2
0.4.239 2 / 2
0.4.237 1 / 2
0.4.236 1 / 2
0.4.231 1 / 2
0.4.229 1 / 2
0.4.228 1 / 2

v0.4.254

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.252

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.250

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.247

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.246

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.244

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.241

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.239

5 findings
HIGH New obfuscated file: dist/src/audit_log.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/src/audit_log.d.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH Long encoded string in modified file: dist/src/schema.d.ts source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: src/schema.ts source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.237

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.236

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.231

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.229

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.228

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.