← Home

@elizaos/core

npm

The `@elizaos/core` package provides a robust foundation for building AI agents with dynamic interaction capabilities. It enables agents to manage entities, memories, and context, and to interact with external systems, going beyond simple message response

5
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

shawticusshakkernerdwtfsayoodilitimecjft

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
phantom-deps phantom-dep:fast-redact AI (phantom-deps): Newly added legitimate dependency; phantom-dep detection is a false positive for this build system and package structure. ai
phantom-deps phantom-dep:@langchain/core AI (phantom-deps): Newly added legitimate langchain dependency replacing 'langchain'; phantom-dep detection is a false positive for this build system. ai
phantom-deps phantom-dep:@langchain/textsplitters AI (phantom-deps): Newly added legitimate langchain dependency replacing 'langchain'; phantom-dep detection is a false positive for this build system. ai
typosquat typosquat.levenshtein:cors AI (typosquat): @elizaos/core is a scoped framework package with 490 days of history and 46.7k weekly downloads; 'core' is a generic word, not an impersonation of the 'cors' middleware. ai
phantom-deps phantom-dep:adze AI (phantom-deps): Framework core packages commonly declare deps used conditionally or re-exported; not a security concern for this established package. ai
phantom-deps phantom-dep:glob AI (phantom-deps): Framework core packages commonly declare deps used conditionally or re-exported; not a security concern for this established package. ai
phantom-deps phantom-dep:uuid AI (phantom-deps): Framework core packages commonly declare deps used conditionally or re-exported; not a security concern for this established package. ai
phantom-deps phantom-dep:langchain AI (phantom-deps): Framework core packages commonly declare deps used conditionally or re-exported; not a security concern for this established package. ai
phantom-deps phantom-dep:handlebars AI (phantom-deps): Framework core packages commonly declare deps used conditionally or re-exported; not a security concern for this established package. ai
phantom-deps phantom-dep:pdfjs-dist AI (phantom-deps): Framework core packages commonly declare deps used conditionally or re-exported; not a security concern for this established package. ai
phantom-deps phantom-dep:crypto-browserify AI (phantom-deps): Framework core packages commonly declare deps used conditionally or re-exported; not a security concern for this established package. ai
phantom-deps phantom-dep:unique-names-generator AI (phantom-deps): Framework core packages commonly declare deps used conditionally or re-exported; not a security concern for this established package. ai

Versions (showing 5 of 5)

Version Deps Published
1.7.2 12 / 7
1.7.1 12 / 7
1.7.0 12 / 7
1.6.5 12 / 7
1.6.4 10 / 5

v1.7.2

2 findings
HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@elizaos/core' is 1 edit(s) away from popular package 'cors'.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.7.1

2 findings
HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@elizaos/core' is 1 edit(s) away from popular package 'cors'.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.7.0

2 findings
HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@elizaos/core' is 1 edit(s) away from popular package 'cors'.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.5

2 findings
HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@elizaos/core' is 1 edit(s) away from popular package 'cors'.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.4

2 findings
HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@elizaos/core' is 1 edit(s) away from popular package 'cors'.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.