@f2a/network No license 28 versions

@f2a/network

npm Repository Homepage

28

Versions

—

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

lucius_cao

Keywords

p2plibp2pagentopenclawnetworking

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:env-spread	AI (semgrep): Standard child-process env pass-through pattern; not exfiltration.	ai	2026/05/19
semgrep	semgrep:etc-passwd-access	AI (semgrep): Fires on a test file string literal used to verify dangerous-path detection, not actual /etc/passwd access.	ai	2026/05/19
semgrep	semgrep:http-module-request	AI (semgrep): HTTP requests are in e2e test files targeting localhost; not production exfiltration.	ai	2026/05/19
semgrep	semgrep:base64-decode	AI (semgrep): Base64 in crypto test for key import/export; expected pattern for E2EE crypto library.	ai	2026/05/19
phantom-deps	phantom-dep:uint8arrays	AI (phantom-deps): Declared but used transitively via libp2p stack; stable false positive for this package.	ai	2026/05/19
phantom-deps	phantom-dep:@libp2p/crypto	AI (phantom-deps): Declared but used transitively; stable false positive for this package.	ai	2026/05/19

Versions (showing 28 of 28)

Version	Deps	Published
0.8.1	20 / 7	2026-04-24
0.8.0	20 / 7	2026-04-24
0.7.5	20 / 7	2026-04-21
0.7.4	20 / 7	2026-04-21
0.7.3	20 / 7	2026-04-20
0.7.2	20 / 7	2026-04-20
0.7.1	20 / 7	2026-04-20
0.7.0	20 / 7	2026-04-20
0.4.18	19 / 7	2026-04-13
0.4.15	19 / 7	2026-04-08
0.4.14	19 / 7	2026-04-06
0.4.13	19 / 7	2026-04-06
0.4.12	19 / 7	2026-03-31
0.4.11	18 / 6	2026-03-30
0.4.9	18 / 6	2026-03-30
0.4.8	18 / 6	2026-03-29
0.4.7	18 / 6	2026-03-27
0.4.5	18 / 6	2026-03-25
0.4.4	18 / 6	2026-03-25
0.4.3	18 / 6	2026-03-25
0.4.2	18 / 6	2026-03-25
0.4.1	18 / 6	2026-03-25
0.4.0	19 / 5	2026-03-25
0.3.2	13 / 5	2026-03-22
0.3.1	13 / 5	2026-03-19
0.2.0	13 / 4	2026-03-18
0.1.3	12 / 4	2026-03-09
0.1.2	12 / 4	2026-03-09

v0.8.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.7.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.2

3 findings

HIGH env-spread: packages/openclaw-adapter/src/node-manager.ts:174 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/LuciusCao/F2A/blob/c7e66d4d9ececeae01bd8441bd9d1356b6198f9a/packages/openclaw-adapter/src/node-manager.ts#L174 172 | this.process = spawn('node', [daemonPath], { 173 | cwd: this.config.nodePath, > 174 | env: { 175 | ...process.env, 176 | F2A_CONTROL_PORT: String(this.config.controlPort),

HIGH etc-passwd-access: packages/openclaw-adapter/src/task-guard.test.ts:257 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/LuciusCao/F2A/blob/c7e66d4d9ececeae01bd8441bd9d1356b6198f9a/packages/openclaw-adapter/src/task-guard.test.ts#L257 255 | it('应该检测系统路径文件操作', () => { 256 | const dangerousPaths = [ > 257 | 'read /etc/passwd', 258 | 'write to /sys/config', 259 | 'delete /proc/123',

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.