@fedify/fedify
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | encoded-string-file:dist/sig/ld.test.mjs | AI (source-diff): Long encoded strings are RSA signature test vectors and PEM public keys used in cryptographic unit tests for ActivityPub Linked Data Signatures — not obfuscated payloads. | ai | |
| source-diff | encoded-string-file:dist/federation/middleware.test.mjs | AI (source-diff): Long encoded strings are multibase-encoded public keys (Multikey/Ed25519) used in federation test fixtures — standard ActivityPub/W3C DID test data, not obfuscated payloads. | ai | |
| source-diff | encoded-string-file:dist/federation/middleware.test.js | AI (source-diff): Long encoded string is a publicKeyMultibase test fixture for ActivityPub multikey cryptography tests — expected in a federation middleware test suite. | ai | |
| source-diff | encoded-string-file:dist/sig/ld.test.js | AI (source-diff): Long encoded string is an RSA signatureValue test vector for LinkedData signature verification — expected cryptographic test fixture in an ActivityPub crypto library. | ai | |
| dependencies | unvetted-dep:byte-encodings | AI (dependencies): byte-encodings is a utility library for encoding/decoding. Legitimate dependency for an ActivityPub framework handling cryptographic operations. | ai | |
| dependencies | unvetted-dep:jsonld | AI (dependencies): jsonld is a standard JSON-LD processing library, appropriate and expected for an ActivityPub framework. Stable dependency for this package. | ai | |
| dependencies | unvetted-dep:json-canon | AI (dependencies): json-canon is a JSON canonicalization library used for cryptographic signing in ActivityPub. Legitimate dependency for this package. | ai | |
| dependencies | unvetted-dep:@logtape/logtape | AI (dependencies): @logtape/logtape is a structured logging library by the same author (Hong Minhee). Legitimate and expected dependency. | ai | |
| dependencies | unvetted-dep:uri-template-router | AI (dependencies): uri-template-router is a URI template routing library. Legitimate dependency for an HTTP-based ActivityPub framework. | ai | |
| dependencies | unvetted-dep:structured-field-values | AI (dependencies): structured-field-values parses HTTP Structured Fields (RFC 8941). Legitimate dependency for an ActivityPub/HTTP framework. | ai | |
| phantom-deps | phantom-dep:asn1js | AI (phantom-deps): asn1js is a legitimate ASN.1 parsing library used alongside pkijs for cryptographic operations; phantom-dep finding is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:@cfworker/json-schema | AI (phantom-deps): JSON schema validation library for Cloudflare Workers support; referenced in config files for bundling, not a malicious phantom dep. | ai | |
| phantom-deps | phantom-dep:pkijs | AI (phantom-deps): pkijs is a legitimate PKI/crypto library declared as a dependency for bundling/config purposes in this ActivityPub framework; not a malicious phantom dep. | ai | |
| phantom-deps | phantom-dep:@multiformats/base-x | AI (phantom-deps): Base encoding library appropriate for a federated protocol framework; phantom-dep finding is a false positive. | ai | |
| phantom-deps | phantom-dep:multicodec | AI (phantom-deps): multicodec is a legitimate encoding library appropriate for a federated protocol framework; referenced in config files for bundling. | ai | |
| phantom-deps | phantom-dep:jsonld | AI (phantom-deps): jsonld is a legitimate runtime dependency declared in package.json; the phantom-dep finding reflects it being referenced in config rather than directly imported in source, not a security issue. | ai | |
Versions (showing 33 of 33)
| Version | Deps | Published |
|---|---|---|
| 2.2.5 | 17 / 11 | |
| 2.2.4 | 17 / 11 | |
| 2.2.3 | 17 / 11 | |
| 2.2.2 | 17 / 11 | |
| 2.2.1 | 17 / 11 | |
| 2.1.14 | 17 / 11 | |
| 2.1.13 | 17 / 11 | |
| 2.1.12 | 17 / 11 | |
| 2.1.11 | 17 / 11 | |
| 2.1.10 | 17 / 11 | |
| 2.1.9 | 17 / 11 | |
| 2.1.8 | 17 / 11 | |
| 2.1.7 | 17 / 11 | |
| 2.1.6 | 17 / 11 | |
| 2.1.5 | 17 / 11 | |
| 2.1.4 | 17 / 11 | |
| 2.0.18 | 17 / 11 | |
| 2.0.17 | 17 / 11 | |
| 2.0.16 | 17 / 11 | |
| 2.0.15 | 17 / 11 | |
| 2.0.14 | 17 / 11 | |
| 2.0.13 | 17 / 11 | |
| 2.0.11 | 17 / 11 | |
| 2.0.9 | 17 / 11 | |
| 2.0.8 | 17 / 11 | |
| 1.10.10 | 20 / 13 | |
| 1.10.9 | 20 / 13 | |
| 1.10.6 | 20 / 13 | |
| 1.10.5 | 20 / 13 | |
| 1.9.11 | 18 / 13 | |
| 1.9.10 | 18 / 13 | |
| 1.9.7 | 18 / 13 | |
| 1.9.6 | 18 / 13 | |
v2.2.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.2.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.2.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.2.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.2.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1.14
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1.13
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1.12
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1.11
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1.10
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1.9
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1.8
3 findings:
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1.7
3 findings:
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1.6
3 findings:
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.1.4
3 findings:
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.18
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.17
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.16
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.15
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.14
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.13
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.11
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.9
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.8
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.10.10
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.10.9
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.10.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.10.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.9.11
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.9.10
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.9.7
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.9.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.