@flowx-finance/sdk
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decoding is used to convert Pyth price feed IDs into byte arrays for Sui transaction arguments — standard DeFi/oracle integration pattern, not a malicious payload. | ai | |
| phantom-deps | phantom-dep:d3 | AI (phantom-deps): d3 is declared as a runtime dependency; may be used in specific code paths not caught by static import analysis. Stable false positive for this package. | ai |
Versions (showing 30 of 30)
| Version | Deps | Published |
|---|---|---|
| 2.1.0 | 16 / 0 | |
| 2.0.3 | 16 / 0 | |
| 2.0.2 | 16 / 0 | |
| 2.0.1 | 16 / 0 | |
| 2.0.0 | 16 / 0 | |
| 1.15.0 | 16 / 0 | |
| 1.14.0 | 16 / 0 | |
| 1.13.8 | 16 / 0 | |
| 1.13.7 | 16 / 0 | |
| 1.13.6 | 16 / 0 | |
| 1.13.5 | 16 / 0 | |
| 1.13.4 | 16 / 0 | |
| 1.13.3 | 16 / 0 | |
| 1.13.2 | 16 / 0 | |
| 1.13.0 | 16 / 0 | |
| 1.12.0 | 13 / 0 | |
| 1.11.3 | 13 / 0 | |
| 1.11.2 | 13 / 0 | |
| 1.11.1 | 13 / 0 | |
| 1.11.0 | 13 / 0 | |
| 1.10.25 | 13 / 0 | |
| 1.10.24 | 13 / 0 | |
| 1.10.23 | 13 / 0 | |
| 1.10.22 | 13 / 0 | |
| 1.10.21 | 13 / 0 | |
| 1.10.20 | 13 / 0 | |
| 1.10.19 | 13 / 0 | |
| 1.10.18 | 13 / 0 | |
| 1.10.17 | 13 / 0 | |
| 1.10.16 | 13 / 0 |
v2.1.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.13.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.13.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.11.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.11.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.25
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.24
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.23
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.22
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.21
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.20
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.19
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.18
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.10.17
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.10.16
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.