@fuel-ts/script — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

fuel-ci

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	encoded-string-file:dist/index.global.js	AI (source-diff): Encoded string is a base64 WASM binary for fuel-ts math/instruction processing; stable pattern across this package family.	ai	2026/05/31
bogus-package	bogus-package	AI (bogus-package): Monorepo sub-package; missing metadata is expected pattern for fuel-ts packages.	ai	2026/05/25
typosquat	typosquat.levenshtein:bcrypt	AI (typosquat): Scoped @fuel-ts/* package from FuelLabs monorepo; levenshtein match to bcrypt is a false positive.	ai	2026/05/20
typosquat	typosquat.levenshtein:stripe	AI (typosquat): Scoped @fuel-ts/* package from FuelLabs monorepo; levenshtein match to stripe is a false positive.	ai	2026/05/20
phantom-deps	phantom-dep:@fuel-ts/transactions	AI (phantom-deps): Same-org sibling dep; may be used transitively or in type declarations without direct import.	ai	2026/05/20

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

2 findings

HIGH Long encoded string in modified file: dist/index.global.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.