@funkit/connect
Funkit Connect SDK elevates DeFi apps via web2 sign-ins and one-click checkouts.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/clients/fanatics.js | AI (source-diff): File is a standard bundled/minified React+vanilla-extract client theme, not obfuscated malware. | ai | |
| phantom-deps | phantom-dep:bech32 | AI (phantom-deps): bech32 is a common crypto utility; likely used transitively or in config; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:use-debounce | AI (phantom-deps): Stable false positive for this bundled UI package. | ai | |
| phantom-deps | phantom-dep:@solana/addresses | AI (phantom-deps): Wallet connector package; Solana dep likely peer/optional, stable FP. | ai | |
| phantom-deps | phantom-dep:react-remove-scroll | AI (phantom-deps): UI component dep; stable FP for this package. | ai | |
| phantom-deps | phantom-dep:ua-parser-js | AI (phantom-deps): Bundled UI library; phantom-dep heuristic fires on bundled/peer deps consistently for this package. | ai | |
| phantom-deps | phantom-dep:@vanilla-extract/dynamic | AI (phantom-deps): Styling dep; stable FP for this package. | ai | |
| phantom-deps | phantom-dep:@aave-dao/aave-address-book | AI (phantom-deps): Newly added Aave dep; referenced in config, stable FP pattern for this package. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-dropdown-menu | AI (phantom-deps): UI component dep; stable FP for this package. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-tooltip | AI (phantom-deps): UI component dep; stable FP for this package. | ai | |
| provenance | no-provenance | AI (provenance): Established package published via GitHub Actions; lack of Sigstore attestation is common and not a disqualifier here. | ai | |
| phantom-deps | phantom-dep:@types/uuid | AI (phantom-deps): Type-only package; not imported at runtime by design. | ai | |
| phantom-deps | phantom-dep:@vanilla-extract/css | AI (phantom-deps): Referenced in config files (vanilla-extract build tooling pattern), not a runtime import. | ai | |
Versions (showing 50 of 50)
| Version | Deps | Published |
|---|---|---|
| 9.18.0 | 29 / 38 | |
| 9.17.0 | 29 / 38 | |
| 9.16.0 | 29 / 38 | |
| 9.15.1 | 30 / 38 | |
| 9.15.0 | 30 / 38 | |
| 9.14.0 | 28 / 36 | |
| 9.13.0 | 28 / 36 | |
| 9.12.0 | 28 / 34 | |
| 9.11.0 | 28 / 34 | |
| 9.10.0 | 28 / 34 | |
| 9.9.0 | 28 / 34 | |
| 9.8.0 | 28 / 34 | |
| 9.7.1 | 27 / 34 | |
| 9.7.0 | 27 / 34 | |
| 9.6.1 | 27 / 34 | |
| 9.6.0 | 27 / 34 | |
| 9.5.1 | 27 / 34 | |
| 9.5.0 | 27 / 34 | |
| 9.4.3 | 26 / 34 | |
| 9.4.1 | 26 / 34 | |
| 9.3.2 | 26 / 34 | |
| 9.3.1 | 26 / 34 | |
| 9.3.0 | 25 / 34 | |
| 9.2.1 | 25 / 34 | |
| 9.2.0 | 25 / 34 | |
| 9.0.3 | 25 / 34 | |
| 9.0.2 | 25 / 34 | |
| 9.0.1 | 25 / 34 | |
| 9.0.0 | 25 / 34 | |
| 8.6.0 | 26 / 33 | |
| 8.5.0 | 26 / 34 | |
| 8.4.0 | 26 / 34 | |
| 8.3.0 | 26 / 34 | |
| 8.2.1 | 26 / 34 | |
| 8.2.0 | 26 / 34 | |
| 8.1.0 | 26 / 34 | |
| 8.0.0 | 26 / 34 | |
| 7.1.1 | 26 / 34 | |
| 7.1.0 | 26 / 34 | |
| 7.0.2 | 25 / 33 | |
| 7.0.0 | 26 / 33 | |
| 6.15.6 | 28 / 33 | |
| 6.15.4 | 28 / 33 | |
| 6.15.2 | 26 / 32 | |
| 6.14.22 | 27 / 32 | |
| 6.14.18 | 27 / 32 | |
| 6.14.17 | 28 / 32 | |
| 6.14.15 | 28 / 32 | |
| 6.14.14 | 28 / 30 | |
| 6.14.13 | 28 / 27 | |
v9.18.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.17.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.16.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.15.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.15.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.14.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.13.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.12.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.11.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.10.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.9.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.8.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.7.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.6.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.6.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.5.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.5.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.4.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.4.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.3.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.3.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.3.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.2.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.2.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.6.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.5.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.4.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.3.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.2.1
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.2.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.1.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.1.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.1.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.15.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.15.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.15.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.14.22
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.14.18
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.14.17
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.14.15
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.14.14
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.14.13
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.