@gooddollar/web3sdk-v2
ethers and react hooks based on usedapp sdk for GoodDollar protocol
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source: the registry can attest which account uploaded it, but not which commit and which CI build produced it. The axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Established package with 451 versions; lack of provenance is consistent across all prior releases. | ai | |
| phantom-deps | phantom-dep:@walletconnect/client | AI (phantom-deps): Declared as peer/optional dep for wallet integration; not directly imported but legitimately referenced in config. | ai | |
| phantom-deps | phantom-dep:@ceramicnetwork/http-client | AI (phantom-deps): Ceramic deps are optional integration points; phantom-dep heuristic is a stable FP for this package. | ai | |
| phantom-deps | phantom-dep:@ceramicnetwork/stream-tile | AI (phantom-deps): Same as above — optional Ceramic integration, stable FP. | ai | |
| phantom-deps | phantom-dep:@walletconnect/qrcode-modal | AI (phantom-deps): WalletConnect UI dep; referenced in config but not directly imported, stable FP. | ai | |
| phantom-deps | phantom-dep:@web3auth/torus-wallet-connector-plugin | AI (phantom-deps): Declared for peer/config use; stable false positive for this SDK package. | ai | |
| semgrep | semgrep:shady-links-tlds | AI (semgrep): goodcollective.xyz is the project's own product domain, not a C2 endpoint. | ai | |
| phantom-deps | phantom-dep:@solana/web3.js | AI (phantom-deps): Declared for peer/config use; stable false positive for this SDK package. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Standard Buffer.from(base64) for S3 upload body; not obfuscation or exfiltration. | ai | |
| phantom-deps | phantom-dep:@web3auth/base | AI (phantom-deps): Declared for peer/config use; stable false positive for this SDK package. | ai | |
| phantom-deps | phantom-dep:@web3auth/core | AI (phantom-deps): Declared for peer/config use; stable false positive for this SDK package. | ai | |
| phantom-deps | phantom-dep:@web3auth/openlogin-adapter | AI (phantom-deps): Declared for peer/config use; stable false positive for this SDK package. | ai | |
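The two checks behind the findings on this page, the provenance status in the section above and the phantom-dependency heuristic the accepted-risk rows refer to, can be reproduced locally. The following is an added example written for this page; it is not code from the @gooddollar/web3sdk-v2 project or from the scanner that produced the report. It assumes the shape the npm registry uses for a provenance-enabled version (`dist.attestations.url` plus `dist.attestations.provenance.predicateType`; confirm for a real package with `npm view <pkg>@<ver> dist.attestations`), and all sample data (the version documents, the package.json and the source snippets) is constructed. The function and variable names are this example's own.

```javascript
// Added example, not part of @gooddollar/web3sdk-v2 or of the scanner that
// produced this report. Two local checks:
//   1. does a registry version document carry npm/Sigstore provenance?
//   2. which bare imports are phantom (imported but never declared), and which
//      declared deps are never imported (the peer/optional case accepted above)?

// Assumed registry shape for a version published with `npm publish --provenance`:
// dist.attestations.url points at the attestation bundle and
// dist.attestations.provenance.predicateType names the SLSA predicate.
// No `dist.attestations` at all means the version has no provenance.
function provenanceStatus(versionMeta) {
  const att = versionMeta && versionMeta.dist && versionMeta.dist.attestations;
  if (!att || !att.url) {
    return { hasProvenance: false, predicateType: null, attestationUrl: null };
  }
  return {
    hasProvenance: true,
    predicateType: (att.provenance && att.provenance.predicateType) || null,
    attestationUrl: att.url,
  };
}

// Reduce an import specifier to the package name that must appear in
// package.json: "@scope/name/sub/path" -> "@scope/name", "lodash/fp" -> "lodash".
// Relative paths, absolute paths and node: builtins are not packages.
function packageNameOf(specifier) {
  if (specifier.startsWith('.') || specifier.startsWith('/') || specifier.startsWith('node:')) {
    return null;
  }
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Pull specifiers out of source text: `import ... from 'x'`, `import 'x'`,
// `require('x')`, `import('x')`. A regex scan is enough for a review heuristic;
// it is not a parser and will miss specifiers built at runtime.
function importedPackages(source) {
  const re = /(?:from\s*|import\s*\(?\s*|require\s*\(\s*)['"]([^'"]+)['"]/g;
  const names = new Set();
  for (const m of source.matchAll(re)) {
    const name = packageNameOf(m[1]);
    if (name) names.add(name);
  }
  return names;
}

// Compare what the code imports with what package.json declares.
// phantom: imported but declared nowhere (only resolves because something else
//          hoisted it into node_modules; this is what the phantom-deps rule flags)
// unused:  declared but never imported (peer/optional integration points such as
//          the WalletConnect and Ceramic entries in the table above land here)
function auditDeps(pkgJson, sources) {
  const declared = new Set([
    ...Object.keys(pkgJson.dependencies || {}),
    ...Object.keys(pkgJson.peerDependencies || {}),
    ...Object.keys(pkgJson.optionalDependencies || {}),
  ]);
  const imported = new Set();
  for (const src of sources) for (const n of importedPackages(src)) imported.add(n);
  const phantom = [...imported].filter((n) => !declared.has(n)).sort();
  const unused = [...declared].filter((n) => !imported.has(n)).sort();
  return { phantom, unused };
}

// Constructed sample data: not real registry responses or project files.
const SAMPLE_VERSIONS = {
  'with-provenance@1.0.0': {
    dist: {
      attestations: {
        url: 'https://registry.npmjs.org/-/npm/v1/attestations/with-provenance@1.0.0',
        provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
      },
    },
  },
  'no-provenance@0.4.40': { dist: {} },
};

const SAMPLE_PKG = {
  dependencies: { ethers: '^5', '@usedapp/core': '^1' },
  peerDependencies: { '@walletconnect/client': '^1' },
};

const SAMPLE_SOURCES = [
  "import { ethers } from 'ethers';\nimport { useEthers } from '@usedapp/core';",
  "const qr = require('@walletconnect/qrcode-modal');\nimport './local';\nimport fs from 'node:fs';",
];

function report() {
  const provenance = {};
  for (const [id, meta] of Object.entries(SAMPLE_VERSIONS)) {
    provenance[id] = provenanceStatus(meta);
  }
  return { provenance, deps: auditDeps(SAMPLE_PKG, SAMPLE_SOURCES) };
}

console.log(JSON.stringify(report(), null, 2));
```

For a real install, `npm audit signatures` performs the registry-side check: it verifies the registry signature of every installed package and, for packages that ship attestations, the provenance bundle, and exits non-zero when a signature or attestation fails to verify. A version with no attestations at all (the state every row on this page reports) does not fail that command, so the absence still has to be checked explicitly, as `provenanceStatus` does.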
Versions (showing 8 of 8)
| Version | Deps | Published |
|---|---|---|
| 0.4.40 | 35 / 50 | |
| 0.4.37 | 35 / 50 | |
| 0.4.23 | 37 / 50 | |
| 0.4.21 | 40 / 50 | |
| 0.4.20 | 40 / 50 | |
| 0.4.14 | 40 / 50 | |
| 0.4.13 | 40 / 50 | |
| 0.4.11 | 40 / 50 | |
v0.4.40
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.23
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.21
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.20
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.14
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.13
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.11
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.