← Home

@helia/interface

npm Repository Homepage
8
Versions
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

npm-service-account-ipfsachingbrain

Keywords

IPFS

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance publisher-changed AI (provenance): Publisher changed from npm-service-account-ipfs to GitHub Actions, consistent with migration to CI/CD provenance-backed publishing for the ipfs/helia org. SLSA attestation confirms legitimate automated publishing. ai
publish-pattern dormant-publish AI (publish-pattern): Dormancy explained by publishing workflow migration; SLSA provenance attestation and no material code changes confirm no takeover. Established package in the IPFS ecosystem. ai
dependencies unvetted-dep:interface-blockstore AI (dependencies): interface-blockstore is a well-known IPFS ecosystem package; its use in @helia/interface is expected and legitimate. ai

Versions (showing 8 of 8)

Version Deps Published
6.2.1 8 / 1
6.2.0 8 / 1
6.1.1 8 / 1
6.1.0 8 / 1
6.0.3 8 / 1
6.0.2 8 / 1
6.0.1 8 / 1
6.0.0 8 / 1

v6.2.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.2.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.1.1

2 findings
HIGH Publisher changed: npm-service-account-ipfs → GitHub Actions (on 2026-02-05) provenance

This version was published by a different npm account than previous versions on 2026-02-05. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.1.0

2 findings
HIGH Publisher changed: npm-service-account-ipfs → GitHub Actions (on 2026-02-04) provenance

This version was published by a different npm account than previous versions on 2026-02-04. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.0.3

2 findings
HIGH Publisher changed: npm-service-account-ipfs → GitHub Actions (on 2026-02-02) provenance

This version was published by a different npm account than previous versions on 2026-02-02. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.0.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.0.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.