← Home

@helia/routers

npm Repository Homepage
11
Versions
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

npm-service-account-ipfsachingbrain

Keywords

IPFS

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance publisher-changed AI (provenance): IPFS/Helia migrated from npm-service-account-ipfs to GitHub Actions OIDC publishing; SLSA provenance attestation confirms the release originates from the official ipfs/helia repo. ai
publish-pattern dormant-publish AI (publish-pattern): Dormancy followed by CI/CD migration is expected for this monorepo package; SLSA provenance and no material code changes confirm legitimacy. ai
dependencies unvetted-dep:ipns AI (dependencies): ipns is a core IPFS ecosystem package, expected dependency for Helia routing; not a suspicious third-party package. ai
dependencies unvetted-dep:@helia/interface AI (dependencies): @helia/interface is a first-party Helia package from the same ipfs/helia monorepo; stable expected dependency. ai
dependencies unvetted-dep:@multiformats/uri-to-multiaddr AI (dependencies): @multiformats/uri-to-multiaddr is a core multiformats/IPFS ecosystem package; expected dependency for routing. ai
dependencies unvetted-dep:@helia/delegated-routing-v1-http-api-client AI (dependencies): First-party Helia package from the same ipfs/helia monorepo; expected dependency for delegated routing functionality. ai

Versions (showing 11 of 11)

Version Deps Published
5.1.1 10 / 6
5.1.0 10 / 6
5.0.3 10 / 6
5.0.2 10 / 6
5.0.1 10 / 6
5.0.0 10 / 6
4.0.6 11 / 5
4.0.5 11 / 5
4.0.4 11 / 5
4.0.3 10 / 5
4.0.2 10 / 5

v5.1.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.1.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.1

2 findings
HIGH Publisher changed: npm-service-account-ipfs → GitHub Actions (on 2026-02-02) provenance

This version was published by a different npm account than previous versions on 2026-02-02. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.6

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.5

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.