@helia/unixfs No license 11 versions

@helia/unixfs

npm Repository Homepage

11

Versions

—

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

npm-service-account-ipfsachingbrain

Keywords

IPFS

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): The @helia/unixfs package migrated from npm-service-account-ipfs to GitHub Actions CI/CD publishing with SLSA provenance. This is a documented, intentional transition for the ipfs/helia monorepo.	ai	2026/04/27
publish-pattern	dormant-publish	AI (publish-pattern): Dormancy followed by GitHub Actions publish with valid SLSA provenance attestation from the official ipfs/helia repo. Not indicative of account takeover.	ai	2026/04/27
dependencies	unvetted-dep:interface-blockstore	AI (dependencies): interface-blockstore is a core IPFS/Helia ecosystem interface package from the same org; unvetted status is a registry gap.	ai	2026/04/25
dependencies	unvetted-dep:ipfs-unixfs-exporter	AI (dependencies): ipfs-unixfs-exporter is a canonical IPFS package from the same organization; no risk signals.	ai	2026/04/25
dependencies	unvetted-dep:it-to-buffer	AI (dependencies): it-to-buffer is a well-known IPFS ecosystem utility package; unvetted status reflects registry gap, not actual risk.	ai	2026/04/25
dependencies	unvetted-dep:@multiformats/murmur3	AI (dependencies): @multiformats/murmur3 is from the official multiformats org, part of the IPFS ecosystem; unvetted status is a registry gap.	ai	2026/04/25
dependencies	unvetted-dep:ipfs-unixfs-importer	AI (dependencies): ipfs-unixfs-importer is a canonical IPFS package from the same organization; no risk signals.	ai	2026/04/25
dependencies	unvetted-dep:sparse-array	AI (dependencies): sparse-array is a stable, widely-used utility; no malicious signals present.	ai	2026/04/25

Versions (showing 11 of 11)

Version	Deps	Published
7.2.1	20 / 6	2026-04-13
7.2.0	20 / 6	2026-04-09
7.1.0	20 / 6	2026-03-18
7.0.4	21 / 6	2026-02-05
7.0.3	21 / 6	2026-02-04
7.0.2	21 / 6	2026-02-02
7.0.1	21 / 6	2026-01-15
7.0.0	21 / 6	2026-01-12
6.0.4	21 / 6	2025-12-12
6.0.3	21 / 6	2025-10-29
6.0.2	21 / 6	2025-10-27

v7.2.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.2.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.1.0

2 findings

HIGH Publisher changed: npm-service-account-ipfs → GitHub Actions (on 2026-03-18) provenance

This version was published by a different npm account than previous versions on 2026-03-18. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.0.3

2 findings

HIGH Publisher changed: npm-service-account-ipfs → GitHub Actions (on 2026-02-04) provenance

This version was published by a different npm account than previous versions on 2026-02-04. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.0.2

2 findings

HIGH Publisher changed: npm-service-account-ipfs → GitHub Actions (on 2026-02-02) provenance

This version was published by a different npm account than previous versions on 2026-02-02. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.0.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.0.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.0.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.0.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.