@inco/lightning — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

amaurymsilasdavismuskbustertoboutheoxdnode.cm

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:automata-dcap-attestation	AI (phantom-deps): Foundry remapping; not a JS import, phantom-dep is a false positive for Solidity contract packages.	ai	2026/05/10
phantom-deps	phantom-dep:automata-on-chain-pccs	AI (phantom-deps): Foundry remapping; not a JS import, phantom-dep is a false positive for Solidity contract packages.	ai	2026/05/10
npm-metadata	url-dep:automata-on-chain-pccs	AI (npm-metadata): Pinned to tagged release v1.0.0; standard Foundry dependency pattern for this package.	ai	2026/05/10
npm-metadata	url-dep:solady	AI (npm-metadata): Solidity contract library; URL deps pinned to tagged commits are standard for Foundry-based packages.	ai	2026/05/10
phantom-deps	phantom-dep:solady	AI (phantom-deps): Foundry remapping; not a JS import, phantom-dep is a false positive for Solidity contract packages.	ai	2026/05/10
dependencies	unvetted-dep:automata-dcap-attestation	AI (dependencies): Automata Network's DCAP attestation; pinned to evm-v1.0.0 tag, legitimate TEE attestation library.	ai	2026/05/10
dependencies	unvetted-dep:automata-on-chain-pccs	AI (dependencies): Automata Network's on-chain PCCS; pinned to v1.0.0 tag, legitimate TEE attestation library.	ai	2026/05/10
npm-metadata	url-dep:automata-dcap-attestation	AI (npm-metadata): Pinned to tagged release evm-v1.0.0; standard Foundry dependency pattern for this package.	ai	2026/05/10
npm-metadata	no-description	AI (npm-metadata): Monorepo package; description gap is stable across versions.	ai	2026/05/10
provenance	no-provenance	AI (provenance): Provenance adoption is sparse in ecosystem; not a disqualifier for this package.	ai	2026/05/10
dependencies	unvetted-dep:@safe-global/safe-smart-account	AI (dependencies): safe-smart-account is the canonical Gnosis Safe contract repo; pinned to v1.5.0 tag.	ai	2026/05/04
dependencies	unvetted-dep:ds-test	AI (dependencies): ds-test is the canonical DappHub Foundry testing library; URL dep is standard Solidity tooling practice.	ai	2026/05/04
dependencies	unvetted-dep:forge-std	AI (dependencies): forge-std is the official Foundry standard library; URL dep is standard Solidity tooling practice.	ai	2026/05/04
dependencies	unvetted-dep:@inco/shared	AI (dependencies): Same org scope (@inco); internal monorepo dependency.	ai	2026/05/04
npm-metadata	url-dep:ds-test	AI (npm-metadata): Standard Foundry/Solidity pattern; ds-test is always pulled from GitHub in this ecosystem.	ai	2026/04/29
phantom-deps	phantom-dep:tsx	AI (phantom-deps): tsx is a runtime tool used via bun scripts, not directly imported; stable false positive.	ai	2026/04/29
phantom-deps	phantom-dep:@openzeppelin/contracts-upgradeable	AI (phantom-deps): Solidity dep referenced in Foundry config, not JS imports; stable false positive.	ai	2026/04/29
phantom-deps	phantom-dep:@safe-global/safe-smart-account	AI (phantom-deps): Solidity dep referenced in Foundry config, not JS imports; stable false positive.	ai	2026/04/29
phantom-deps	phantom-dep:@openzeppelin/contracts	AI (phantom-deps): Solidity dep referenced in Foundry config, not JS imports; stable false positive.	ai	2026/04/29
phantom-deps	phantom-dep:@inco/shared	AI (phantom-deps): Same-org Solidity dep; phantom-dep heuristic doesn't apply to Solidity imports.	ai	2026/04/29
phantom-deps	phantom-dep:forge-std	AI (phantom-deps): Solidity/Foundry dep referenced in config, not JS imports; stable false positive for this package.	ai	2026/04/29
phantom-deps	phantom-dep:ds-test	AI (phantom-deps): Solidity/Foundry dep referenced in config, not JS imports; stable false positive for this package.	ai	2026/04/29
npm-metadata	url-dep:@safe-global/safe-smart-account	AI (npm-metadata): Pinned to a specific tagged release on GitHub; standard for Solidity contract dependencies.	ai	2026/04/29
npm-metadata	url-dep:forge-std	AI (npm-metadata): Standard Foundry/Solidity pattern; forge-std is always pulled from GitHub in this ecosystem.	ai	2026/04/29

Versions (showing 26 of 26)

Version	Deps	Published
0.7.12	7 / 2	2026-02-18
0.7.11	7 / 2	2026-01-20
0.7.10	7 / 2	2026-01-09
0.7.9	7 / 2	2026-01-08
0.7.8	7 / 2	2026-01-08
0.7.6	7 / 2	2026-01-05
0.7.5	7 / 2	2025-12-15
0.7.4	7 / 2	2025-12-12
0.7.3	7 / 2	2025-12-12
0.7.2	7 / 2	2025-12-10
0.7.1	7 / 2	2025-12-05
0.7.0	7 / 2	2025-12-03
0.6.9	7 / 2	2025-11-07
0.5.0	8 / 1	2025-09-25
0.4.0	10 / 2	2025-09-12
0.3.1	10 / 2	2025-08-22
0.2.15	6 / 2	2025-06-28
0.2.13	6 / 2	2025-06-25
0.2.12	6 / 2	2025-06-25
0.2.9	6 / 2	2025-06-17
0.2.7	6 / 2	2025-06-17
0.2.6	6 / 2	2025-06-17
0.2.5	6 / 2	2025-06-17
0.2.3	6 / 2	2025-06-17
0.1.32	6 / 2	2025-05-14
0.1.31	6 / 2	2025-05-14