@inco/lightning-preview

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

amaurymsilasdavismuskbustertoboutheoxdnode.cm

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:ds-test	AI (dependencies): ds-test is the canonical Foundry/DappHub testing library; URL dep is standard for Solidity packages.	ai	2026/05/04
dependencies	unvetted-dep:forge-std	AI (dependencies): forge-std is the canonical Foundry standard library; URL dep is standard for Solidity packages.	ai	2026/05/04
phantom-deps	phantom-dep:@inco/lightning	AI (phantom-deps): Same-org Solidity dependency; referenced via remappings, not JS imports.	ai	2026/04/29
phantom-deps	phantom-dep:@openzeppelin/contracts	AI (phantom-deps): Solidity remapping dependency; not imported as JS module by design.	ai	2026/04/29
phantom-deps	phantom-dep:ds-test	AI (phantom-deps): Foundry/Solidity remapping dependency; not imported as JS module by design.	ai	2026/04/29
npm-metadata	url-dep:ds-test	AI (npm-metadata): Standard Foundry testing lib; GitHub URL dep is idiomatic for Solidity packages.	ai	2026/04/29
npm-metadata	url-dep:forge-std	AI (npm-metadata): Standard Foundry testing lib; GitHub URL dep is idiomatic for Solidity packages.	ai	2026/04/29
phantom-deps	phantom-dep:@openzeppelin/contracts-upgradeable	AI (phantom-deps): Solidity remapping dependency; not imported as JS module by design.	ai	2026/04/29
phantom-deps	phantom-dep:forge-std	AI (phantom-deps): Foundry/Solidity remapping dependency; not imported as JS module by design.	ai	2026/04/29

Versions (showing 4 of 4)

Version	Deps	Published
0.7.12	5 / 0	2026-02-18
0.7.11	5 / 0	2026-01-20
0.7.10	5 / 0	2026-01-09
0.7.9	5 / 0	2026-01-08

v0.7.11

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.7.10

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.7.9

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.