@lit-protocol/access-control-conditions
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Established publisher/org; provenance absence is consistent across all @lit-protocol packages. | ai | |
| phantom-deps | phantom-dep:ajv | AI (phantom-deps): Declared dep used transitively/in config; common monorepo pattern for this package. | ai | |
| phantom-deps | phantom-dep:depd | AI (phantom-deps): Declared dep used transitively/in config; common monorepo pattern for this package. | ai | |
| phantom-deps | phantom-dep:util | AI (phantom-deps): Declared dep used transitively/in config; common monorepo pattern for this package. | ai | |
| phantom-deps | phantom-dep:bech32 | AI (phantom-deps): Declared dep used transitively/in config; common monorepo pattern for this package. | ai | |
| phantom-deps | phantom-dep:@lit-protocol/logger | AI (phantom-deps): Same-org sibling dep; stable false positive for this monorepo package. | ai | |
| phantom-deps | phantom-dep:@ethersproject/contracts | AI (phantom-deps): Declared dep used transitively/in config; common monorepo pattern for this package. | ai | |
| phantom-deps | phantom-dep:@ethersproject/providers | AI (phantom-deps): Declared dep used transitively/in config; common monorepo pattern for this package. | ai | |
| phantom-deps | phantom-dep:@ethersproject/abstract-provider | AI (phantom-deps): Declared dep used transitively/in config; common monorepo pattern for this package. | ai | |
| phantom-deps | phantom-dep:pino | AI (phantom-deps): Declared in deps for transitive use; phantom-dep heuristic fires on config-only references, stable FP for this package. | ai | |
| phantom-deps | phantom-dep:siwe | AI (phantom-deps): Same pattern — referenced in config, not a direct import; stable FP. | ai | |
| phantom-deps | phantom-dep:viem | AI (phantom-deps): Config-only reference; stable FP for this package. | ai | |
| phantom-deps | phantom-dep:typechain | AI (phantom-deps): Build tooling dep referenced in config; stable FP. | ai | |
| phantom-deps | phantom-dep:@t3-oss/env-core | AI (phantom-deps): Config-only reference; stable FP. | ai | |
| phantom-deps | phantom-dep:@openagenda/verror | AI (phantom-deps): Config-only reference; stable FP. | ai | |
| phantom-deps | phantom-dep:@typechain/ethers-v6 | AI (phantom-deps): Build tooling dep; stable FP. | ai | |
| phantom-deps | phantom-dep:zod-validation-error | AI (phantom-deps): Config-only reference; stable FP. | ai | |
| phantom-deps | phantom-dep:@lit-protocol/contracts | AI (phantom-deps): Same org scope; declared dep used transitively; stable FP. | ai | |
v8.0.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.4.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.