@lit-protocol/auth-helpers
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:siwe-recap | AI (dependencies): siwe-recap is a known SIWE extension library; pinned alpha version is consistent with prior Lit Protocol usage patterns. | ai | |
| dependencies | unvetted-dep:@lit-protocol/schemas | AI (dependencies): First-party @lit-protocol scoped dependency; same org, same version cadence. | ai | |
| dependencies | unvetted-dep:@lit-protocol/access-control-conditions-schemas | AI (dependencies): First-party @lit-protocol scoped dependency; same org, same version cadence. | ai | |
| phantom-deps | phantom-dep:@typechain/ethers-v6 | AI (phantom-deps): Config-only reference in a monorepo; not a direct import risk. | ai | |
| phantom-deps | phantom-dep:pino | AI (phantom-deps): Config-only reference in a monorepo; not a direct import risk. | ai | |
| phantom-deps | phantom-dep:@lit-protocol/access-control-conditions-schemas | AI (phantom-deps): Same org scope; monorepo phantom-dep pattern, stable false positive. | ai | |
| phantom-deps | phantom-dep:zod-validation-error | AI (phantom-deps): Config-only reference in a monorepo; not a direct import risk. | ai | |
| phantom-deps | phantom-dep:typechain | AI (phantom-deps): Config-only reference in a monorepo; not a direct import risk. | ai | |
| phantom-deps | phantom-dep:@t3-oss/env-core | AI (phantom-deps): Config-only reference in a monorepo; not a direct import risk. | ai | |
| phantom-deps | phantom-dep:@lit-protocol/accs-schemas | AI (phantom-deps): Same-org monorepo sibling; stable false positive. | ai | |
| phantom-deps | phantom-dep:ajv | AI (phantom-deps): Monorepo build config reference, not a runtime import; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@ethersproject/abstract-provider | AI (phantom-deps): Monorepo build config reference; stable false positive. | ai | |
| phantom-deps | phantom-dep:util | AI (phantom-deps): Monorepo build config reference; stable false positive. | ai | |
| phantom-deps | phantom-dep:bech32 | AI (phantom-deps): Monorepo build config reference; stable false positive. | ai | |
| phantom-deps | phantom-dep:@lit-protocol/misc | AI (phantom-deps): Same-org monorepo sibling; stable false positive. | ai | |
| phantom-deps | phantom-dep:@openagenda/verror | AI (phantom-deps): Monorepo build config reference; stable false positive. | ai | |
| phantom-deps | phantom-dep:@lit-protocol/logger | AI (phantom-deps): Same-org monorepo sibling; stable false positive. | ai | |
| phantom-deps | phantom-dep:@lit-protocol/contracts | AI (phantom-deps): Same-org monorepo sibling; stable false positive. | ai | |
| phantom-deps | phantom-dep:@ethersproject/contracts | AI (phantom-deps): Monorepo build config reference; stable false positive. | ai | |
| phantom-deps | phantom-dep:@ethersproject/providers | AI (phantom-deps): Monorepo build config reference; stable false positive. | ai |
Versions (showing 7 of 7)
| Version | Deps | Published |
|---|---|---|
| 8.2.1 | 22 / 0 | |
| 8.2.0 | 22 / 0 | |
| 8.1.1 | 22 / 0 | |
| 8.0.2 | 23 / 0 | |
| 8.0.1 | 23 / 0 | |
| 8.0.0 | 12 / 0 | |
| 7.4.0 | 20 / 0 |
v8.2.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.2.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.1.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.4.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.