@lodestar/beacon-node

A Typescript implementation of the beacon chain

Versions: 14
License: Apache-2.0
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation | npm registry signatures | gitHead linked

Maintainers

wemeetagain, matthewkeil, joshdougall, kalambet

Keywords

ethereum, eth-consensus, beacon, blockchain

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
dependencies | unvetted-dep:c-kzg | AI (dependencies): c-kzg is the standard KZG cryptography library for Ethereum EIP-4844; expected dependency for a beacon node. | ai |
bogus-package | bogus-package | AI (bogus-package): ChainSafe Lodestar is a major Ethereum consensus client monorepo. Mass-production signal reflects legitimate monorepo maintenance; README links are documentation, not a phishing farm. | ai |
phantom-deps | phantom-dep:it-pipe | AI (phantom-deps): it-pipe is declared and used indirectly through config/build system; legitimate pattern in monorepos. | ai |
dependencies | unvetted-dep:fastify | AI (dependencies): fastify is a well-known, legitimate Node.js web framework. Appropriate dependency for a beacon node API server. | ai |
dependencies | unvetted-dep:systeminformation | AI (dependencies): systeminformation is a well-known system info library. Appropriate for a beacon node monitoring/metrics use case. | ai |
semgrep | semgrep:hex-decode | AI (semgrep): Hex literals in this package are protocol constants (e.g. gossip message-id domain bytes per the Ethereum consensus spec), not obfuscated payloads. Stable false positive for this package. | ai |
phantom-deps | phantom-dep:@chainsafe/pubkey-index-map | AI (phantom-deps): Legitimate dependency in a large monorepo package; phantom detection is a false positive for this well-established package. | ai |
phantom-deps | phantom-dep:datastore-level | AI (phantom-deps): Used via package.json imports map for Bun compatibility conditional; not a direct import but legitimately declared. | ai |
phantom-deps | phantom-dep:@chainsafe/prometheus-gc-stats | AI (phantom-deps): Used via package.json imports map for Bun compatibility conditional; not a direct import but legitimately declared. | ai |
phantom-deps | phantom-dep:deepmerge | AI (phantom-deps): Legitimate dependency in a large monorepo package; phantom detection is a false positive for this well-established package. | ai |
phantom-deps | phantom-dep:uint8arraylist | AI (phantom-deps): Legitimate dependency in a large monorepo package; phantom detection is a false positive for this well-established package. | ai |

Versions (showing 14 of 14)

Version | Deps | Published
1.43.0 | 55 / 15 |
1.42.0 | 55 / 14 |
1.41.1 | 55 / 14 |
1.41.0 | 55 / 14 |
1.40.0 | 56 / 15 |
1.39.1 | 56 / 15 |
1.39.0 | 56 / 15 |
1.38.0 | 57 / 7 |
1.37.0 | 57 / 7 |
1.34.0 | 56 / 7 |
1.33.0 | 56 / 8 |
1.32.0 | 56 / 8 |
1.31.0 | 56 / 8 |
1.30.0 | 56 / 8 |

v1.43.0

1 finding
INFO | Has SLSA provenance attestation | provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.42.0

1 finding
INFO | Has SLSA provenance attestation | provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.41.1

1 finding
INFO | Has SLSA provenance attestation | provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.41.0

1 finding
INFO | Has SLSA provenance attestation | provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.40.0

1 finding
INFO | Has SLSA provenance attestation | provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.39.1

1 finding
INFO | Has SLSA provenance attestation | provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.39.0

1 finding
INFO | Has SLSA provenance attestation | provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.38.0

1 finding
INFO | Has SLSA provenance attestation | provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.37.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.34.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.33.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.32.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.31.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.30.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.