← Home

@lodestar/state-transition

npm Repository Homepage

Beacon Chain state transition function and utils

9
Versions
Apache-2.0
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

wemeetagainmatthewkeiljoshdougallkalambet

Keywords

ethereumeth-consensusbeaconblockchain

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
dependencies unvetted-dep:bigint-buffer AI (dependencies): bigint-buffer is a legitimate npm package for BigInt/Buffer interop; its use in an Ethereum consensus client handling cryptographic big integers is expected and appropriate. ai
semgrep semgrep:hex-decode AI (semgrep): The hex-decoded value is G2_POINT_AT_INFINITY, a standard BLS12-381 cryptographic constant used in Ethereum consensus. Not a malicious payload. ai
phantom-deps phantom-dep:@chainsafe/persistent-ts AI (phantom-deps): Minor packaging issue — declared but not directly imported. Not a security concern for this established package. ai

Versions (showing 9 of 9)

Version Deps Published
1.43.0 12 / 1
1.42.0 12 / 1
1.41.1 12 / 1
1.41.0 12 / 1
1.40.0 12 / 1
1.38.0 12 / 0
1.37.0 12 / 0
1.36.0 12 / 0
1.32.0 12 / 0

v1.43.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.42.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.41.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.41.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.40.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.38.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.37.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.36.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.32.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.