@metamask/[email protected] rejected Risk: 43 No license 2025-06-10

@metamask/streams @0.2.0

rejected

This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.

npm Repository Homepage Tarball

Risk Score

—

License

Yes

Install Scripts

Dependencies

Dev Dependencies

51.9 KB

Package Size

2025-06-10

Published

Maintainers

danfinlaykumavismcmirerekmarksmetamaskbotgudahttnicholasellulsethkfmannaugtur

Keywords

MetaMaskobject capabilitiesocap

Dependencies (6)

Package	Constraint	Registry Status
@endo/stream	^1.2.10	auto_approved
@metamask/utils	^11.4.0	auto_approved
@endo/promise-kit	^1.1.10	auto_approved
@metamask/superstruct	^3.2.1	auto_approved
@metamask/kernel-utils	^0.1.0	auto_approved
@metamask/kernel-errors	^0.1.0	auto_approved

Dev Dependencies (34)

Package	Constraint	Registry Status
ses	^1.12.0	auto_approved
vite	^6.3.5	auto_approved
cookie	^1.0.2	auto_approved
eslint	^9.23.0	auto_approved
rimraf	^6.0.1	auto_approved
vitest	^3.1.3	auto_approved
typedoc	^0.28.1	auto_approved
depcheck	^1.4.7	No greenflagged match
prettier	^3.5.3	auto_approved
@ocap/cli	^0.0.0	Not imported
playwright	^1.51.1	auto_approved
typescript	~5.8.2	auto_approved
@types/chrome	^0.0.313	No greenflagged match
@ts-bridge/cli	^0.6.3	Not imported
@vitest/browser	^3.1.3	auto_approved
eslint-plugin-n	^17.17.0	auto_approved
@ocap/test-utils	^0.0.0	Not imported
@ts-bridge/shims	^0.1.1	Not imported
typescript-eslint	^8.29.0	auto_approved
eslint-plugin-jsdoc	^50.6.9	auto_approved
@arethetypeswrong/cli	^0.17.4	No greenflagged match
@vitest/eslint-plugin	^1.1.44	auto_approved
eslint-plugin-promise	^7.2.1	auto_approved
eslint-config-prettier	^10.1.1	auto_approved
eslint-plugin-import-x	^4.10.0	auto_approved
eslint-plugin-prettier	^5.2.6	auto_approved
@metamask/eslint-config	^14.0.0	auto_approved
@metamask/auto-changelog	^5.0.1	auto_approved
@typescript-eslint/utils	^8.29.0	auto_approved
@typescript-eslint/parser	^8.29.0	auto_approved
@metamask/eslint-config-nodejs	^14.0.0	No greenflagged match
@typescript-eslint/eslint-plugin	^8.29.0	auto_approved
eslint-import-resolver-typescript	^4.3.1	auto_approved
@metamask/eslint-config-typescript	^14.0.0	auto_approved

Transitive Dependency Tree

31 transitive deps max depth 8

├─ @endo/promise-kit ^1.1.10 → 1.2.1

├─ @endo/stream ^1.2.10 → 1.3.1

├─ @metamask/kernel-errors ^0.1.0 → 0.1.0

├─ @metamask/kernel-utils ^0.1.0 → 0.1.0

├─ @metamask/superstruct ^3.2.1 → 3.2.1

├─ @metamask/utils ^11.4.0 → 11.11.0

├─ @endo/captp ^4.4.5 → 4.5.0

├─ @endo/eventual-send ^1.5.0 → 1.5.0

├─ @endo/harden ^1.1.0

├─ @endo/harden ^1.1.0 → 1.1.0

├─ @endo/promise-kit ^1.2.1 → 1.2.1

├─ @endo/promise-kit ^1.1.10 → 1.2.1

├─ @ethereumjs/tx ^4.2.0

├─ @metamask/superstruct ^3.2.1 → 3.2.1

├─ @metamask/superstruct ^3.1.0 → 3.2.1

├─ @metamask/utils ^11.4.0 → 11.11.0

├─ @noble/hashes ^1.3.1 → 1.8.0

├─ @scure/base ^1.1.3 → 1.2.6

├─ @types/debug ^4.1.7 → 4.1.13

├─ @types/lodash ^4.17.20 → 4.17.24

├─ debug ^4.3.4 → 4.4.3

├─ lodash ^4.17.21 → 4.18.1

├─ pony-cause ^2.1.10 → 2.1.11

├─ semver ^7.5.4 → 7.8.2

├─ ses ^2.0.0 → 2.1.0

├─ setimmediate ^1.0.5 → 1.0.5

├─ uuid ^9.0.1 → 9.0.1

├─ @endo/cache-map ^1.1.0 → 1.1.0

├─ @endo/env-options ^1.1.11 → 1.1.11

├─ @endo/errors ^1.3.0 → 1.3.1

├─ @endo/eventual-send ^1.4.0 → 1.5.0

├─ @endo/harden ^1.1.0 → 1.1.0

├─ @endo/harden ^1.1.0

├─ @endo/immutable-arraybuffer ^1.1.2 → 1.1.2

├─ @endo/marshal ^1.9.0 → 1.10.0

├─ @endo/nat ^5.2.0 → 5.2.0

├─ @endo/pass-style ^1.7.0 → 1.8.0

├─ @endo/promise-kit ^1.2.0 → 1.2.1

├─ @ethereumjs/tx ^4.2.0

├─ @metamask/superstruct ^3.1.0 → 3.2.1

├─ @noble/hashes ^1.3.1 → 1.8.0

├─ @scure/base ^1.1.3 → 1.2.6

├─ @types/debug ^4.1.7 → 4.1.13

├─ @types/lodash ^4.17.20 → 4.17.24

├─ @types/ms *

├─ debug ^4.3.4 → 4.4.3

├─ lodash ^4.17.21 → 4.18.1

├─ ms ^2.1.3 → 2.1.3

├─ pony-cause ^2.1.10 → 2.1.11

├─ semver ^7.5.4 → 7.8.2

├─ uuid ^9.0.1 → 9.0.1

├─ @endo/common ^1.4.0 → 1.4.0

├─ @endo/env-options ^1.1.11 → 1.1.11

├─ @endo/errors ^1.3.1 → 1.3.1

├─ @endo/eventual-send ^1.5.0 → 1.5.0

├─ @endo/harden ^1.1.0 → 1.1.0

├─ @endo/harden ^1.1.0

├─ @endo/nat ^5.2.0 → 5.2.0

├─ @endo/pass-style ^1.8.0 → 1.8.0

├─ @endo/promise-kit ^1.2.1 → 1.2.1

├─ @types/ms *

├─ ms ^2.1.3 → 2.1.3

├─ ses ^2.0.0 → 2.1.0

├─ @endo/cache-map ^1.1.0 → 1.1.0

├─ @endo/common ^1.4.0 → 1.4.0

├─ @endo/env-options ^1.1.11 → 1.1.11

├─ @endo/errors ^1.3.1 → 1.3.1

├─ @endo/eventual-send ^1.5.0 → 1.5.0

├─ @endo/harden ^1.1.0 → 1.1.0

├─ @endo/harden ^1.1.0

├─ @endo/immutable-arraybuffer ^1.1.2 → 1.1.2

├─ @endo/promise-kit ^1.2.1 → 1.2.1

├─ ses ^2.0.0 → 2.1.0

├─ @endo/cache-map ^1.1.0 → 1.1.0

├─ @endo/env-options ^1.1.11 → 1.1.11

├─ @endo/errors ^1.3.1 → 1.3.1

├─ @endo/eventual-send ^1.5.0 → 1.5.0

├─ @endo/harden ^1.1.0

├─ @endo/harden ^1.1.0 → 1.1.0

├─ @endo/immutable-arraybuffer ^1.1.2 → 1.1.2

├─ @endo/promise-kit ^1.2.1 → 1.2.1

├─ ses ^2.0.0 → 2.1.0

├─ @endo/cache-map ^1.1.0 → 1.1.0

├─ @endo/env-options ^1.1.11 → 1.1.11

├─ @endo/harden ^1.1.0

├─ @endo/harden ^1.1.0 → 1.1.0

├─ @endo/immutable-arraybuffer ^1.1.2 → 1.1.2

├─ ses ^2.0.0 → 2.1.0

├─ @endo/cache-map ^1.1.0 → 1.1.0

├─ @endo/env-options ^1.1.11 → 1.1.11

├─ @endo/immutable-arraybuffer ^1.1.2 → 1.1.2

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule	Source	Disposition	Author	Reason
`install-script:postinstall`	install-scripts	reject	AI	AI (install-scripts): Postinstall downloads Chromium browser binary via Playwright — inappropriate for a published runtime library; should be removed from published package.

SAST Findings (1)

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Review Summary

Risk score: 43. Findings: 1 critical (+40), 1 low (+3), 1 info (+0).

Commit: 38fe219f57a0 Browse source

Published to npm: 2025-06-10