@openfort/openfort-node
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| install-scripts | install-script:preinstall | AI (install-scripts): npx only-allow pnpm is a standard package manager enforcement pattern; benign for this package. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): SLSA provenance attestation confirms CI/CD publish; dormancy explained by development cadence, not takeover. | ai | |
| provenance | missing-githead | AI (provenance): Package now publishes via GitHub Actions with SLSA provenance; gitHead field absence is expected in this CI workflow. | ai | |
| source-diff | obfuscated-file:dist/index.d.mts | AI (source-diff): Generated TypeScript declaration file with long union type lines; sample confirms readable, non-malicious content. | ai | |
| provenance | publisher-changed | AI (provenance): Legitimate migration to GitHub Actions CI/CD with SLSA attestation; consistent with org-level automation. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): openfort_developers matches the package org; consistent with legitimate team account addition. | ai | |
| dependencies | unvetted-peer-dep:@solana/kora | AI (dependencies): Optional peer dep for Solana integration; consumer controls version. | ai | |
| phantom-deps | phantom-dep:@types/node-fetch | AI (phantom-deps): Framework-scoped type declarations; stable pattern for TypeScript packages. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): Framework-scoped type declarations; stable pattern for TypeScript packages. | ai | |
| dependencies | unvetted-dep:@openfort/shield-js | AI (dependencies): Same-org dependency (@openfort); consistent with the package's established ecosystem role. | ai | |
Versions (showing 25 of 25)
| Version | Deps | Published |
|---|---|---|
| 0.10.4 | 6 / 21 | |
| 0.10.3 | 7 / 22 | |
| 0.10.2 | 7 / 21 | |
| 0.10.1 | 7 / 21 | |
| 0.10.0 | 7 / 21 | |
| 0.9.3 | 10 / 12 | |
| 0.9.2 | 10 / 12 | |
| 0.9.1 | 10 / 12 | |
| 0.9.0 | 10 / 12 | |
| 0.8.4 | 10 / 12 | |
| 0.8.3 | 10 / 12 | |
| 0.8.2 | 10 / 12 | |
| 0.8.1 | 10 / 12 | |
| 0.8.0 | 10 / 12 | |
| 0.7.7 | 9 / 12 | |
| 0.7.6 | 9 / 12 | |
| 0.7.5 | 9 / 12 | |
| 0.7.4 | 9 / 12 | |
| 0.7.3 | 9 / 12 | |
| 0.7.2 | 9 / 12 | |
| 0.7.1 | 9 / 12 | |
| 0.7.0 | 9 / 12 | |
| 0.6.74 | 5 / 6 | |
| 0.6.73 | 7 / 4 | |
| 0.6.72 | 7 / 2 | |
v0.10.4
2 findings
Script: npx only-allow pnpm
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.7
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.1
4 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
This version was published by a different npm account than previous versions on 2026-01-15. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.0
4 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
This version was published by a different npm account than previous versions on 2026-01-15. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.74
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.73
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.72
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
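The per-version findings above (missing provenance, the gitHead field disappearing, a publisher change, an install script, and the long-line "obfuscated file" heuristic) can all be re-derived from the npm registry packument for the package. The following is an added example, not code from this report or from Openfort, showing how a reviewer would script those checks against a constructed sample. It assumes the registry packument shape (`versions[v].gitHead`, `versions[v]._npmUser.name`, `versions[v].scripts`, `versions[v].dist.attestations.provenance.predicateType`) and that the caller passes versions oldest-first; the `missing-githead` rule here fires only at the transition where the immediately preceding version still carried `gitHead`, which is one reasonable reading of the report's wording. The sample versions and publisher names are constructed, not real registry data.

```javascript
// Added example: re-deriving the report's per-version checks from an npm
// registry packument (https://registry.npmjs.org/<pkg>). Not Openfort code.
// Assumed manifest fields: gitHead, _npmUser.name, scripts,
// dist.attestations.provenance.predicateType (npm provenance publishes).
const SLSA_V1 = "https://slsa.dev/provenance/v1";
const LONG_LINE_CHARS = 3000; // threshold the report uses for "obfuscated"
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// Package-manager enforcement one-liners the reviewer accepted as benign.
const BENIGN_INSTALL_SCRIPTS = [/^npx only-allow (npm|pnpm|yarn|bun)$/];

// versionsInPublishOrder: version manifests, oldest first (caller orders
// them from packument.time; assumed here). Returns { version: [findings] }.
function versionFindings(versionsInPublishOrder) {
  const out = {};
  let prevHadGitHead = false;
  let prevPublisher = null;
  for (const v of versionsInPublishOrder) {
    const findings = [];

    // 1. Sigstore/SLSA provenance: absent, SLSA v1, or some other predicate.
    const predicate = v.dist?.attestations?.provenance?.predicateType;
    if (!predicate) {
      findings.push({ rule: "missing-provenance", detail: "no attestation on dist" });
    } else if (predicate === SLSA_V1) {
      findings.push({ rule: "provenance:slsa-v1", detail: predicate });
    } else {
      findings.push({ rule: "provenance:unknown-predicate", detail: predicate });
    }

    // 2. gitHead vanished relative to the previous version: publish env changed.
    if (!v.gitHead && prevHadGitHead) {
      findings.push({ rule: "missing-githead", detail: "previous version had gitHead" });
    }
    prevHadGitHead = Boolean(v.gitHead);

    // 3. Publishing npm account differs from the previous version.
    const publisher = v._npmUser?.name ?? null;
    if (prevPublisher !== null && publisher !== prevPublisher) {
      findings.push({ rule: "publisher-changed", detail: `${prevPublisher} -> ${publisher}` });
    }
    prevPublisher = publisher;

    // 4. Lifecycle scripts that run on install, with the accepted pattern marked.
    for (const hook of INSTALL_HOOKS) {
      const cmd = v.scripts?.[hook];
      if (!cmd) continue;
      const benign = BENIGN_INSTALL_SCRIPTS.some((re) => re.test(cmd.trim()));
      findings.push({ rule: `install-script:${hook}`, detail: cmd, benign });
    }

    out[v.version] = findings;
  }
  return out;
}

// Line-length heuristic behind the "obfuscated-file" finding. A generated
// .d.ts with long union types trips it too, which is why a sample of the
// file content still has to be read before accepting or blocking.
function maxLineLength(text) {
  return text.split("\n").reduce((m, line) => Math.max(m, line.length), 0);
}
function looksObfuscated(text) {
  return maxLineLength(text) > LONG_LINE_CHARS;
}

// Constructed sample (not real registry data): one pre-provenance version,
// the CI/CD transition, and a later version with a preinstall script.
const SAMPLE_VERSIONS = [
  {
    version: "0.6.74",
    gitHead: "0123456789abcdef0123456789abcdef01234567",
    _npmUser: { name: "dev-alice" },
    dist: { tarball: "https://registry.example.invalid/openfort-node-0.6.74.tgz" },
  },
  {
    version: "0.7.0",
    _npmUser: { name: "ci-publisher" },
    dist: { attestations: { provenance: { predicateType: SLSA_V1 } } },
  },
  {
    version: "0.10.4",
    _npmUser: { name: "ci-publisher" },
    scripts: { preinstall: "npx only-allow pnpm" },
    dist: { attestations: { provenance: { predicateType: SLSA_V1 } } },
  },
];

function runSample() {
  return versionFindings(SAMPLE_VERSIONS);
}

console.log(JSON.stringify(runSample(), null, 2));
```

On a real package, fetch the packument, sort `Object.values(doc.versions)` by `doc.time[version]`, and pass that array to `versionFindings`; the `obfuscated-file` check needs the unpacked tarball, so run `looksObfuscated` over each newly added file's text. The presence of an SLSA predicate in the packument only tells you the registry recorded an attestation; verifying the Sigstore signature itself is what `npm audit signatures` does, and that step is not replaced by this script.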