@paypal/sdk-constants — Greenflagged

Utilities.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

sdk-integrations-npmsiokedpaypal-sdksbraintreeseavenlyjfurmanravishekhar00gregjopamnicptelizabethmvnbierdemanremotevisionrygilbert_paypalrosman21wsbrunsonyanisimov_paypalavathaluringseguindustijonessunnypatelbywoodppeelenizsupremarimbrian-paypalcnallamgabrielg-paypalaugreer8

Keywords

template

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
maintainer-change	maintainer-added	AI (maintainer-change): New maintainers are PayPal-affiliated accounts added as part of team restructuring. No hostile takeover indicators present.	ai	2026/04/23
maintainer-change	maintainer-removed	AI (maintainer-change): Maintainer removals are consistent with PayPal team restructuring alongside the publisher transition to sdk-integrations-npm.	ai	2026/04/23
provenance	publisher-changed	AI (provenance): PayPal consolidated SDK publishing under sdk-integrations-npm service account; this is a documented org-level transition, not a compromise. Stable for this package going forward.	ai	2026/04/23
dependencies	unvetted-dep:hi-base32	AI (dependencies): hi-base32 is a legitimate base32 encoding library; its use in a PayPal SDK constants package is reasonable and stable across versions.	ai	2026/04/23
phantom-deps	phantom-dep:cross-domain-utils	AI (phantom-deps): cross-domain-utils is a declared dependency in this PayPal SDK constants package; indirect usage via config/build is consistent with the package's role as a constants/utilities bundle.	ai	2026/04/23
phantom-deps	phantom-dep:zalgo-promise	AI (phantom-deps): zalgo-promise is a declared dependency in this PayPal SDK constants package; indirect usage via config/build is consistent with the package's role as a constants/utilities bundle.	ai	2026/04/23
phantom-deps	phantom-dep:hi-base32	AI (phantom-deps): hi-base32 is declared as a runtime dependency and likely used in bundled output or config; not a security concern for this package.	ai	2026/04/21
provenance	no-provenance	AI (provenance): Provenance absence is common (~88% of npm packages lack it); no other indicators of supply chain compromise for this PayPal-org package.	ai	2026/04/21

Versions (showing 51 of 130)

View all versions

Version	Deps	Published
1.0.158	1 / 7	2026-05-18
1.0.157	1 / 7	2025-08-22
1.0.156	1 / 7	2025-08-08
1.0.155	1 / 7	2025-07-09
1.0.154	1 / 7	2025-06-03
1.0.153	1 / 7	2025-02-13
1.0.152	1 / 7	2025-01-29
1.0.151	1 / 7	2025-01-09
1.0.150	1 / 7	2024-10-10
1.0.149	1 / 7	2024-07-10
1.0.148	1 / 7	2024-04-17
1.0.147	1 / 7	2024-04-17
1.0.146	1 / 7	2024-04-08
1.0.145	1 / 7	2024-03-20
1.0.144	1 / 7	2024-03-15
1.0.143	1 / 7	2024-03-12
1.0.142	1 / 7	2024-02-15
1.0.141	1 / 7	2024-02-13
1.0.140	1 / 7	2024-02-12
1.0.139	1 / 7	2024-02-05
1.0.138	1 / 7	2024-02-02
1.0.137	1 / 7	2024-01-29
1.0.136	1 / 7	2024-01-08
1.0.135	1 / 7	2023-12-21
1.0.134	1 / 7	2023-12-04
1.0.133	1 / 7	2023-10-17
1.0.132	1 / 7	2023-10-11
1.0.131	1 / 7	2023-08-08
1.0.130	1 / 7	2023-04-04
1.0.129	1 / 7	2023-02-02
1.0.128	1 / 7	2022-11-29
1.0.127	1 / 5	2022-10-28
1.0.126	1 / 5	2022-10-26
1.0.125	1 / 5	2022-10-26
1.0.124	1 / 5	2022-08-31
1.0.123	1 / 5	2022-08-25
1.0.122	1 / 2	2022-05-16
1.0.121	1 / 2	2022-05-03
1.0.120	1 / 2	2022-05-03
1.0.119	1 / 2	2022-04-15
1.0.118	1 / 2	2022-03-29
1.0.117	1 / 2	2022-03-09
1.0.116	3 / 2	2022-01-19
1.0.115	3 / 2	2022-01-07
1.0.114	3 / 2	2022-01-05
1.0.113	3 / 3	2021-12-07
1.0.111	3 / 3	2021-11-19
1.0.110	3 / 3	2021-09-29
1.0.109	3 / 3	2021-09-07
1.0.108	3 / 3	2021-09-02
1.0.107	3 / 3	2021-06-21