@permaweb/libs
Documentation for this SDK can be found at the [top level](https://github.com/permaweb/permaweb-libs) of the repository.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:esbuild-plugin-polyfill-node | AI (phantom-deps): Build-time plugin referenced in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:crypto-browserify | AI (phantom-deps): Browser polyfill referenced in esbuild config; stable for this package. | ai | |
| phantom-deps | phantom-dep:stream-browserify | AI (phantom-deps): Browser polyfill referenced in esbuild config; stable for this package. | ai | |
| phantom-deps | phantom-dep:@ardrive/turbo-sdk | AI (phantom-deps): Build-time/config reference; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:esbuild-plugin-alias | AI (phantom-deps): Build-time plugin referenced in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:web-streams-polyfill | AI (phantom-deps): Browser polyfill referenced in esbuild config; stable for this package. | ai | |
| phantom-deps | phantom-dep:arweave | AI (phantom-deps): Build-time polyfill/config reference pattern; stable for this dual-build package. | ai | |
| phantom-deps | phantom-dep:process | AI (phantom-deps): Build-time polyfill/config reference pattern; stable for this dual-build package. | ai | |
| phantom-deps | phantom-dep:tsc-alias | AI (phantom-deps): Build-time tool referenced in config; stable for this package. | ai | |
| phantom-deps | phantom-dep:@permaweb/arx | AI (phantom-deps): Same-org dep referenced in build config; stable false positive. | ai | |
| phantom-deps | phantom-dep:os-browserify | AI (phantom-deps): Browser polyfill referenced in esbuild config; stable for this package. | ai | |
| source-diff | encoded-string-file:dist/index.cjs | AI (source-diff): Long strings are esbuild minified output (polyfills/bundled deps), not obfuscated payloads. | ai | |
| source-diff | encoded-string-file:dist/index.esm.js | AI (source-diff): Long strings are esbuild minified output (polyfills/bundled deps), not obfuscated payloads. | ai | |
| source-diff | encoded-string-file:dist/index.js | AI (source-diff): Long strings are esbuild minified output (polyfills/bundled deps), not obfuscated payloads. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Sparse README/no keywords is cosmetic; package is a legitimate permaweb SDK with 81 versions and a real GitHub repo. | ai | |
| phantom-deps | phantom-dep:@dha-team/arbundles | AI (phantom-deps): Declared dep used indirectly via bundled output; phantom-dep false positive for this package. | ai | |
Versions (showing 26 of 26)
| Version | Deps | Published |
|---|---|---|
| 0.0.93 | 2 / 23 | |
| 0.0.91 | 2 / 23 | |
| 0.0.90 | 2 / 23 | |
| 0.0.88 | 2 / 23 | |
| 0.0.87 | 2 / 23 | |
| 0.0.86 | 1 / 23 | |
| 0.0.85 | 1 / 23 | |
| 0.0.84 | 1 / 23 | |
| 0.0.82 | 1 / 23 | |
| 0.0.81 | 1 / 23 | |
| 0.0.80 | 1 / 23 | |
| 0.0.79 | 1 / 23 | |
| 0.0.78 | 1 / 23 | |
| 0.0.77 | 1 / 23 | |
| 0.0.76 | 1 / 23 | |
| 0.0.75 | 1 / 23 | |
| 0.0.73 | 1 / 23 | |
| 0.0.72 | 1 / 23 | |
| 0.0.71 | 1 / 23 | |
| 0.0.70 | 1 / 23 | |
| 0.0.69 | 1 / 23 | |
| 0.0.68 | 1 / 23 | |
| 0.0.38 | 0 / 17 | |
| 0.0.37 | 0 / 17 | |
| 0.0.36 | 12 / 13 | |
| 0.0.35 | 12 / 13 | |
v0.0.93
4 findings
Modified file contains 10 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 29 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 10 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.91
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.90
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.88
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.87
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.86
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.85
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.84
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.82
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.81
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.80
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.79
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.78
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.77
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.76
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.75
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.73
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.72
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.71
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.70
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.69
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.68
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.38
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.37
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.36
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.35
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.