@polkadot/api-format — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

jacogr

Keywords

PolkadotJsonRPC

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	new-deps-added	AI (publish-pattern): @polkadot/primitives is a first-party same-org dependency in the polkadot-js monorepo; adding intra-org deps is a normal refactoring pattern and not a supply-chain risk for this package.	ai	2026/04/24
dependencies	unvetted-dep:@polkadot/primitives-json	AI (dependencies): Same-org @polkadot/ scoped dependency from the same trusted publisher (jacogr); consistent with the package's ecosystem and not a meaningful risk vector.	ai	2026/04/24
publish-pattern	dormant-publish	AI (publish-pattern): Legacy package from highly trusted polkadot-js maintainer (jacogr, 1259/0 record). Long dormancy is expected for older stable utility packages in this ecosystem; no corroborating compromise signals.	ai	2026/04/24
phantom-deps	phantom-dep:@babel/runtime	AI (phantom-deps): @babel/runtime is a framework-scoped Babel 7 runtime helper package; its phantom-dep status is expected for packages using Babel transforms. Stable for this package.	ai	2026/04/24
phantom-deps	phantom-dep:@polkadot/api-jsonrpc	AI (phantom-deps): Same-org @polkadot scoped package; phantom-dep finding is expected for intra-monorepo dependencies that may be used transitively.	ai	2026/04/24
phantom-deps	phantom-dep:babel-runtime	AI (phantom-deps): babel-runtime is a standard Babel transpilation helper used at runtime via transpiled output, not direct imports. This is expected for Babel 6-era packages.	ai	2026/04/24
phantom-deps	phantom-dep:@polkadot/jsonrpc	AI (phantom-deps): Phantom dep is a same-org sibling package from the same trusted publisher; not a security concern.	ai	2026/04/24
provenance	no-provenance	AI (provenance): Package predates Sigstore provenance by years; no provenance is expected for this age and publisher track record.	ai	2026/04/24

Versions (showing 51 of 199)

View all versions

Version	Deps	Published
0.30.1	6 / 0	2018-09-27
0.29.13	6 / 0	2018-09-27
0.29.12	6 / 0	2018-09-26
0.29.11	6 / 0	2018-09-26
0.29.10	6 / 0	2018-09-25
0.29.9	6 / 0	2018-09-25
0.29.8	6 / 0	2018-09-24
0.29.7	5 / 0	2018-09-21
0.29.6	5 / 0	2018-09-19
0.29.5	5 / 0	2018-09-19
0.29.4	5 / 0	2018-09-17
0.29.3	5 / 0	2018-09-17
0.29.2	5 / 0	2018-09-15
0.29.1	5 / 0	2018-09-14
0.28.35	5 / 0	2018-09-13
0.28.34	5 / 0	2018-09-13
0.28.33	5 / 0	2018-09-12
0.28.32	5 / 0	2018-09-12
0.28.31	5 / 0	2018-09-12
0.28.30	5 / 0	2018-09-11
0.28.29	5 / 0	2018-09-07
0.28.28	5 / 0	2018-09-07
0.28.27	5 / 0	2018-09-05
0.28.26	5 / 0	2018-09-05
0.28.25	5 / 0	2018-09-04
0.28.24	5 / 0	2018-08-29
0.28.23	5 / 0	2018-08-28
0.28.22	5 / 0	2018-08-24
0.28.21	5 / 0	2018-08-24
0.28.20	5 / 0	2018-08-22
0.28.19	5 / 0	2018-08-21
0.28.18	5 / 0	2018-08-17
0.28.17	5 / 0	2018-08-16
0.28.16	5 / 0	2018-08-16
0.28.15	5 / 0	2018-08-16
0.28.14	5 / 0	2018-08-15
0.28.13	5 / 0	2018-08-15
0.28.12	5 / 0	2018-08-15
0.28.11	5 / 0	2018-08-15
0.28.10	5 / 0	2018-08-14
0.28.9	5 / 0	2018-08-13
0.28.8	5 / 0	2018-08-13
0.28.7	5 / 0	2018-08-11
0.28.6	5 / 0	2018-08-11
0.28.5	5 / 0	2018-08-11
0.28.4	5 / 0	2018-08-11
0.28.3	5 / 0	2018-08-11
0.28.2	5 / 0	2018-08-11
0.28.1	5 / 0	2018-08-11
0.15.9	5 / 0	2018-08-10
0.15.8	5 / 0	2018-08-10