@polkadot/api-format
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): @polkadot/primitives is a first-party same-org dependency in the polkadot-js monorepo; adding intra-org deps is a normal refactoring pattern and not a supply-chain risk for this package. | ai | |
| dependencies | unvetted-dep:@polkadot/primitives-json | AI (dependencies): Same-org @polkadot/ scoped dependency from the same trusted publisher (jacogr); consistent with the package's ecosystem and not a meaningful risk vector. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Legacy package from highly trusted polkadot-js maintainer (jacogr, 1259/0 record). Long dormancy is expected for older stable utility packages in this ecosystem; no corroborating compromise signals. | ai | |
| phantom-deps | phantom-dep:@babel/runtime | AI (phantom-deps): @babel/runtime is a framework-scoped Babel 7 runtime helper package; its phantom-dep status is expected for packages using Babel transforms. Stable for this package. | ai | |
| phantom-deps | phantom-dep:@polkadot/api-jsonrpc | AI (phantom-deps): Same-org @polkadot scoped package; phantom-dep finding is expected for intra-monorepo dependencies that may be used transitively. | ai | |
| phantom-deps | phantom-dep:babel-runtime | AI (phantom-deps): babel-runtime is a standard Babel transpilation helper used at runtime via transpiled output, not direct imports. This is expected for Babel 6-era packages. | ai | |
| phantom-deps | phantom-dep:@polkadot/jsonrpc | AI (phantom-deps): Phantom dep is a same-org sibling package from the same trusted publisher; not a security concern. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance by years; no provenance is expected for this age and publisher track record. | ai |
Versions (showing 99 of 199)
| Version | Deps | Published |
|---|---|---|
| 0.12.9 | 4 / 0 | |
| 0.12.8 | 4 / 0 | |
| 0.12.7 | 4 / 0 | |
| 0.12.6 | 4 / 0 | |
| 0.12.5 | 4 / 0 | |
| 0.12.4 | 4 / 0 | |
| 0.12.3 | 4 / 0 | |
| 0.12.2 | 4 / 0 | |
| 0.12.1 | 4 / 0 | |
| 0.11.3 | 4 / 0 | |
| 0.11.2 | 4 / 0 | |
| 0.11.1 | 4 / 0 | |
| 0.10.13 | 4 / 0 | |
| 0.10.12 | 4 / 0 | |
| 0.10.11 | 4 / 0 | |
| 0.10.10 | 4 / 0 | |
| 0.10.9 | 4 / 0 | |
| 0.10.8 | 4 / 0 | |
| 0.10.7 | 4 / 0 | |
| 0.10.6 | 4 / 0 | |
| 0.10.5 | 4 / 0 | |
| 0.10.4 | 4 / 0 | |
| 0.10.3 | 3 / 1 | |
| 0.10.2 | 3 / 1 | |
| 0.10.1 | 3 / 1 | |
| 0.9.16 | 3 / 1 | |
| 0.9.15 | 3 / 1 | |
| 0.9.14 | 3 / 1 | |
| 0.9.13 | 3 / 1 | |
| 0.9.12 | 3 / 1 | |
| 0.9.11 | 3 / 1 | |
| 0.9.10 | 3 / 1 | |
| 0.9.9 | 3 / 1 | |
| 0.9.8 | 3 / 1 | |
| 0.9.7 | 3 / 1 | |
| 0.9.6 | 3 / 1 | |
| 0.9.5 | 3 / 1 | |
| 0.9.4 | 3 / 1 | |
| 0.9.3 | 3 / 1 | |
| 0.9.2 | 3 / 1 | |
| 0.9.1 | 3 / 1 | |
| 0.8.18 | 3 / 1 | |
| 0.8.17 | 3 / 1 | |
| 0.8.16 | 3 / 1 | |
| 0.8.15 | 4 / 1 | |
| 0.8.14 | 3 / 1 | |
| 0.8.13 | 3 / 1 | |
| 0.8.12 | 3 / 1 | |
| 0.8.11 | 3 / 1 | |
| 0.8.10 | 3 / 1 | |
| 0.8.9 | 3 / 1 | |
| 0.8.8 | 3 / 1 | |
| 0.8.7 | 3 / 1 | |
| 0.8.6 | 3 / 1 | |
| 0.8.5 | 3 / 1 | |
| 0.8.4 | 3 / 1 | |
| 0.8.3 | 3 / 1 | |
| 0.8.2 | 3 / 1 | |
| 0.8.1 | 3 / 1 | |
| 0.7.1 | 3 / 1 | |
| 0.6.12 | 3 / 1 | |
| 0.6.11 | 3 / 1 | |
| 0.6.10 | 3 / 1 | |
| 0.6.9 | 3 / 1 | |
| 0.6.8 | 3 / 1 | |
| 0.6.7 | 3 / 1 | |
| 0.6.6 | 3 / 1 | |
| 0.6.5 | 3 / 1 | |
| 0.6.4 | 2 / 1 | |
| 0.6.3 | 2 / 1 | |
| 0.6.2 | 2 / 1 | |
| 0.6.1 | 2 / 1 | |
| 0.5.13 | 2 / 1 | |
| 0.5.12 | 2 / 1 | |
| 0.5.11 | 2 / 1 | |
| 0.5.10 | 2 / 1 | |
| 0.5.9 | 2 / 1 | |
| 0.5.8 | 2 / 1 | |
| 0.5.7 | 2 / 1 | |
| 0.5.6 | 2 / 1 | |
| 0.5.5 | 2 / 1 | |
| 0.5.4 | 2 / 2 | |
| 0.5.3 | 2 / 2 | |
| 0.5.2 | 2 / 2 | |
| 0.5.1 | 2 / 2 | |
| 0.3.12 | 2 / 2 | |
| 0.3.11 | 2 / 2 | |
| 0.3.10 | 2 / 2 | |
| 0.3.9 | 2 / 2 | |
| 0.3.8 | 2 / 2 | |
| 0.3.7 | 2 / 2 | |
| 0.3.6 | 2 / 2 | |
| 0.3.5 | 2 / 2 | |
| 0.3.4 | 2 / 2 | |
| 0.3.3 | 1 / 8 | |
| 0.3.2 | 2 / 29 | |
| 0.3.1 | 2 / 29 | |
| 0.2.2 | 2 / 29 | |
| 0.2.1 | 2 / 29 |
v0.12.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.11.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.11.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.11.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.16
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.15
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.14
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.18
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.17
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.16
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.15
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.14
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.