@polkadot/api — Greenflagged

Promise and RxJS wrappers around the Polkadot JS RPC

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

jacogrpolkadotjsparitytech-ci

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): paritytech-ci is Parity Technologies' CI account (1999 approvals, 1549 days old); legitimate org-level publisher transition for @polkadot scope.	ai	2026/04/24
maintainer-change	maintainer-added	AI (maintainer-change): paritytech-ci is the established Parity CI publisher for @polkadot packages; maintainer addition is a legitimate organizational change.	ai	2026/04/24
dependencies	unvetted-dep:@polkadot/api-metadata	AI (dependencies): @polkadot/api-metadata is a sibling package in the same polkadot-js monorepo, published by the same trusted maintainer (jacogr). This is a stable intra-org dependency, not a supply chain risk.	ai	2026/04/24
dependencies	unvetted-dep:@types/rx	AI (dependencies): @types/rx is a legitimate TypeScript type definition package for RxJS; expected dependency for this RxJS-based Polkadot API wrapper.	ai	2026/04/24
phantom-deps	phantom-dep:@types/rx	AI (phantom-deps): @types/rx is a TypeScript type declaration package loaded by convention; phantom-dep finding is a stable false positive for this package.	ai	2026/04/24
dependencies	unvetted-dep:@polkadot/rpc-rx	AI (dependencies): @polkadot/rpc-rx is a sibling package in the official Polkadot JS ecosystem, published by the same trusted maintainer (jacogr).	ai	2026/04/24
dependencies	unvetted-dep:@polkadot/api-jsonrpc	AI (dependencies): First-party sibling package in the @polkadot monorepo, published by the same trusted maintainer at matching version constraints.	ai	2026/04/24
dependencies	unvetted-dep:@polkadot/api-format	AI (dependencies): First-party @polkadot/* scoped package from the same trusted publisher (jacogr). Not a third-party risk.	ai	2026/04/24
dependencies	unvetted-dep:@polkadot/params	AI (dependencies): First-party @polkadot/* scoped package from the same trusted publisher (jacogr). Not a third-party risk.	ai	2026/04/24
dependencies	unvetted-dep:@polkadot/jsonrpc	AI (dependencies): First-party @polkadot/* scoped package from the same trusted publisher (jacogr). Not a third-party risk.	ai	2026/04/24
dependencies	unvetted-dep:@polkadot/api-provider	AI (dependencies): First-party @polkadot/* scoped package from the same trusted publisher (jacogr). Not a third-party risk.	ai	2026/04/24
phantom-deps	phantom-dep:@polkadot/api-provider	AI (phantom-deps): Phantom dep is a sibling package in the same @polkadot monorepo scope; this is a known packaging pattern for this org and not a security concern.	ai	2026/04/24
provenance	no-provenance	AI (provenance): Package predates Sigstore provenance by years; 228k weekly downloads and 3082-day history confirm legitimacy without attestation.	ai	2026/04/24
phantom-deps	phantom-dep:@polkadot/types-create	AI (phantom-deps): Sibling monorepo package; declared as dependency for transitive use, common pattern in polkadot-js monorepo.	ai	2026/04/21
semgrep	semgrep:shady-links-raw-ip	AI (semgrep): 127.0.0.1:9933/9944 are localhost default URLs for a local Substrate/Polkadot node — standard dev config for a blockchain API library, not malicious.	ai	2026/04/21
typosquat	typosquat.levenshtein:ajv	AI (typosquat): @polkadot/api is a major blockchain SDK from Parity Technologies, not a typosquat of 'ajv'. Levenshtein match is a false positive.	ai	2026/04/21
typosquat	typosquat.levenshtein:joi	AI (typosquat): @polkadot/api is a major blockchain SDK from Parity Technologies, not a typosquat of 'joi'. Levenshtein match is a false positive.	ai	2026/04/21
typosquat	typosquat.levenshtein:pg	AI (typosquat): @polkadot/api is a major blockchain SDK from Parity Technologies, not a typosquat of 'pg'. Levenshtein match is a false positive.	ai	2026/04/21
typosquat	typosquat.levenshtein:hapi	AI (typosquat): @polkadot/api is a major blockchain SDK from Parity Technologies, not a typosquat of 'hapi'. Scoped package with completely different purpose.	ai	2026/04/21
phantom-deps	phantom-dep:@polkadot/types-augment	AI (phantom-deps): Sibling monorepo package; declared as dependency for transitive use, common pattern in polkadot-js monorepo.	ai	2026/04/21

Versions (showing 100 of 951)

Version	Deps	Published
16.5.6	17 / 0	2026-03-23
16.5.4	17 / 0	2025-12-09
16.5.3	17 / 0	2025-11-25
16.5.2	17 / 0	2025-11-11
16.5.1	17 / 0	2025-11-06
16.4.9	17 / 0	2025-10-14
16.4.8	17 / 0	2025-09-23
16.4.7	17 / 0	2025-09-15
16.4.6	17 / 0	2025-08-26
16.4.5	17 / 0	2025-08-20
16.4.4	17 / 0	2025-08-13
16.4.3	17 / 0	2025-07-29
16.4.2	17 / 0	2025-07-22
16.4.1	17 / 0	2025-07-09
16.3.1	17 / 0	2025-07-01
16.2.2	17 / 0	2025-06-17
16.2.1	17 / 0	2025-06-10
16.1.2	17 / 0	2025-06-04
16.1.1	17 / 0	2025-05-29
16.0.1	17 / 0	2025-05-19
15.10.2	17 / 0	2025-05-13
15.10.1	17 / 0	2025-05-13
15.9.3	17 / 0	2025-05-06
15.9.2	17 / 0	2025-04-15
15.9.1	17 / 0	2025-03-27
15.8.1	17 / 0	2025-03-10
15.7.2	17 / 0	2025-03-03
15.7.1	17 / 0	2025-02-25
15.6.1	17 / 0	2025-02-17
15.5.2	17 / 0	2025-02-03
15.5.1	17 / 0	2025-01-27
15.4.1	17 / 0	2025-01-20
15.3.1	17 / 0	2025-01-12
15.2.1	17 / 0	2025-01-06
15.1.1	17 / 0	2024-12-30
15.0.2	17 / 0	2024-12-13
15.0.1	17 / 0	2024-11-27
14.3.1	17 / 0	2024-11-12
14.2.3	17 / 0	2024-11-05
14.2.2	17 / 0	2024-10-31
14.2.1	17 / 0	2024-10-28
14.1.1	17 / 0	2024-10-21
14.0.1	17 / 0	2024-10-02
13.2.1	17 / 0	2024-09-23
13.1.1	17 / 0	2024-09-18
13.0.1	17 / 0	2024-09-10
12.4.2	17 / 0	2024-08-21
12.4.1	17 / 0	2024-08-19
12.3.1	17 / 0	2024-08-05
12.2.3	17 / 0	2024-07-29
12.2.2	17 / 0	2024-07-25
12.2.1	17 / 0	2024-07-13
12.1.1	17 / 0	2024-07-02
12.0.2	17 / 0	2024-06-27
12.0.1	17 / 0	2024-06-25
11.3.1	17 / 0	2024-06-17
11.2.1	17 / 0	2024-05-29
11.1.1	17 / 0	2024-05-21
11.0.3	17 / 0	2024-05-08
11.0.2	17 / 0	2024-04-24
11.0.1	17 / 0	2024-04-23
10.13.1	17 / 0	2024-04-16
10.12.6	17 / 0	2024-04-03
10.12.5	17 / 0	2024-04-02
10.12.4	17 / 0	2024-03-19
10.12.3	17 / 0	2024-03-18
10.12.2	17 / 0	2024-03-11
10.12.1	17 / 0	2024-03-04
10.11.3	17 / 0	2024-02-27
10.11.2	17 / 0	2023-12-18
10.11.1	17 / 0	2023-11-18
10.10.1	17 / 0	2023-10-14
10.9.1	17 / 0	2023-06-12
10.8.1	17 / 0	2023-06-05
10.7.3	17 / 0	2023-05-28
10.7.2	17 / 0	2023-05-21
10.7.1	17 / 0	2023-05-13
10.6.1	17 / 0	2023-05-07
10.5.1	17 / 0	2023-04-29
10.4.1	17 / 0	2023-04-22
10.3.4	17 / 0	2023-04-16
10.3.3	17 / 0	2023-04-15
10.3.2	17 / 0	2023-04-10
10.3.1	17 / 0	2023-04-09
10.2.2	17 / 0	2023-04-01
10.2.1	17 / 0	2023-03-25
10.1.4	17 / 0	2023-03-19
10.1.3	17 / 0	2023-03-15
10.1.2	17 / 0	2023-03-11
10.1.1	17 / 0	2023-03-11
10.0.1	17 / 0	2023-03-05
9.14.2	17 / 0	2023-02-19
9.14.1	17 / 0	2023-02-12
9.13.6	17 / 0	2023-02-05
9.13.5	17 / 0	2023-02-02
9.13.4	17 / 0	2023-02-01
9.13.3	17 / 0	2023-02-01
9.13.2	17 / 0	2023-01-29
9.13.1	17 / 0	2023-01-29
9.12.1	17 / 0	2023-01-22

Showing 100 of 951 Next page →

v16.5.6

2 findings

HIGH Publisher changed: polkadotjs → paritytech-ci (on 2026-03-23) provenance

This version was published by a different npm account than previous versions on 2026-03-23. This could indicate a legitimate maintainer transition or an account compromise.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.