@quicknode/sdk
An SDK from [QuickNode](https://www.quicknode.com/) making it easy for developers to interact with QuickNode's services.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | bundled-binaries | AI (npm-metadata): napi-rs native addon; .node binaries are the intended distribution mechanism for this package. | ai | |
| semgrep | semgrep:child-process-execsync | AI (semgrep): execSync('ldd --version') is standard napi-rs musl detection boilerplate, not arbitrary command execution. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used solely for ldd musl detection in napi-rs loader; stable false positive for this package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): NAPI_RS_NATIVE_LIBRARY_PATH override is standard napi-rs escape hatch for custom binary paths. | ai | |
v3.1.1
2 findings
Package contains compiled binaries that could be backdoors:
• index.darwin-arm64.node
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.0
2 findings
Package contains compiled binaries that could be backdoors:
• index.darwin-arm64.node
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.