@restatedev/restate-sdk

Typescript SDK for Restate

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

stephanewenrestateslinkydeveloper-restatedevasoli_restatepavel.tcholakovtill_restatenikrestate

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	missing-githead	AI (provenance): SLSA Sigstore attestation present; gitHead absence is a cosmetic metadata gap, not a supply-chain risk for this package.	ai	2026/05/13
maintainer-change	maintainer-removed	AI (maintainer-change): CI/CD-only publish model; maintainer list change reflects workflow migration, not a takeover.	ai	2026/05/13
source-diff	encoded-string-file:dist/cjs/src/endpoint/handlers/vm/sdk_shared_core_wasm_bindings.js	AI (source-diff): Base64-encoded WebAssembly binary via wasm-bindgen; standard pattern for this SDK's WASM core.	ai	2026/05/13
source-diff	encoded-string-file:dist/esm/src/endpoint/handlers/vm/sdk_shared_core_wasm_bindings.js	AI (source-diff): Same wasm-bindgen WASM binary in ESM build; stable false positive for this package.	ai	2026/05/13

Versions (showing 16 of 16)

Version	Deps	Published
1.14.5	1 / 1	2026-06-04
1.14.4	1 / 1	2026-05-20
1.14.3	1 / 1	2026-05-12
1.14.2	1 / 1	2026-05-05
1.14.1	1 / 1	2026-04-30
1.10.1	1 / 1	2026-01-05
1.10.0	1 / 1	2026-01-05
1.9.0	1 / 1	2025-09-16
1.8.4	1 / 1	2025-08-27
1.8.0	1 / 1	2025-07-31
1.7.3	1 / 1	2025-07-07
1.7.2	1 / 1	2025-07-02
1.7.1	1 / 1	2025-07-02
1.7.0	1 / 1	2025-07-02
1.6.1	1 / 1	2025-06-12
1.6.0	1 / 1	2025-05-20

v1.14.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.14.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.14.3

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.14.2

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

v1.14.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.10.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.10.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.9.0

3 findings

HIGH Long encoded string in modified file: dist/cjs/src/endpoint/handlers/vm/sdk_shared_core_wasm_bindings.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: dist/esm/src/endpoint/handlers/vm/sdk_shared_core_wasm_bindings.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.8.4

3 findings

HIGH Long encoded string in modified file: dist/cjs/src/endpoint/handlers/vm/sdk_shared_core_wasm_bindings.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: dist/esm/src/endpoint/handlers/vm/sdk_shared_core_wasm_bindings.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.8.0

3 findings

HIGH Long encoded string in modified file: dist/cjs/src/endpoint/handlers/vm/sdk_shared_core_wasm_bindings.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: dist/esm/src/endpoint/handlers/vm/sdk_shared_core_wasm_bindings.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.7.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.7.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.7.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.7.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.