@reyaxyz/common
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:hex-decode | AI (semgrep): Standard Ethereum message hash hex-decoding via Buffer.from; no malicious payload. | ai | |
| semgrep | semgrep:shady-links-tlds | AI (semgrep): api.reya.xyz is the package's own API endpoint; .xyz TLD is the publisher's registered domain, not C2. | ai | |
Versions (showing 51 of 144)
| Version | Deps | Published |
|---|---|---|
| 0.354.1 | 5 / 3 | |
| 0.354.0 | 5 / 3 | |
| 0.353.1 | 5 / 3 | |
| 0.353.0 | 5 / 3 | |
| 0.352.1 | 5 / 3 | |
| 0.352.0 | 5 / 3 | |
| 0.351.0 | 5 / 3 | |
| 0.350.0 | 5 / 3 | |
| 0.349.0 | 5 / 3 | |
| 0.348.0 | 5 / 3 | |
| 0.347.1 | 5 / 3 | |
| 0.347.0 | 5 / 3 | |
| 0.346.0 | 5 / 3 | |
| 0.345.0 | 5 / 3 | |
| 0.344.3 | 5 / 3 | |
| 0.344.2 | 5 / 3 | |
| 0.344.1 | 5 / 3 | |
| 0.344.0 | 5 / 3 | |
| 0.343.1 | 5 / 3 | |
| 0.343.0 | 5 / 3 | |
| 0.342.0 | 5 / 3 | |
| 0.341.0 | 5 / 3 | |
| 0.340.2 | 5 / 3 | |
| 0.340.1 | 5 / 3 | |
| 0.340.0 | 5 / 3 | |
| 0.339.0 | 5 / 2 | |
| 0.338.0 | 5 / 2 | |
| 0.337.0 | 5 / 2 | |
| 0.336.0 | 5 / 2 | |
| 0.335.0 | 5 / 2 | |
| 0.334.1 | 5 / 2 | |
| 0.334.0 | 5 / 2 | |
| 0.333.2 | 5 / 2 | |
| 0.333.1 | 5 / 2 | |
| 0.332.0 | 5 / 2 | |
| 0.331.2 | 5 / 2 | |
| 0.331.1 | 5 / 2 | |
| 0.331.0 | 5 / 2 | |
| 0.330.2 | 5 / 2 | |
| 0.330.1 | 5 / 2 | |
| 0.330.0 | 5 / 2 | |
| 0.329.2 | 5 / 2 | |
| 0.329.1 | 5 / 2 | |
| 0.329.0 | 5 / 2 | |
| 0.328.0 | 5 / 2 | |
| 0.327.5 | 5 / 2 | |
| 0.327.4 | 5 / 2 | |
| 0.327.3 | 5 / 2 | |
| 0.327.2 | 5 / 2 | |
| 0.327.1 | 5 / 2 | |
| 0.327.0 | 5 / 2 | |
v0.354.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.354.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.353.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.353.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.352.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.352.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.351.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.350.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.349.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.348.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.343.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.342.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.341.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.340.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.340.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.340.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.339.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.338.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.337.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.336.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.335.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.334.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.334.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.333.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.333.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.332.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.331.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.331.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.331.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.330.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.330.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.330.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.329.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.329.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.329.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.328.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.327.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.327.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.327.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.327.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.327.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.327.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.