@sphinx-labs/plugins
Versions: 2
License: —
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
sam-goldman, ryan-sphinx
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@openzeppelin/hardhat-upgrades | AI (phantom-deps): Hardhat plugin referenced in config; stable false positive for build-tool packages. | ai | |
| phantom-deps | phantom-dep:solidity-ast | AI (phantom-deps): Solidity tooling referenced in config; stable false positive for build-tool packages. | ai | |
| phantom-deps | phantom-dep:@eth-optimism/contracts | AI (phantom-deps): Contract dependency referenced in config; stable false positive for build-tool packages. | ai | |
| phantom-deps | phantom-dep:@openzeppelin/contracts | AI (phantom-deps): Contract dependency referenced in config; stable false positive for build-tool packages. | ai | |
| phantom-deps | phantom-dep:@ethersproject/bignumber | AI (phantom-deps): Ethers utility referenced in config; stable false positive for build-tool packages. | ai | |
| phantom-deps | phantom-dep:sinon | AI (phantom-deps): Testing dependency referenced in test config; stable false positive for build-tool packages. | ai | |
| phantom-deps | phantom-dep:yesno | AI (phantom-deps): CLI dependency referenced in config; stable false positive for build-tool packages. | ai | |
| phantom-deps | phantom-dep:core-js | AI (phantom-deps): Runtime polyfill; stable implicit dependency for this package. | ai | |
| phantom-deps | phantom-dep:p-limit | AI (phantom-deps): Utility dependency referenced in config; stable false positive for build-tool packages. | ai | |
| phantom-deps | phantom-dep:@swc/core | AI (phantom-deps): Build tool referenced in config; stable false positive for build-tool packages. | ai | |
| phantom-deps | phantom-dep:node-fetch | AI (phantom-deps): Network utility referenced in config; stable false positive for build-tool packages. | ai | |
| phantom-deps | phantom-dep:typescript | AI (phantom-deps): TypeScript is a build-time tool declared for ts-node usage; phantom dep pattern is expected for this package type. | ai | |
| phantom-deps | phantom-dep:ts-node | AI (phantom-deps): ts-node is used in scripts/config; phantom dep pattern is expected for this monorepo plugin package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Established package with 85 versions and 1000 days of history. README link dump reflects blockchain tooling documentation, not phishing. No keywords is minor. | ai | |
| phantom-deps | phantom-dep:hardhat | AI (phantom-deps): Hardhat is a peer dependency/config-level dep for a Hardhat plugin; not directly imported but required at runtime by the plugin host. | ai | |
v0.33.3: 1 finding
LOW: No provenance attestation (rule: provenance)
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.