@subql/common-avalanche
Versions: 1
License: Apache-2.0
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
onfinality-admin, jay_ji
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:vm2 | AI (dependencies): vm2 is used intentionally in SubQuery's indexer framework for sandboxed execution; consistent with the package's purpose across versions. | ai | |
| dependencies | unvetted-dep:pino | AI (dependencies): pino is a standard logging library; its use here is routine and appropriate for this package type. | ai | |
| dependencies | unvetted-dep:sequelize | AI (dependencies): sequelize is a mainstream ORM; its use in SubQuery's common tooling is expected and appropriate. | ai | |
| provenance | missing-githead | AI (provenance): gitHead absence is a side effect of the publish environment change during org transition; no malicious intent. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Niche Avalanche-specific package; infrequent updates are normal for chain-specific SubQuery modules. | ai | |
| provenance | publisher-changed | AI (provenance): SubQuery transitioned publishing from onfinality-admin to jay_ji as part of org restructuring; jay_ji has strong track record (270 approved). | ai | |
| phantom-deps | phantom-dep:flatted | AI (phantom-deps): flatted is a standard serialization utility; phantom-dep finding is benign for this framework package. | ai | |
| phantom-deps | phantom-dep:@polkadot/util | AI (phantom-deps): @polkadot/util is a standard blockchain utility; phantom-dep finding is benign for this SubQuery framework package. | ai | |
| phantom-deps | phantom-dep:reflect-metadata | AI (phantom-deps): reflect-metadata is a known implicit runtime dependency for TypeScript decorators; phantom-dep finding is expected and benign. | ai | |
| phantom-deps | phantom-dep:graphql | AI (phantom-deps): graphql is a core SubQuery dependency used in schema processing; phantom-dep is expected for this framework package. | ai | |
| phantom-deps | phantom-dep:pino | AI (phantom-deps): pino is a legitimate logging dependency; phantom-dep finding reflects indirect/config usage common in SubQuery framework packages. | ai | |
| phantom-deps | phantom-dep:sequelize | AI (phantom-deps): sequelize is a legitimate ORM dependency; phantom-dep finding reflects indirect/config usage common in SubQuery framework packages. | ai | |
| phantom-deps | phantom-dep:js-yaml | AI (phantom-deps): js-yaml is a standard config parsing dependency; phantom-dep finding is benign for this framework package. | ai | |
| phantom-deps | phantom-dep:graphql-tag | AI (phantom-deps): graphql-tag is a standard GraphQL utility; phantom-dep finding is benign for this framework package. | ai | |
| phantom-deps | phantom-dep:bn.js | AI (phantom-deps): bn.js is a standard big-number library for blockchain packages; phantom-dep finding is benign. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Empty description is a known quirk of this SubQuery package; not a malware indicator given the established publisher and ecosystem context. | ai | |
| provenance | no-provenance | AI (provenance): Package predates widespread Sigstore provenance adoption on npm; consistent with other SubQuery packages from this publisher. | ai | |
Versions (showing 1 of 1)
| Version | Deps | Published |
|---|---|---|
| 0.1.3 | 14 / 3 | |