@subql/utils
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source: a publish token alone is enough to push a tarball that never went through the repository's CI. The axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): New deps (lodash, @polkadot/util-crypto, @subql/x-sequelize) are all legitimate, well-known packages consistent with this blockchain utility package's ecosystem context. | ai | |
| dependencies | unvetted-dep:sequelize | AI (dependencies): sequelize is a well-known ORM; its use in SubQuery's utility package is expected for a blockchain indexer that manages database schemas. | ai | |
| phantom-deps | phantom-dep:ipfs-http-client | AI (phantom-deps): SubQuery legitimately uses IPFS; this phantom-dep finding reflects a packaging pattern, not a security risk. | ai | |
| phantom-deps | phantom-dep:axios | AI (phantom-deps): Phantom dependency used indirectly via config; stable pattern for this package. | ai | |
| license | copyleft-license:GPL-3.0 | AI (license): GPL-3.0 is a legitimate license choice for SubQuery utilities; no incompatibility with the package's purpose. | ai | |
| phantom-deps | phantom-dep:detect-port | AI (phantom-deps): Legitimate transitive dependency referenced in build/config; stable for this package. | ai | |
| phantom-deps | phantom-dep:tar | AI (phantom-deps): Legitimate transitive dependency referenced in build/config; stable for this package. | ai | |
| phantom-deps | phantom-dep:ansi-styles | AI (phantom-deps): Legitimate transitive dependency referenced in build/config; stable for this package. | ai | |
| phantom-deps | phantom-dep:semver | AI (phantom-deps): Legitimate transitive dependency referenced in build/config; stable for this package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal paired with addition suggests legitimate team transition, not compromise. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Maintainer transitions are normal in established projects; no other takeover indicators present. | ai | |
| provenance | publisher-changed | AI (provenance): SubQuery project migrated publishing to GitHub Actions CI/CD; consistent with repo metadata, no code changes, and established package history across 79 versions. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation is a best practice but not a blocker for established publishers. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Low README quality and missing keywords are typical for internal utilities in established monorepos; not indicative of spam. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Missing description is common in monorepo utilities; not indicative of malice given publisher history. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): 408-day gap is notable but consistent with monorepo utilities that don't require frequent releases; publisher history supports legitimacy. | ai | |
| dependencies | unvetted-dep:detect-port | AI (dependencies): detect-port is a standard utility; unvetted status is expected for utility dependencies. | ai | |
| dependencies | unvetted-dep:pino | AI (dependencies): pino is a standard logging library; unvetted status is expected for utility dependencies. | ai | |
| dependencies | unvetted-dep:rotating-file-stream | AI (dependencies): rotating-file-stream is a legitimate log rotation library; no security concern. | ai | |
| dependencies | unvetted-dep:@polkadot/util-crypto | AI (dependencies): @polkadot/util-crypto is a core Polkadot ecosystem library; expected dependency for SubQuery packages. | ai | |
| dependencies | unvetted-dep:@subql/x-sequelize | AI (dependencies): @subql/x-sequelize is a pinned pre-release version from the same SubQuery org; intentional versioning for this utility package. | ai | |
| dependencies | unvetted-dep:@polkadot/util | AI (dependencies): @polkadot/util is a core Polkadot ecosystem library; expected dependency for SubQuery packages. | ai | |
Versions (showing 7 of 7)
| Version | Deps | Published |
|---|---|---|
| 2.21.0 | 11 / 2 | |
| 2.17.2 | 11 / 2 | |
| 2.15.0 | 11 / 2 | |
| 2.14.0 | 11 / 2 | |
| 2.4.1 | 15 / 1 | |
| 1.3.1 | 14 / 1 | |
| 1.2.0 | 13 / 1 | |
v2.21.0
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.17.2
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.15.0
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.14.0
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.1
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.1
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.0
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.