
@sudoplatform/sudo-secure-communications

The Secure Communications SDK allows you to offer your users secure communications while preserving their privacy. Please see the [Sudo Platform Developer Docs](https://docs.sudoplatform.com/guides/securecommunications) for an overview of Secure Communic

Versions: 6
License: Apache-2.0
Install Scripts: Yes
Provenance: Verified

Supply chain provenance

Status for the latest visible version: SLSA provenance attestation; npm registry signatures; gitHead linked.

Maintainers

neilreadshaw, tbartley, sudoplatform-engineering, bkchy

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
provenance | publisher-changed | AI (provenance): Publisher changed to GitHub Actions CI/CD with SLSA provenance attestation; consistent with legitimate automation migration for sudoplatform org. | ai |
phantom-deps | phantom-dep:patch-package | AI (phantom-deps): patch-package is used in postinstall script; phantom-dep heuristic is a false positive here. | ai |
phantom-deps | phantom-dep:postinstall-postinstall | AI (phantom-deps): postinstall-postinstall is a known helper for chaining postinstall scripts; false positive. | ai |
phantom-deps | phantom-dep:fp-ts | AI (phantom-deps): Functional programming library likely used transitively or in bundled output; stable false positive. | ai |
phantom-deps | phantom-dep:redux | AI (phantom-deps): State management library referenced in config; stable false positive for this package. | ai |
phantom-deps | phantom-dep:fflate | AI (phantom-deps): Compression library referenced in config; stable false positive. | ai |
phantom-deps | phantom-dep:lodash | AI (phantom-deps): Utility library referenced in config; stable false positive. | ai |
install-scripts | install-script:postinstall | AI (install-scripts): postinstall runs patch-package, a standard patching utility with no arbitrary code execution risk. | ai |
phantom-deps | phantom-dep:newtype-ts | AI (phantom-deps): Type utility referenced in config; stable false positive. | ai |
phantom-deps | phantom-dep:async-mutex | AI (phantom-deps): Mutex utility referenced in config; stable false positive. | ai |
phantom-deps | phantom-dep:@matrix-org/matrix-sdk-crypto-wasm | AI (phantom-deps): Platform-specific binary package; phantom-dep heuristic is a known false positive for WASM packages. | ai |
phantom-deps | phantom-dep:@aws-sdk/lib-storage | AI (phantom-deps): AWS SDK framework-scoped package; stable false positive. | ai |
phantom-deps | phantom-dep:@aws-sdk/credential-provider-cognito-identity | AI (phantom-deps): AWS SDK framework-scoped package; stable false positive. | ai |
phantom-deps | phantom-dep:@types/md5 | AI (phantom-deps): Type definitions package; stable false positive. | ai |
phantom-deps | phantom-dep:monocle-ts | AI (phantom-deps): Optics library referenced in config; stable false positive. | ai |

Versions (showing 6 of 6)

Version | Deps | Published
5.5.2 | 24 / 43 |
5.5.1 | 24 / 43 |
5.5.0 | 24 / 43 |
5.4.0 | 24 / 43 |
5.3.2 | 24 / 43 |
0.0.1 | 0 / 0 |

v5.5.1

2 findings
HIGH (provenance) Publisher changed: sudoplatform-engineering → GitHub Actions (on 2026-04-27)

This version was published by a different npm account than previous versions on 2026-04-27. This could indicate a legitimate maintainer transition or an account compromise.

INFO (provenance) Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal npm offers, provided the attested source repository and workflow are the ones you expect for this package.

v5.5.0

2 findings
HIGH (provenance) Publisher changed: sudoplatform-engineering → GitHub Actions (on 2026-04-23)

This version was published by a different npm account than previous versions on 2026-04-23. This could indicate a legitimate maintainer transition or an account compromise.

INFO (provenance) Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal npm offers, provided the attested source repository and workflow are the ones you expect for this package.

v5.4.0

2 findings
HIGH (provenance) Publisher changed: sudoplatform-engineering → GitHub Actions (on 2026-04-01)

This version was published by a different npm account than previous versions on 2026-04-01. This could indicate a legitimate maintainer transition or an account compromise.

INFO (provenance) Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal npm offers, provided the attested source repository and workflow are the ones you expect for this package.

v5.3.2

2 findings
HIGH (provenance) Publisher changed: sudoplatform-engineering → GitHub Actions (on 2026-03-30)

This version was published by a different npm account than previous versions on 2026-03-30. This could indicate a legitimate maintainer transition or an account compromise.

INFO (provenance) Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal npm offers, provided the attested source repository and workflow are the ones you expect for this package.

v0.0.1

1 finding
LOW (provenance) No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.