@suilend/sdk
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@7kprotocol/sdk-ts | AI (dependencies): 7k Protocol is a legitimate Sui ecosystem swap aggregator; its SDK is a natural dependency for @suilend/sdk's swap functionality. | ai | |
| dependencies | unvetted-dep:@flowx-finance/sdk | AI (dependencies): FlowX Finance is a known Sui ecosystem DEX/aggregator; its SDK is a legitimate dependency for swap routing in a Sui DeFi lending SDK. | ai | |
| provenance | no-provenance | AI (provenance): Established package with 112 versions and 741-day history; lack of provenance is common and not a disqualifying signal here. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Suilend SDK is a legitimate DeFi protocol SDK; sparse README and missing keywords are cosmetic issues, not spam indicators. | ai | |
| phantom-deps | phantom-dep:crypto-js | AI (phantom-deps): crypto-js declared in dependencies but not directly imported; minor packaging hygiene issue, not a security risk for this SDK. | ai |
Versions (showing 16 of 16)
| Version | Deps | Published |
|---|---|---|
| 3.0.3 | 11 / 3 | |
| 3.0.2 | 11 / 3 | |
| 3.0.1 | 11 / 3 | |
| 2.0.7 | 11 / 3 | |
| 2.0.6 | 11 / 3 | |
| 2.0.5 | 11 / 3 | |
| 2.0.4 | 11 / 3 | |
| 2.0.3 | 11 / 3 | |
| 2.0.2 | 11 / 3 | |
| 2.0.1 | 11 / 3 | |
| 2.0.0 | 11 / 3 | |
| 1.1.99 | 11 / 3 | |
| 1.1.98 | 11 / 3 | |
| 1.1.97 | 11 / 3 | |
| 1.1.95 | 11 / 3 | |
| 1.1.90 | 12 / 3 |
v3.0.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.99
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.98
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.95
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.