
@superfluid-finance/ethereum-contracts

Versions: 3
License
No Install Scripts
Verified Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation
npm registry signatures
gitHead linked

Maintainers

superfluid_finance
miao.decentral.ee

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source: phantom-deps | Rule: phantom-dep:@safe-global/protocol-kit | Accepted by: ai | When: (blank)
  Reason: AI (phantom-deps): Package already uses multiple @safe-global/* deps; usage in build/ops scripts not detected by import scanner is expected.

Source: phantom-deps | Rule: phantom-dep:@safe-global/api-kit | Accepted by: ai | When: (blank)
  Reason: AI (phantom-deps): Safe multisig tooling dep used in ops scripts, not imported as JS module; stable FP for this package.

Source: phantom-deps | Rule: phantom-dep:@truffle/contract | Accepted by: ai | When: (blank)
  Reason: AI (phantom-deps): Truffle contract dep used via Truffle plugin system, not direct ES imports.

Source: phantom-deps | Rule: phantom-dep:@nomiclabs/hardhat-ethers | Accepted by: ai | When: (blank)
  Reason: AI (phantom-deps): Hardhat plugin loaded via hardhat config, not direct imports — standard Hardhat pattern.

Source: phantom-deps | Rule: phantom-dep:ethereumjs-tx | Accepted by: ai | When: (blank)
  Reason: AI (phantom-deps): Ethereum tooling dep used transitively via Truffle/Hardhat plugin system, not direct imports.

Source: phantom-deps | Rule: phantom-dep:@openzeppelin/contracts | Accepted by: ai | When: (blank)
  Reason: AI (phantom-deps): Referenced in Solidity/config files; not a JS import — standard for Solidity contract packages.

Source: phantom-deps | Rule: phantom-dep:@decentral.ee/web3-helpers | Accepted by: ai | When: (blank)
  Reason: AI (phantom-deps): Internal org helper dep; used via runtime tooling, not direct imports.

Source: phantom-deps | Rule: phantom-dep:ethereumjs-util | Accepted by: ai | When: (blank)
  Reason: AI (phantom-deps): Ethereum tooling dep used transitively via Truffle/Hardhat plugin system, not direct imports.

Versions (showing 3 of 3)

Version   Deps     Published
1.15.1    8 / 17   (blank)
1.15.0    7 / 16   (blank)
1.12.0    7 / 17   (blank)

v1.15.1

2 findings

HIGH | Phantom dependency: @safe-global/protocol-kit | rule: phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

INFO | Has SLSA provenance attestation | rule: provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.15.0

7 findings

HIGH | Phantom dependency: ethereumjs-tx | rule: phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH | Phantom dependency: ethereumjs-util | rule: phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH | Phantom dependency: @truffle/contract | rule: phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH | Phantom dependency: @safe-global/api-kit | rule: phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH | Phantom dependency: @nomiclabs/hardhat-ethers | rule: phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH | Phantom dependency: @decentral.ee/web3-helpers | rule: phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

INFO | Has SLSA provenance attestation | rule: provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.12.0

6 findings

HIGH | Phantom dependency: ethereumjs-tx | rule: phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH | Phantom dependency: ethereumjs-util | rule: phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH | Phantom dependency: @truffle/contract | rule: phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH | Phantom dependency: @nomiclabs/hardhat-ethers | rule: phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH | Phantom dependency: @decentral.ee/web3-helpers | rule: phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

LOW | No provenance attestation | rule: provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.