@t2000/sdk
TypeScript SDK for AI agent bank accounts on Sui — send, save, borrow, swap. NAVI lending + Cetus aggregator routing, sponsored gas, zkLogin compatible.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | source-size-tripled | AI (source-diff): Size increase driven by inlining the blake2b WASM binary; not injected payload. | ai | |
| source-diff | encoded-string-file:dist/index.js | AI (source-diff): Same blake2b WASM binary; benign cryptographic primitive bundled into dist. | ai | |
| source-diff | encoded-string-file:dist/adapters/index.cjs | AI (source-diff): Encoded string is a blake2b WASM binary bundled inline — standard cryptographic dependency, not malicious. | ai | |
| source-diff | encoded-string-file:dist/index.cjs | AI (source-diff): Same blake2b WASM binary; benign cryptographic primitive bundled into dist. | ai | |
| source-diff | encoded-string-file:dist/adapters/index.js | AI (source-diff): Same blake2b WASM binary; benign cryptographic primitive bundled into dist. | ai | |
| phantom-deps | phantom-dep:mppx | AI (phantom-deps): Referenced in config/build files rather than direct imports; consistent with a build-time plugin pattern. | ai | |
| phantom-deps | phantom-dep:@t2000/mpp-sui | AI (phantom-deps): Same-org scoped package; likely re-exported rather than directly imported in source. | ai | |
| phantom-deps | phantom-dep:@naviprotocol/lending | AI (phantom-deps): @naviprotocol/lending is an explicit runtime dep; phantom-dep false positive for this package. | ai | |
| phantom-deps | phantom-dep:@suilend/sui-fe | AI (phantom-deps): Transitive/config dependency for Suilend integration; consistent with SDK's DeFi purpose. | ai | |
| phantom-deps | phantom-dep:@pythnetwork/pyth-sui-js | AI (phantom-deps): Transitive/config dependency for Pyth oracle integration; consistent with SDK's DeFi purpose. | ai | |
| provenance | no-provenance | AI (provenance): Package is an established SDK with 275 versions and a trusted publisher; lack of Sigstore provenance is a best-practice gap, not a security risk for this package. | ai | |
| phantom-deps | phantom-dep:@zodios/core | AI (phantom-deps): @zodios/core is listed as a runtime dependency in package.json; phantom detection likely reflects indirect/config usage rather than a security issue. Stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@cetusprotocol/sui-clmm-sdk | AI (dependencies): @cetusprotocol/sui-clmm-sdk is the official Cetus Protocol CLMM SDK for Sui DeFi; its use is expected and appropriate for this DeFi/swap SDK. | ai |
Versions (showing 51 of 99)
| Version | Deps | Published |
|---|---|---|
| 4.2.1 | 11 / 7 | |
| 4.2.0 | 11 / 7 | |
| 4.1.4 | 11 / 7 | |
| 4.1.3 | 11 / 7 | |
| 4.1.2 | 11 / 7 | |
| 4.0.2 | 11 / 7 | |
| 2.20.0 | 11 / 7 | |
| 0.47.1 | 9 / 5 | |
| 0.47.0 | 9 / 5 | |
| 0.19.21 | 10 / 5 | |
| 0.19.20 | 10 / 5 | |
| 0.19.17 | 10 / 5 | |
| 0.19.15 | 10 / 5 | |
| 0.19.6 | 4 / 10 | |
| 0.18.25 | 2 / 10 | |
| 0.18.16 | 2 / 10 | |
| 0.16.30 | 3 / 5 | |
| 0.16.26 | 3 / 5 | |
| 0.16.23 | 3 / 5 | |
| 0.16.22 | 3 / 5 | |
| 0.16.21 | 3 / 5 | |
| 0.16.20 | 3 / 5 | |
| 0.16.19 | 3 / 5 | |
| 0.16.18 | 3 / 5 | |
| 0.16.17 | 3 / 5 | |
| 0.16.15 | 3 / 5 | |
| 0.16.14 | 3 / 5 | |
| 0.16.12 | 3 / 5 | |
| 0.16.11 | 3 / 5 | |
| 0.16.9 | 3 / 5 | |
| 0.16.8 | 3 / 5 | |
| 0.16.7 | 3 / 5 | |
| 0.16.2 | 3 / 5 | |
| 0.16.1 | 3 / 5 | |
| 0.16.0 | 3 / 5 | |
| 0.15.3 | 3 / 5 | |
| 0.15.2 | 3 / 5 | |
| 0.15.1 | 3 / 5 | |
| 0.15.0 | 3 / 5 | |
| 0.14.1 | 3 / 5 | |
| 0.14.0 | 3 / 5 | |
| 0.13.0 | 3 / 5 | |
| 0.11.2 | 3 / 5 | |
| 0.11.1 | 3 / 5 | |
| 0.11.0 | 3 / 5 | |
| 0.10.4 | 3 / 5 | |
| 0.10.3 | 3 / 5 | |
| 0.10.2 | 3 / 5 | |
| 0.10.1 | 3 / 5 | |
| 0.10.0 | 3 / 5 | |
| 0.9.9 | 4 / 5 |
v4.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.2
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: funkii.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.20.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: funkii.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.47.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: funkii.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.47.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: funkii.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.19.21
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.19.20
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: funkii.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.19.17
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: funkii.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.19.15
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: funkii.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.19.6
6 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: funkii.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.18.25
6 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: funkii.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.18.16
6 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: funkii.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.30
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: funkii.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.26
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: funkii.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.23
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.22
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.21
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.20
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.19
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.18
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.17
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.15
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: funkii.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.14
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: funkii.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.12
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: funkii.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.11
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: funkii.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.9
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: funkii.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.8
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: funkii.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.7
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: funkii.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.