@verii/metadata-registration
Package allows interacting with the smart contracts, based on ethers.js
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:eth-url-parser | AI (dependencies): eth-url-parser is a legitimate Ethereum URL parsing utility; its use is consistent with this package's blockchain/smart contract interaction purpose. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 encoding in code-jwk.js is standard JWK cryptographic key serialization, not payload obfuscation. Stable false positive for this crypto/blockchain package. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decoding in metadata-registry.js strips Ethereum 0x prefix — canonical pattern for reading blockchain hex values. Not malicious payload hiding. | ai | |
| phantom-deps | phantom-dep:@verii/blockchain-functions | AI (phantom-deps): Same-org monorepo dependency; indirect/runtime usage is expected in this package structure. | ai | |
| phantom-deps | phantom-dep:@verii/contract-permissions | AI (phantom-deps): Same-org monorepo dependency; indirect/runtime usage is expected in this package structure. | ai |
Versions (showing 14 of 14)
| Version | Deps | Published |
|---|---|---|
| 1.1.3 | 9 / 5 | |
| 1.1.2 | 9 / 5 | |
| 1.1.1 | 9 / 5 | |
| 1.1.0 | 9 / 5 | |
| 1.0.9 | 9 / 5 | |
| 1.0.8 | 9 / 5 | |
| 1.0.7 | 9 / 5 | |
| 1.0.6 | 9 / 5 | |
| 1.0.5 | 9 / 5 | |
| 1.0.4 | 9 / 5 | |
| 1.0.3 | 9 / 5 | |
| 1.0.2 | 9 / 5 | |
| 1.0.1 | 9 / 5 | |
| 1.0.0 | 9 / 5 |
v1.1.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.9
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.