@x402/extensions

17 Versions
License
No Install Scripts
Verified Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation; npm registry signatures; no source commit

Maintainers

carsonroscoe_cberik_cb

Keywords

x402, payment, protocol, extensions

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
bogus-package | bogus-package | AI (bogus-package): Stub/placeholder package at v0.0.1 from Coinbase's x402 protocol ecosystem. Tiny payload and minimal metadata are expected for an early-stage extensions namespace package. | ai |
provenance | no-provenance | AI (provenance): Coinbase-published package with legitimate repo; lack of Sigstore provenance is common and not a risk signal given the publisher's track record. | ai |
dependencies | unvetted-dep:jose | AI (dependencies): jose is a well-established, widely-used JWT/JWK library with millions of weekly downloads; not a risk for this package. | ai |
dependencies | unvetted-dep:viem | AI (dependencies): viem is a canonical Ethereum TypeScript library with broad ecosystem adoption; appropriate dependency for a payment protocol package. | ai |
dependencies | unvetted-dep:@signinwithethereum/siwe | AI (dependencies): Sign-In with Ethereum (SIWE) is the canonical EIP-4361 implementation; legitimate dependency for a Web3 extensions package. | ai |
dependencies | unvetted-dep:@x402/core | AI (dependencies): Sibling package from the same x402 Foundation org; expected internal dependency for the x402 protocol ecosystem. | ai |

Versions (showing 17 of 17)

Version | Deps (vetted / total) | Published
2.14.0 | 9 / 15 |
2.13.0 | 9 / 15 |
2.12.0 | 9 / 15 |
2.11.0 | 9 / 15 |
2.10.0 | 9 / 15 |
2.9.0 | 9 / 15 |
2.8.0 | 9 / 15 |
2.7.0 | 9 / 15 |
2.6.0 | 7 / 15 |
2.5.0 | 7 / 15 |
2.4.0 | 7 / 15 |
2.3.1 | 7 / 15 |
2.3.0 | 7 / 15 |
2.2.0 | 3 / 15 |
2.1.0 | 3 / 15 |
2.0.0 | 3 / 15 |
0.0.1 | 0 / 0 |

v2.14.0

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.13.0

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.12.0

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.10.0

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.9.0

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.8.0

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.7.0

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.6.0

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.5.0

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.4.0

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.3.1

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.3.0

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.2.0

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.1.0

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.0

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.1

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.