@xyo-network/chain-orchestration
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Transition to org account 'xyo' with 3589 approved packages; consistent with org-level publishing consolidation for xylabs packages. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Growth reflects legitimate refactor adding first-party @xyo-network modules, not injected foreign code. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase consistent with adding 17 first-party deps and their source files in a monorepo refactor. | ai | |
| provenance | missing-githead | AI (provenance): High-volume trusted publisher; missing gitHead likely reflects CI pipeline change, not malicious publish. | ai | |
| dependencies | unvetted-dep:@xyo-network/chain-sdk | AI (dependencies): Same-org monorepo sibling at matching version; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@xyo-network/chain-orchestration-storage | AI (dependencies): Same-org monorepo sibling at matching version; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@xyo-network/chain-orchestration-evm | AI (dependencies): Same-org monorepo sibling at matching version; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@xyo-network/chain-services | AI (dependencies): Same-org monorepo sibling at matching version; stable false positive for this package. | ai | |
Versions (showing 51 of 225)
| Version | Deps | Published |
|---|---|---|
| 2.0.1 | 9 / 93 | |
| 2.0.0 | 9 / 93 | |
| 1.23.2 | 9 / 93 | |
| 1.20.29 | 9 / 95 | |
| 1.20.28 | 9 / 95 | |
| 1.20.27 | 9 / 95 | |
| 1.20.26 | 16 / 70 | |
| 1.20.25 | 16 / 70 | |
| 1.20.24 | 16 / 70 | |
| 1.20.23 | 16 / 70 | |
| 1.20.22 | 16 / 70 | |
| 1.20.21 | 16 / 70 | |
| 1.20.20 | 15 / 70 | |
| 1.20.19 | 15 / 70 | |
| 1.20.18 | 16 / 70 | |
| 1.20.17 | 18 / 74 | |
| 1.20.16 | 18 / 74 | |
| 1.20.15 | 17 / 26 | |
| 1.20.14 | 17 / 26 | |
| 1.20.13 | 17 / 26 | |
| 1.20.12 | 17 / 26 | |
| 1.20.11 | 17 / 26 | |
| 1.20.10 | 17 / 25 | |
| 1.20.9 | 17 / 25 | |
| 1.20.8 | 17 / 25 | |
| 1.20.5 | 16 / 23 | |
| 1.20.4 | 16 / 23 | |
| 1.20.3 | 16 / 23 | |
| 1.20.2 | 16 / 23 | |
| 1.20.1 | 16 / 23 | |
| 1.20.0 | 16 / 23 | |
| 1.19.18 | 16 / 22 | |
| 1.19.17 | 20 / 23 | |
| 1.19.16 | 20 / 23 | |
| 1.19.15 | 21 / 24 | |
| 1.19.14 | 24 / 13 | |
| 1.19.13 | 24 / 13 | |
| 1.19.12 | 24 / 13 | |
| 1.19.11 | 24 / 13 | |
| 1.19.10 | 24 / 13 | |
| 1.19.9 | 24 / 13 | |
| 1.19.8 | 25 / 13 | |
| 1.19.7 | 24 / 13 | |
| 1.19.6 | 24 / 13 | |
| 1.19.5 | 24 / 14 | |
| 1.19.4 | 24 / 14 | |
| 1.19.3 | 24 / 14 | |
| 1.19.2 | 24 / 14 | |
| 1.19.1 | 24 / 14 | |
| 1.19.0 | 24 / 14 | |
| 1.18.5 | 24 / 14 | |
v2.0.1
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atrouw.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atrouw.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.23.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.20.29
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: xyo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.28
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: xyo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.27
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: xyo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.26
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jonesmac.
This version was published by a different npm account than previous versions on 2026-04-23. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.25
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jonesmac.
This version was published by a different npm account than previous versions on 2026-04-22. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.24
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jonesmac.
This version was published by a different npm account than previous versions on 2026-04-22. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.23
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jonesmac.
This version was published by a different npm account than previous versions on 2026-04-22. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.22
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jonesmac.
This version was published by a different npm account than previous versions on 2026-04-21. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.21
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: xyo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.20
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jonesmac.
This version was published by a different npm account than previous versions on 2026-04-17. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.19
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: xyo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.18
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: xyo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.17
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jonesmac.
This version was published by a different npm account than previous versions on 2026-04-09. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.16
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jonesmac.
This version was published by a different npm account than previous versions on 2026-04-08. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.15
2 findings
This version was published by a different npm account than previous versions on 2026-04-01. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.14
2 findings
This version was published by a different npm account than previous versions on 2026-04-01. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.13
2 findings
This version was published by a different npm account than previous versions on 2026-04-01. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.12
2 findings
This version was published by a different npm account than previous versions on 2026-03-30. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.11
2 findings
This version was published by a different npm account than previous versions on 2026-03-30. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.10
2 findings
This version was published by a different npm account than previous versions on 2026-03-26. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.9
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.8
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.5
2 findings
This version was published by a different npm account than previous versions on 2026-03-10. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.4
2 findings
This version was published by a different npm account than previous versions on 2026-03-09. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.3
2 findings
This version was published by a different npm account than previous versions on 2026-03-09. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.2
2 findings
This version was published by a different npm account than previous versions on 2026-03-09. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.19.18
2 findings
This version was published by a different npm account than previous versions on 2026-02-25. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.19.17
2 findings
This version was published by a different npm account than previous versions on 2026-02-24. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.19.16
2 findings
This version was published by a different npm account than previous versions on 2026-02-20. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.19.15
2 findings
This version was published by a different npm account than previous versions on 2026-02-17. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.19.14
2 findings
This version was published by a different npm account than previous versions on 2026-02-12. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.19.13
2 findings
This version was published by a different npm account than previous versions on 2026-02-12. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.19.12
2 findings
This version was published by a different npm account than previous versions on 2026-02-12. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.19.11
2 findings
This version was published by a different npm account than previous versions on 2026-02-12. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.19.10
2 findings
This version was published by a different npm account than previous versions on 2026-02-11. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.19.9
2 findings
This version was published by a different npm account than previous versions on 2026-02-11. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.19.8
2 findings
This version was published by a different npm account than previous versions on 2026-02-10. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.19.7
2 findings
This version was published by a different npm account than previous versions on 2026-02-10. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.19.6
2 findings
This version was published by a different npm account than previous versions on 2026-02-01. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.19.5
2 findings
This version was published by a different npm account than previous versions on 2026-01-30. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.19.4
2 findings
This version was published by a different npm account than previous versions on 2026-01-30. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.19.3
2 findings
This version was published by a different npm account than previous versions on 2026-01-29. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.19.2
2 findings
This version was published by a different npm account than previous versions on 2026-01-29. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.19.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.19.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.