@xyo-network/chain-orchestration
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Transition to org account 'xyo' with 3589 approved packages; consistent with org-level publishing consolidation for xylabs packages. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Growth reflects legitimate refactor adding first-party @xyo-network modules, not injected foreign code. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase consistent with adding 17 first-party deps and their source files in a monorepo refactor. | ai | |
| provenance | missing-githead | AI (provenance): High-volume trusted publisher; missing gitHead likely reflects CI pipeline change, not malicious publish. | ai | |
| dependencies | unvetted-dep:@xyo-network/chain-sdk | AI (dependencies): Same-org monorepo sibling at matching version; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@xyo-network/chain-orchestration-storage | AI (dependencies): Same-org monorepo sibling at matching version; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@xyo-network/chain-orchestration-evm | AI (dependencies): Same-org monorepo sibling at matching version; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@xyo-network/chain-services | AI (dependencies): Same-org monorepo sibling at matching version; stable false positive for this package. | ai | |
Versions (showing 100 of 225)
| Version | Deps | Published |
|---|---|---|
| 1.15.14 | 15 / 6 | |
| 1.15.13 | 15 / 6 | |
| 1.15.12 | 15 / 6 | |
| 1.15.11 | 15 / 6 | |
| 1.15.10 | 15 / 6 | |
| 1.15.9 | 15 / 6 | |
| 1.15.8 | 15 / 6 | |
| 1.15.7 | 15 / 6 | |
| 1.15.6 | 15 / 6 | |
| 1.15.5 | 15 / 6 | |
| 1.15.4 | 15 / 6 | |
| 1.15.3 | 15 / 6 | |
| 1.15.2 | 15 / 6 | |
| 1.15.1 | 15 / 6 | |
| 1.15.0 | 15 / 6 | |
| 1.14.4 | 15 / 6 | |
| 1.14.3 | 15 / 6 | |
| 1.14.2 | 15 / 6 | |
| 1.14.1 | 15 / 6 | |
| 1.14.0 | 15 / 6 | |
| 1.13.0 | 15 / 6 | |
| 1.12.14 | 15 / 6 | |
| 1.12.13 | 15 / 6 | |
| 1.12.12 | 15 / 6 | |
| 1.12.11 | 15 / 6 | |
| 1.12.10 | 15 / 6 | |
| 1.12.9 | 15 / 6 | |
| 1.12.8 | 15 / 6 | |
| 1.12.7 | 15 / 6 | |
| 1.12.6 | 15 / 5 | |
| 1.12.5 | 15 / 5 | |
| 1.12.4 | 15 / 5 | |
| 1.12.3 | 15 / 5 | |
| 1.12.2 | 15 / 5 | |
| 1.12.1 | 15 / 5 | |
| 1.12.0 | 15 / 5 | |
| 1.11.0 | 15 / 5 | |
| 1.10.2 | 15 / 5 | |
| 1.10.1 | 15 / 5 | |
| 1.10.0 | 15 / 5 | |
| 1.9.0 | 15 / 6 | |
| 1.8.4 | 15 / 6 | |
| 1.8.3 | 15 / 6 | |
| 1.8.2 | 15 / 6 | |
| 1.8.1 | 15 / 6 | |
| 1.8.0 | 15 / 6 | |
| 1.7.20 | 15 / 6 | |
| 1.7.19 | 15 / 6 | |
| 1.7.18 | 15 / 6 | |
| 1.7.17 | 15 / 6 | |
| 1.7.16 | 15 / 6 | |
| 1.7.15 | 15 / 6 | |
| 1.7.14 | 15 / 6 | |
| 1.7.13 | 15 / 6 | |
| 1.7.12 | 15 / 6 | |
| 1.7.11 | 15 / 6 | |
| 1.7.10 | 15 / 6 | |
| 1.7.9 | 15 / 6 | |
| 1.7.8 | 15 / 6 | |
| 1.7.7 | 15 / 6 | |
| 1.7.6 | 15 / 6 | |
| 1.7.4 | 15 / 6 | |
| 1.7.1 | 14 / 6 | |
| 1.7.0 | 14 / 6 | |
| 1.6.6 | 14 / 6 | |
| 1.6.5 | 14 / 6 | |
| 1.6.4 | 14 / 6 | |
| 1.6.3 | 14 / 6 | |
| 1.6.2 | 14 / 6 | |
| 1.6.1 | 14 / 6 | |
| 1.6.0 | 14 / 6 | |
| 1.5.37 | 14 / 6 | |
| 1.5.36 | 14 / 6 | |
| 1.5.35 | 14 / 6 | |
| 1.5.34 | 14 / 6 | |
| 1.5.33 | 14 / 6 | |
| 1.5.32 | 14 / 6 | |
| 1.5.31 | 14 / 6 | |
| 1.5.30 | 14 / 6 | |
| 1.5.29 | 14 / 6 | |
| 1.5.28 | 14 / 6 | |
| 1.5.27 | 14 / 6 | |
| 1.5.26 | 14 / 6 | |
| 1.5.25 | 14 / 6 | |
| 1.5.24 | 14 / 6 | |
| 1.5.23 | 14 / 6 | |
| 1.5.22 | 14 / 6 | |
| 1.5.21 | 14 / 6 | |
| 1.5.20 | 14 / 6 | |
| 1.5.19 | 14 / 6 | |
| 1.5.18 | 14 / 6 | |
| 1.5.17 | 14 / 6 | |
| 1.5.16 | 14 / 6 | |
| 1.5.15 | 14 / 6 | |
| 1.5.14 | 14 / 6 | |
| 1.5.13 | 14 / 6 | |
| 1.5.12 | 14 / 6 | |
| 1.5.11 | 14 / 6 | |
| 1.5.10 | 14 / 6 | |
| 1.5.9 | 14 / 6 | |
v1.15.14
2 findings
This version was published by a different npm account than previous versions on 2025-10-22. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.13
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.12
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.11
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.10
2 findings
This version was published by a different npm account than previous versions on 2025-10-21. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.9
2 findings
This version was published by a different npm account than previous versions on 2025-10-17. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.8
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.6
2 findings
This version was published by a different npm account than previous versions on 2025-10-15. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.4
2 findings
This version was published by a different npm account than previous versions on 2025-10-15. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.2
2 findings
This version was published by a different npm account than previous versions on 2025-09-29. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.1
2 findings
This version was published by a different npm account than previous versions on 2025-09-22. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.0
2 findings
This version was published by a different npm account than previous versions on 2025-09-15. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.14.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.14.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.14.2
2 findings
This version was published by a different npm account than previous versions on 2025-09-03. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.14.1
2 findings
This version was published by a different npm account than previous versions on 2025-08-28. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.14.0
2 findings
This version was published by a different npm account than previous versions on 2025-08-28. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.0
2 findings
This version was published by a different npm account than previous versions on 2025-08-27. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.14
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.13
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.12
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.11
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.10
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.9
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.8
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.6
2 findings
This version was published by a different npm account than previous versions on 2025-08-18. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.0
2 findings
This version was published by a different npm account than previous versions on 2025-08-12. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.0
2 findings
This version was published by a different npm account than previous versions on 2025-08-08. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.0
2 findings
This version was published by a different npm account than previous versions on 2025-08-06. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.9.0
2 findings
This version was published by a different npm account than previous versions on 2025-07-30. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.4
2 findings
This version was published by a different npm account than previous versions on 2025-07-29. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.3
2 findings
This version was published by a different npm account than previous versions on 2025-07-29. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.2
2 findings
This version was published by a different npm account than previous versions on 2025-07-28. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.1
2 findings
This version was published by a different npm account than previous versions on 2025-07-28. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.0
2 findings
This version was published by a different npm account than previous versions on 2025-07-28. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.20
2 findings
This version was published by a different npm account than previous versions on 2025-07-28. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.19
2 findings
This version was published by a different npm account than previous versions on 2025-07-25. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.18
2 findings
This version was published by a different npm account than previous versions on 2025-07-24. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.17
2 findings
This version was published by a different npm account than previous versions on 2025-07-24. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.16
2 findings
This version was published by a different npm account than previous versions on 2025-07-24. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.15
2 findings
This version was published by a different npm account than previous versions on 2025-07-24. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.14
2 findings
This version was published by a different npm account than previous versions on 2025-07-23. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.13
2 findings
This version was published by a different npm account than previous versions on 2025-07-23. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.12
2 findings
This version was published by a different npm account than previous versions on 2025-07-23. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.11
2 findings
This version was published by a different npm account than previous versions on 2025-07-21. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.10
2 findings
This version was published by a different npm account than previous versions on 2025-07-21. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.9
2 findings
This version was published by a different npm account than previous versions on 2025-07-21. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.8
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.7
2 findings
This version was published by a different npm account than previous versions on 2025-07-18. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.6
2 findings
This version was published by a different npm account than previous versions on 2025-07-18. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.0
2 findings
This version was published by a different npm account than previous versions on 2025-07-14. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.6
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.0
2 findings
This version was published by a different npm account than previous versions on 2025-07-03. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.37
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.36
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.35
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.34
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.33
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.32
2 findings
This version was published by a different npm account than previous versions on 2025-06-13. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.31
2 findings
This version was published by a different npm account than previous versions on 2025-06-13. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.30
2 findings
This version was published by a different npm account than previous versions on 2025-06-12. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.29
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.28
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.27
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.26
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.25
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.24
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.23
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.22
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.21
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.20
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.19
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.18
2 findings
This version was published by a different npm account than previous versions on 2025-06-06. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.17
2 findings
This version was published by a different npm account than previous versions on 2025-06-06. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.16
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.15
2 findings
This version was published by a different npm account than previous versions on 2025-06-05. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.14
2 findings
This version was published by a different npm account than previous versions on 2025-06-05. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.13
2 findings
This version was published by a different npm account than previous versions on 2025-06-04. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.12
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.11
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.10
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.9
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.