@xyo-network/chain-services
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@xyo-network/chain-modules | AI (dependencies): Same-org monorepo sibling dependency; consistent with the package's established publishing pattern. | ai | |
| provenance | missing-githead | AI (provenance): High-volume xyo publisher with strong track record; likely CI environment change, not a supply chain indicator. | ai | |
| provenance | no-provenance | AI (provenance): Established xyo-network monorepo; provenance not used across the ecosystem. | ai | |
Versions (showing 51 of 106)
| Version | Deps | Published |
|---|---|---|
| 2.0.1 | 4 / 62 | |
| 2.0.0 | 4 / 62 | |
| 1.23.2 | 4 / 62 | |
| 1.20.29 | 4 / 65 | |
| 1.20.28 | 4 / 65 | |
| 1.20.27 | 4 / 66 | |
| 1.20.21 | 8 / 66 | |
| 1.20.18 | 8 / 66 | |
| 1.20.9 | 7 / 14 | |
| 1.20.8 | 7 / 14 | |
| 1.20.1 | 6 / 21 | |
| 1.20.0 | 6 / 21 | |
| 1.19.1 | 19 / 17 | |
| 1.19.0 | 19 / 17 | |
| 1.18.5 | 19 / 17 | |
| 1.18.4 | 19 / 17 | |
| 1.18.2 | 19 / 17 | |
| 1.18.0 | 22 / 17 | |
| 1.17.7 | 24 / 17 | |
| 1.17.6 | 24 / 17 | |
| 1.17.2 | 25 / 17 | |
| 1.17.1 | 25 / 17 | |
| 1.17.0 | 24 / 15 | |
| 1.16.26 | 24 / 15 | |
| 1.16.25 | 24 / 15 | |
| 1.16.20 | 23 / 15 | |
| 1.16.19 | 23 / 15 | |
| 1.16.16 | 23 / 15 | |
| 1.16.15 | 23 / 15 | |
| 1.16.14 | 23 / 15 | |
| 1.16.13 | 23 / 15 | |
| 1.16.10 | 33 / 15 | |
| 1.16.9 | 33 / 15 | |
| 1.16.8 | 32 / 15 | |
| 1.16.7 | 32 / 15 | |
| 1.16.5 | 32 / 15 | |
| 1.16.4 | 32 / 15 | |
| 1.16.3 | 32 / 15 | |
| 1.15.28 | 32 / 15 | |
| 1.15.27 | 32 / 15 | |
| 1.15.26 | 32 / 15 | |
| 1.15.24 | 32 / 15 | |
| 1.15.23 | 32 / 15 | |
| 1.15.22 | 32 / 15 | |
| 1.15.19 | 32 / 15 | |
| 1.15.18 | 32 / 15 | |
| 1.15.17 | 32 / 15 | |
| 1.15.15 | 32 / 15 | |
| 1.15.14 | 32 / 15 | |
| 1.15.8 | 32 / 15 | |
| 1.15.7 | 32 / 15 | |
v2.0.1
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atrouw.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atrouw.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.23.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.20.29
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: xyo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.28
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: xyo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.27
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: xyo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.21
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: xyo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.18
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: xyo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.9
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.8
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.19.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.19.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.17.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.17.6
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.17.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.17.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.17.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.26
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.25
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.20
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.19
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.16
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.15
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.16.14
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.16.13
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.10
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.9
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.8
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.28
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.27
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.26
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.24
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.23
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.22
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.19
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.18
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.17
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.15
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.14
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.8
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.