@xyo-network/xl1-cli
XYO Layer One CLI
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:msgpackr-extract | AI (phantom-deps): Peer/optional native dep for lmdb; not directly imported but legitimately declared for runtime use. | ai | |
| source-diff | encoded-string-file:dist/cli-min.mjs | AI (source-diff): Rollup-minified CLI bundle; long encoded strings are standard bundler output for this package. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/resources | AI (phantom-deps): Instrumentation framework; used dynamically; stable false positive. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/sdk-metrics | AI (phantom-deps): Instrumentation framework; used dynamically; stable false positive. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/host-metrics | AI (phantom-deps): Instrumentation framework; used dynamically; stable false positive. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/sdk-trace-base | AI (phantom-deps): Instrumentation framework; used dynamically; stable false positive. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/instrumentation | AI (phantom-deps): Instrumentation framework; used dynamically; stable false positive. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/context-async-hooks | AI (phantom-deps): Instrumentation framework; used dynamically; stable false positive. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/exporter-prometheus | AI (phantom-deps): Instrumentation framework; used dynamically; stable false positive. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/instrumentation-http | AI (phantom-deps): Instrumentation framework; used dynamically; stable false positive. | ai | |
| phantom-deps | phantom-dep:typescript | AI (phantom-deps): Build tool and peer dependency; stable false positive. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/instrumentation-express | AI (phantom-deps): Instrumentation framework; used dynamically; stable false positive. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/exporter-trace-otlp-grpc | AI (phantom-deps): Instrumentation framework; used dynamically; stable false positive. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/exporter-trace-otlp-http | AI (phantom-deps): Instrumentation framework; used dynamically; stable false positive. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/instrumentation-runtime-node | AI (phantom-deps): Instrumentation framework; used dynamically; stable false positive. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/semantic-conventions | AI (phantom-deps): Instrumentation framework; used dynamically; stable false positive. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/core | AI (phantom-deps): Instrumentation framework; used dynamically; stable false positive. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/api | AI (phantom-deps): Config-referenced optional instrumentation; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:mongodb | AI (phantom-deps): Config-referenced optional storage backend; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:lmdb | AI (phantom-deps): Config-referenced optional storage backend; stable pattern for this package. | ai |
Versions (showing 31 of 31)
| Version | Deps | Published |
|---|---|---|
| 1.23.0 | 19 / 116 | |
| 1.22.0 | 20 / 120 | |
| 1.16.5 | 17 / 39 | |
| 1.16.4 | 17 / 39 | |
| 1.16.3 | 17 / 39 | |
| 1.15.25 | 17 / 39 | |
| 1.15.21 | 17 / 39 | |
| 1.15.20 | 17 / 39 | |
| 1.15.16 | 17 / 39 | |
| 1.15.13 | 17 / 39 | |
| 1.15.12 | 17 / 39 | |
| 1.15.11 | 17 / 39 | |
| 1.15.10 | 17 / 39 | |
| 1.15.9 | 17 / 39 | |
| 1.15.6 | 17 / 39 | |
| 1.15.0 | 17 / 39 | |
| 1.14.2 | 17 / 39 | |
| 1.14.1 | 17 / 39 | |
| 1.14.0 | 2 / 40 | |
| 1.12.6 | 2 / 38 | |
| 1.12.0 | 1 / 48 | |
| 1.11.0 | 1 / 48 | |
| 1.10.0 | 1 / 48 | |
| 1.9.0 | 1 / 48 | |
| 1.8.1 | 1 / 48 | |
| 1.8.0 | 1 / 48 | |
| 1.7.11 | 1 / 48 | |
| 1.7.10 | 1 / 48 | |
| 1.7.9 | 1 / 48 | |
| 1.7.7 | 1 / 48 | |
| 1.7.6 | 1 / 48 |
v1.23.0
4 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atrouw.
Modified file contains 18 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (atrouw) than the most recent previously approved version (jonesmac) on 2026-05-12, but atrouw is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.22.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.16.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.16.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.16.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.25
2 findingsModified file contains 19 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.21
2 findingsModified file contains 19 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.20
2 findingsModified file contains 19 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.16
2 findingsModified file contains 19 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.13
2 findingsModified file contains 19 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.12
2 findingsModified file contains 19 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.11
2 findingsModified file contains 19 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.10
2 findingsModified file contains 19 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.9
2 findingsModified file contains 19 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.6
2 findingsModified file contains 19 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.0
2 findingsModified file contains 18 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.14.2
2 findingsModified file contains 18 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.14.1
2 findingsModified file contains 17 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.14.0
2 findingsModified file contains 17 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.6
2 findingsModified file contains 12 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.0
2 findingsModified file contains 12 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.0
2 findingsModified file contains 12 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.0
2 findingsModified file contains 14 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.9.0
2 findingsModified file contains 14 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.1
2 findingsModified file contains 14 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.0
2 findingsModified file contains 14 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.11
2 findingsModified file contains 14 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.10
2 findingsModified file contains 14 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.9
2 findingsModified file contains 14 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.