@xyo-network/xl1-protocol
XYO Layer One Protocol - All Protocol Packages
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-added | AI (maintainer-change): atrouw is a known maintainer matched by email; large approved track record confirms legitimacy. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): xyo removed as part of routine maintainer rotation within the same org; no takeover indicators. | ai | |
| provenance | publisher-changed | AI (provenance): joelbcarter is an established publisher (1813 approved) in the same org; transition appears legitimate. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Standard ArrayBuffer utility using Buffer.from for base64 decoding; not obfuscation. | ai | |
| dependencies | unvetted-dep:@xyo-network/module-events | AI (dependencies): Sibling package within the same @xyo-network org; stable false positive for this package family. | ai | |
| bogus-package | bogus-package | AI (bogus-package): XYO Network org consistently uses link-dump READMEs and omits keywords; not indicative of spam or phishing for this publisher. | ai | |
| provenance | no-provenance | AI (provenance): Established org package with strong publisher track record; provenance gap is a process concern, not a security block. | ai | |
Versions (showing 100 of 463)
| Version | Deps | Published |
|---|---|---|
| 1.12.108 | 14 / 16 | |
| 1.12.107 | 14 / 16 | |
| 1.12.106 | 14 / 16 | |
| 1.12.105 | 14 / 16 | |
| 1.12.104 | 14 / 16 | |
| 1.12.103 | 14 / 16 | |
| 1.12.102 | 14 / 16 | |
| 1.12.101 | 14 / 16 | |
| 1.12.100 | 14 / 16 | |
| 1.12.99 | 14 / 16 | |
| 1.12.98 | 14 / 16 | |
| 1.12.97 | 14 / 16 | |
| 1.12.95 | 14 / 16 | |
| 1.12.94 | 14 / 16 | |
| 1.12.93 | 14 / 16 | |
| 1.12.92 | 14 / 16 | |
| 1.12.91 | 14 / 16 | |
| 1.12.90 | 14 / 16 | |
| 1.12.89 | 14 / 16 | |
| 1.12.88 | 14 / 16 | |
| 1.12.87 | 14 / 16 | |
| 1.12.86 | 14 / 16 | |
| 1.12.85 | 14 / 16 | |
| 1.12.84 | 14 / 16 | |
| 1.12.83 | 14 / 16 | |
| 1.12.82 | 14 / 16 | |
| 1.12.81 | 14 / 16 | |
| 1.12.80 | 14 / 16 | |
| 1.12.79 | 14 / 16 | |
| 1.12.78 | 14 / 16 | |
| 1.12.77 | 14 / 16 | |
| 1.12.76 | 14 / 16 | |
| 1.12.75 | 14 / 16 | |
| 1.12.74 | 14 / 16 | |
| 1.12.73 | 14 / 16 | |
| 1.12.72 | 14 / 16 | |
| 1.12.71 | 14 / 16 | |
| 1.12.70 | 14 / 16 | |
| 1.12.69 | 14 / 16 | |
| 1.12.68 | 14 / 16 | |
| 1.12.67 | 14 / 16 | |
| 1.12.66 | 14 / 16 | |
| 1.12.65 | 14 / 16 | |
| 1.12.64 | 14 / 16 | |
| 1.12.63 | 14 / 16 | |
| 1.12.62 | 14 / 16 | |
| 1.12.61 | 14 / 16 | |
| 1.12.60 | 14 / 16 | |
| 1.12.59 | 14 / 16 | |
| 1.12.58 | 14 / 16 | |
| 1.12.57 | 14 / 16 | |
| 1.12.56 | 14 / 16 | |
| 1.12.55 | 14 / 16 | |
| 1.12.54 | 14 / 16 | |
| 1.12.53 | 14 / 16 | |
| 1.12.52 | 14 / 16 | |
| 1.12.51 | 14 / 16 | |
| 1.12.50 | 14 / 16 | |
| 1.12.49 | 14 / 16 | |
| 1.12.48 | 14 / 16 | |
| 1.12.47 | 14 / 16 | |
| 1.12.46 | 14 / 16 | |
| 1.12.45 | 14 / 16 | |
| 1.12.44 | 14 / 16 | |
| 1.12.43 | 14 / 16 | |
| 1.12.42 | 14 / 16 | |
| 1.12.41 | 14 / 16 | |
| 1.12.40 | 14 / 16 | |
| 1.12.39 | 13 / 16 | |
| 1.12.37 | 13 / 16 | |
| 1.12.36 | 13 / 16 | |
| 1.12.35 | 13 / 16 | |
| 1.12.34 | 13 / 16 | |
| 1.12.33 | 13 / 16 | |
| 1.12.32 | 13 / 16 | |
| 1.12.31 | 13 / 16 | |
| 1.12.30 | 13 / 16 | |
| 1.12.29 | 13 / 16 | |
| 1.12.28 | 13 / 16 | |
| 1.12.27 | 13 / 16 | |
| 1.12.26 | 13 / 16 | |
| 1.12.25 | 13 / 16 | |
| 1.12.24 | 13 / 16 | |
| 1.12.23 | 13 / 16 | |
| 1.12.22 | 13 / 16 | |
| 1.12.21 | 13 / 16 | |
| 1.12.20 | 13 / 16 | |
| 1.12.19 | 13 / 16 | |
| 1.12.18 | 13 / 16 | |
| 1.12.17 | 13 / 16 | |
| 1.12.16 | 13 / 16 | |
| 1.12.15 | 13 / 16 | |
| 1.12.14 | 13 / 16 | |
| 1.12.13 | 13 / 16 | |
| 1.12.12 | 13 / 16 | |
| 1.12.11 | 14 / 16 | |
| 1.12.10 | 14 / 16 | |
| 1.12.9 | 14 / 16 | |
| 1.12.8 | 14 / 16 | |
| 1.12.7 | 14 / 16 | |
v1.12.108
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.107
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.106
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.105
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.104
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.103
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.102
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.101
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.100
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.99
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.98
2 findings: This version was published by a different npm account than previous versions on 2025-11-03. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.97
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.95
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.94
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.93
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.92
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.91
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.90
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.89
2 findings: This version was published by a different npm account than previous versions on 2025-10-30. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.88
2 findings: This version was published by a different npm account than previous versions on 2025-10-30. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.87
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.86
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.85
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.84
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.83
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.82
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.81
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.80
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.79
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.78
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.77
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.76
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.75
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.74
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.73
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.72
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.71
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.70
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.69
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.68
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.67
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.66
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.65
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.64
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.63
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.62
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.61
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.60
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.59
2 findings: This version was published by a different npm account than previous versions on 2025-10-09. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.58
2 findings: This version was published by a different npm account than previous versions on 2025-10-09. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.57
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.56
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.55
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.54
2 findings: This version was published by a different npm account than previous versions on 2025-10-07. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.53
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.52
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.51
2 findings: This version was published by a different npm account than previous versions on 2025-10-06. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.50
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.49
2 findings: This version was published by a different npm account than previous versions on 2025-10-03. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.48
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.47
2 findings: This version was published by a different npm account than previous versions on 2025-10-02. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.46
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.45
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.44
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.43
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.42
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.41
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.40
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.39
2 findings: This version was published by a different npm account than previous versions on 2025-09-28. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.37
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.36
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.35
2 findings: This version was published by a different npm account than previous versions on 2025-09-25. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.34
2 findings: This version was published by a different npm account than previous versions on 2025-09-25. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.33
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.32
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.31
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.30
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.29
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.28
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.27
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.26
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.25
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.24
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.23
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.22
2 findings: This version was published by a different npm account than previous versions on 2025-09-09. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.21
2 findings: This version was published by a different npm account than previous versions on 2025-09-08. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.20
2 findings: This version was published by a different npm account than previous versions on 2025-09-08. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.19
2 findings: This version was published by a different npm account than previous versions on 2025-09-07. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.18
2 findings: This version was published by a different npm account than previous versions on 2025-09-07. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.17
2 findings: This version was published by a different npm account than previous versions on 2025-09-06. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.16
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.15
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.14
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.13
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.12
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.11
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.10
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.9
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.