dht-rpc — Greenflagged

Make RPC calls over a Kademlia based DHT

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

mafintoshlejeunerenard

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): holepunchto org migrated to GitHub Actions CI publishing with SLSA attestation; stable pattern for this package.	ai	2026/05/20
publish-pattern	dormant-publish	AI (publish-pattern): Dormancy explained by org-level CI migration; SLSA attestation confirms legitimate publish pipeline.	ai	2026/05/20
phantom-deps	phantom-dep:compact-encoding-net	AI (phantom-deps): Used via package.json imports map conditional; not directly imported in JS but legitimately declared.	ai	2026/05/20
dependencies	unvetted-dep:udx-native	AI (dependencies): udx-native is the UDP transport layer for holepunchto ecosystem; expected dependency.	ai	2026/04/29
dependencies	unvetted-dep:nat-sampler	AI (dependencies): nat-sampler is a holepunchto utility for NAT traversal; expected for DHT-RPC.	ai	2026/04/29
dependencies	unvetted-dep:adaptive-timeout	AI (dependencies): adaptive-timeout is a holepunchto utility; stable expected dependency.	ai	2026/04/29
phantom-deps	phantom-dep:bare-events	AI (phantom-deps): bare-events is intentionally used via package.json imports map for Bare runtime; not a direct import by design.	ai	2026/04/29
dependencies	unvetted-dep:compact-encoding-net	AI (dependencies): compact-encoding-net is a holepunchto encoding utility; expected dependency.	ai	2026/04/29
dependencies	unvetted-dep:kademlia-routing-table	AI (dependencies): kademlia-routing-table is a core holepunchto DHT component; expected dependency.	ai	2026/04/29
dependencies	unvetted-dep:time-ordered-set	AI (dependencies): time-ordered-set is a holepunchto data structure utility; expected dependency.	ai	2026/04/29
dependencies	unvetted-dep:b4a	AI (dependencies): b4a is a well-known holepunchto utility; stable dependency for this package.	ai	2026/04/29
dependencies	unvetted-dep:streamx	AI (dependencies): streamx is a core holepunchto streaming library; expected dependency.	ai	2026/04/29

Versions (showing 21 of 21)

Version	Deps	Published
6.27.0	12 / 5	2026-05-05
6.26.4	12 / 5	2026-04-13
6.26.3	12 / 5	2026-02-20
6.26.2	12 / 5	2026-02-18
6.26.1	12 / 5	2026-02-13
6.26.0	12 / 5	2026-02-10
6.25.1	12 / 5	2026-02-10
6.25.0	12 / 5	2026-02-09
6.24.3	12 / 5	2026-02-06
6.24.2	12 / 5	2026-01-16
6.24.1	12 / 5	2026-01-16
6.24.0	12 / 5	2026-01-16
6.23.2	11 / 5	2026-01-11
6.23.1	11 / 5	2026-01-05
6.23.0	11 / 5	2026-01-05
6.22.0	11 / 5	2025-12-29
6.21.0	11 / 5	2025-12-29
6.20.2	11 / 5	2025-12-16
6.20.1	11 / 4	2025-10-07
6.20.0	11 / 4	2025-10-07
6.19.0	11 / 4	2025-10-07

v6.27.0

2 findings

HIGH Publisher changed: lejeunerenard → GitHub Actions (on 2026-05-05) provenance

This version was published by a different npm account than previous versions on 2026-05-05. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.