helia
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): IPFS org migrated from npm-service-account-ipfs to GitHub Actions CI publishing; SLSA provenance attestation confirms the release originates from the official ipfs/helia repo. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Long dormancy reflects IPFS ecosystem restructuring; SLSA provenance and official org repo confirm legitimate resumption of publishing activity. | ai | |
| dependencies | unvetted-dep:@helia/utils | AI (dependencies): Official helia utility package from the same org; expected dependency. | ai | |
| dependencies | unvetted-dep:@libp2p/http | AI (dependencies): Official libp2p HTTP transport; expected dependency for helia. | ai | |
| dependencies | unvetted-dep:@libp2p/ping | AI (dependencies): Official libp2p ping protocol; expected dependency for helia. | ai | |
| dependencies | unvetted-dep:@libp2p/dcutr | AI (dependencies): Official libp2p DCUtR protocol; expected dependency for helia. | ai | |
| dependencies | unvetted-dep:@helia/routers | AI (dependencies): Official helia routers package from the same org; expected dependency. | ai | |
| dependencies | unvetted-dep:@libp2p/config | AI (dependencies): Official libp2p config package; expected dependency for helia. | ai | |
| dependencies | unvetted-dep:@libp2p/webrtc | AI (dependencies): Official libp2p WebRTC transport; expected dependency for helia. | ai | |
| dependencies | unvetted-dep:@libp2p/autonat | AI (dependencies): Official libp2p AutoNAT protocol; expected dependency for helia. | ai | |
| dependencies | unvetted-dep:@libp2p/kad-dht | AI (dependencies): Official libp2p Kademlia DHT; expected dependency for an IPFS implementation. | ai | |
| dependencies | unvetted-dep:ipns | AI (dependencies): ipns is a legitimate IPFS ecosystem package; expected dependency for an IPFS implementation. | ai | |
| dependencies | unvetted-dep:@helia/interface | AI (dependencies): Official helia interface package from the same org; expected dependency. | ai | |
| dependencies | unvetted-dep:@libp2p/keychain | AI (dependencies): Official libp2p keychain package; expected dependency for helia. | ai | |
| dependencies | unvetted-dep:@libp2p/upnp-nat | AI (dependencies): Official libp2p UPnP NAT package; expected dependency for helia. | ai | |
| dependencies | unvetted-dep:@libp2p/websockets | AI (dependencies): Official libp2p WebSockets transport; expected dependency for helia. | ai | |
| dependencies | unvetted-dep:@helia/block-brokers | AI (dependencies): Official helia block brokers package from the same org; expected dependency. | ai | |
| dependencies | unvetted-dep:@chainsafe/libp2p-yamux | AI (dependencies): ChainSafe's libp2p yamux multiplexer; well-known, expected dependency for helia. | ai | |
| dependencies | unvetted-dep:@libp2p/circuit-relay-v2 | AI (dependencies): Official libp2p circuit relay v2; expected dependency for helia. | ai | |
| dependencies | unvetted-dep:@ipshipyard/libp2p-auto-tls | AI (dependencies): IPShipyard auto-TLS package for libp2p; expected dependency for helia networking. | ai | |
| dependencies | unvetted-dep:blockstore-core | AI (dependencies): Core IPFS blockstore package; expected dependency for helia. | ai | |
| dependencies | unvetted-dep:@libp2p/tls | AI (dependencies): Official libp2p TLS transport; expected dependency for helia. | ai | |
Versions (showing 28 of 28)
| Version | Deps | Published |
|---|---|---|
| 6.1.4 | 33 / 5 | |
| 6.1.3 | 33 / 5 | |
| 6.1.2 | 33 / 5 | |
| 6.1.1 | 33 / 5 | |
| 6.1.0 | 33 / 5 | |
| 6.0.22 | 33 / 5 | |
| 6.0.21 | 33 / 5 | |
| 6.0.20 | 33 / 5 | |
| 6.0.19 | 33 / 5 | |
| 6.0.18 | 33 / 5 | |
| 6.0.17 | 33 / 5 | |
| 6.0.16 | 33 / 5 | |
| 6.0.15 | 33 / 5 | |
| 6.0.14 | 33 / 5 | |
| 6.0.13 | 33 / 5 | |
| 6.0.12 | 33 / 5 | |
| 6.0.11 | 33 / 5 | |
| 6.0.10 | 33 / 5 | |
| 6.0.9 | 33 / 5 | |
| 6.0.8 | 33 / 5 | |
| 6.0.7 | 33 / 5 | |
| 6.0.6 | 33 / 5 | |
| 6.0.5 | 33 / 5 | |
| 6.0.4 | 33 / 5 | |
| 6.0.3 | 33 / 5 | |
| 6.0.2 | 33 / 5 | |
| 6.0.1 | 33 / 5 | |
| 6.0.0 | 33 / 5 | |
v6.1.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.1.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.1.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.1.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.1.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.0.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.0.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.0.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.0.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.0.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.0.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.0.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.