hyperdht — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

mafintoshlejeunerenardandrewosh

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): holepunchto org uses GitHub Actions for publishing; SLSA attestation confirms CI-based release pipeline.	ai	2026/05/03
publish-pattern	dormant-publish	AI (publish-pattern): SLSA provenance attestation and no code changes confirm legitimate release despite dormancy gap.	ai	2026/05/03
dependencies	unvetted-dep:xache	AI (dependencies): Known Holepunch ecosystem cache library; stable dependency.	ai	2026/04/29
dependencies	unvetted-dep:dht-rpc	AI (dependencies): Core DHT-RPC layer for hyperdht; stable Holepunch ecosystem dependency.	ai	2026/04/29
dependencies	unvetted-dep:streamx	AI (dependencies): Well-known Holepunch streams library; stable dependency across versions.	ai	2026/04/29
dependencies	unvetted-dep:b4a	AI (dependencies): Known Holepunch ecosystem utility; stable dependency across hyperdht versions.	ai	2026/04/29
dependencies	unvetted-dep:hyperdht-address	AI (dependencies): Holepunch address utility; stable dependency for hyperdht.	ai	2026/04/29
phantom-deps	phantom-dep:streamx	AI (phantom-deps): streamx is used via conditional imports pattern; phantom-dep is a false positive here.	ai	2026/04/29
phantom-deps	phantom-dep:bare-events	AI (phantom-deps): bare-events is referenced via package.json imports map for Bare runtime; not a direct import by design.	ai	2026/04/29
dependencies	unvetted-dep:blind-relay	AI (dependencies): Holepunch relay library; stable dependency for hyperdht.	ai	2026/04/29
dependencies	unvetted-dep:bogon	AI (dependencies): Known Holepunch ecosystem utility for IP classification; stable dependency.	ai	2026/04/29

Versions (showing 6 of 6)

Version	Deps	Published
6.32.0	19 / 6	2026-05-05
6.31.0	19 / 6	2026-04-30
6.30.0	19 / 6	2026-04-13
6.29.3	19 / 6	2026-03-17
6.28.0	19 / 6	2025-12-29
6.27.1	19 / 6	2025-11-28

v6.32.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.31.0

2 findings

HIGH Publisher changed: lejeunerenard → GitHub Actions (on 2026-04-30) provenance

This version was published by a different npm account than previous versions on 2026-04-30. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.29.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v6.28.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v6.27.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.