mppx
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | no-description | AI (npm-metadata): Private workspace package; missing description is expected and not a malice indicator here. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New files are test sources; package has SLSA provenance and strong ecosystem trust. | ai | |
| source-diff | encoded-string-file:src/tempo/server/Charge.test.ts | AI (source-diff): Long hex string is a test fixture (fake EIP-1559 tx) in a test file, not a malicious payload. | ai | |
| dependencies | unvetted-dep:ox | AI (dependencies): ox is a well-known Ethereum primitives library from the wevm org (same team as viem/mppx); its use is expected and appropriate for this package. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): env-spread occurs in test files (cli.test.ts) to pass environment to subprocesses — standard test pattern, not credential exfiltration. | ai | |
| typosquat | typosquat.levenshtein:mobx | AI (typosquat): mppx is the package's own brand name (part of @mppx/* monorepo with 59 versions), not a typosquat of mobx. | ai | |
| semgrep | semgrep:shady-links-tlds | AI (semgrep): rpc.tempo.xyz is a legitimate blockchain RPC endpoint; .xyz TLD is standard in Web3 projects. Appears in test assertions. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Raw IP 127.0.0.1 is localhost used in integration tests for local test server setup — completely benign. | ai | |
Versions (showing 33 of 33)
| Version | Deps | Published |
|---|---|---|
| 0.6.31 | 3 / 0 | |
| 0.6.30 | 3 / 0 | |
| 0.6.29 | 3 / 0 | |
| 0.6.26 | 3 / 0 | |
| 0.6.25 | 3 / 0 | |
| 0.6.24 | 3 / 0 | |
| 0.6.23 | 3 / 0 | |
| 0.6.22 | 3 / 0 | |
| 0.6.21 | 3 / 0 | |
| 0.6.20 | 3 / 0 | |
| 0.6.19 | 3 / 0 | |
| 0.6.10 | 3 / 0 | |
| 0.6.9 | 3 / 0 | |
| 0.6.8 | 3 / 0 | |
| 0.6.7 | 3 / 0 | |
| 0.6.6 | 3 / 0 | |
| 0.6.5 | 3 / 0 | |
| 0.6.3 | 3 / 0 | |
| 0.6.2 | 3 / 0 | |
| 0.6.1 | 3 / 0 | |
| 0.5.13 | 3 / 0 | |
| 0.5.11 | 3 / 0 | |
| 0.5.10 | 3 / 0 | |
| 0.5.9 | 5 / 0 | |
| 0.5.8 | 5 / 0 | |
| 0.5.7 | 5 / 0 | |
| 0.5.6 | 5 / 0 | |
| 0.5.5 | 5 / 0 | |
| 0.5.4 | 5 / 0 | |
| 0.5.1 | 5 / 0 | |
| 0.5.0 | 5 / 0 | |
| 0.4.12 | 5 / 0 | |
| 0.4.11 | 5 / 0 | |
Findings per version
Every listed version carries the same provenance finding: "Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal." Any further finding is given in the last column.
| Version | Findings | Additional finding |
|---|---|---|
| 0.6.31 | 1 | |
| 0.6.30 | 1 | |
| 0.6.29 | 1 | |
| 0.6.26 | 1 | |
| 0.6.25 | 1 | |
| 0.6.24 | 1 | |
| 0.6.23 | 1 | |
| 0.6.22 | 1 | |
| 0.6.21 | 1 | |
| 0.6.20 | 1 | |
| 0.6.19 | 1 | |
| 0.6.10 | 1 | |
| 0.6.9 | 1 | |
| 0.6.8 | 1 | |
| 0.6.7 | 1 | |
| 0.6.6 | 2 | Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads. |
| 0.6.5 | 1 | |
| 0.6.3 | 1 | |
| 0.6.2 | 1 | |
| 0.6.1 | 1 | |
| 0.5.13 | 1 | |
| 0.5.11 | 1 | |
| 0.5.10 | 1 | |
| 0.5.9 | 1 | |
| 0.5.8 | 1 | |
| 0.5.7 | 1 | |
| 0.5.6 | 1 | |
| 0.5.5 | 1 | |
| 0.5.4 | 1 | |
| 0.5.1 | 1 | |
| 0.5.0 | 1 | |
| 0.4.12 | 1 | |
| 0.4.11 | 1 | |