near-sandbox
CLI tool for testing NEAR smart contracts
4
Versions
MIT
License
No
Install Scripts
Verified
Provenance
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
No source commit
Maintainers
frolsirwillemchaotictempest
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| install-scripts | install-script:postinstall | AI (install-scripts): Official NEAR sandbox binary fetcher; stable pattern across all versions of this package. | ai | |
| install-scripts | install-script:preinstall | AI (install-scripts): Cleanup of prior sandbox binary installation; stable pattern across all versions of this package. | ai |
Versions (showing 4 of 4)
| Version | Deps | Published |
|---|---|---|
| 0.3.0 | 5 / 20 | |
| 0.2.1 | 6 / 19 | |
| 0.2.0 | 6 / 17 | |
| 0.1.5 | 2 / 10 |
v0.3.0
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.1
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.0
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.5
3 findings
HIGH
Package has 'preinstall' script
install-scripts
Script: node ./uninstall.js
HIGH
Package has 'postinstall' script
install-scripts
Script: node ./install.js
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.