peerbit
Peerbit client
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@sqlite.org/sqlite-wasm | AI (dependencies): Official SQLite WASM package from sqlite.org; expected dependency for browser-side indexer in this p2p database client. | ai | |
| provenance | no-provenance | AI (provenance): Established package; no provenance is consistent across all prior versions. | ai | |
| phantom-deps | phantom-dep:memory-level | AI (phantom-deps): Peer/optional dep for in-memory storage; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@peerbit/time | AI (phantom-deps): Own-ecosystem dep; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@dao-xyz/borsh | AI (phantom-deps): Own-ecosystem dep; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@peerbit/build-assets | AI (phantom-deps): Build tooling dep; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:level | AI (phantom-deps): level is a peer/optional runtime dep re-exported by datastore-level; not directly imported but legitimately declared. | ai | |
| phantom-deps | phantom-dep:@peerbit/indexer-simple | AI (phantom-deps): Own-ecosystem dep; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@sqlite.org/sqlite-wasm | AI (phantom-deps): Platform-specific WASM binary; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@peerbit/stream-interface | AI (phantom-deps): Own-ecosystem dep; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@peerbit/any-store-opfs | AI (phantom-deps): Browser-specific dep; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:p-queue | AI (phantom-deps): Utility dep used transitively; phantom-dep heuristic false positive for this package. | ai |
Versions (showing 31 of 31)
| Version | Deps | Published |
|---|---|---|
| 5.2.20 | 35 / 5 | |
| 5.2.19 | 35 / 5 | |
| 5.2.18 | 35 / 5 | |
| 5.2.17 | 35 / 5 | |
| 5.2.16 | 35 / 5 | |
| 5.2.15 | 35 / 5 | |
| 5.2.14 | 35 / 5 | |
| 5.2.13 | 35 / 5 | |
| 5.2.12 | 35 / 5 | |
| 5.2.11 | 35 / 5 | |
| 5.2.9 | 35 / 5 | |
| 5.2.8 | 35 / 5 | |
| 5.2.3 | 35 / 5 | |
| 5.2.2 | 35 / 5 | |
| 5.2.1 | 35 / 5 | |
| 5.2.0 | 35 / 5 | |
| 5.1.0 | 35 / 5 | |
| 5.0.10 | 35 / 5 | |
| 5.0.9 | 35 / 5 | |
| 5.0.8 | 35 / 5 | |
| 5.0.7 | 35 / 5 | |
| 5.0.3 | 35 / 5 | |
| 5.0.2 | 35 / 5 | |
| 4.4.19 | 35 / 5 | |
| 4.4.17 | 35 / 5 | |
| 4.4.15 | 35 / 5 | |
| 4.4.12 | 35 / 5 | |
| 4.4.7 | 35 / 5 | |
| 4.4.6 | 35 / 5 | |
| 4.4.5 | 35 / 5 | |
| 4.4.4 | 35 / 5 |
v5.2.20
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.19
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.18
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.17
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.16
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.2.15
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.14
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.2.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.2.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.2.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.2.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.10
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.9
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.4.19
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.4.17
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.4.15
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.4.12
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.4.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.4.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.4.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.4.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.