← Home

starknet

npm Repository Homepage
7
Versions
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

tonitabakbbrandtom

Keywords

starknetcairostarkwarel2zkrollup

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
npm-metadata url-dep:starknet_specs AI (npm-metadata): devDependency only; pinned GitHub tag from official starkware-libs org; no runtime impact. ai
npm-metadata url-dep:starknet_specs_08 AI (npm-metadata): devDependency only; pinned GitHub tag from official starkware-libs org; no runtime impact. ai
dependencies unvetted-dep:@starknet-io/starknet-types-08 AI (dependencies): Type-only package from official starknet-io org; stable pattern for this package. ai
dependencies unvetted-dep:@starknet-io/starknet-types-0101 AI (dependencies): First-party starknet-io type definitions added in this version; stable false positive. ai
dependencies unvetted-dep:abi-wan-kanabi AI (dependencies): Known StarkNet ABI utility; stable dep for this package. ai
dependencies unvetted-dep:@starknet-io/get-starknet-wallet-standard AI (dependencies): First-party @starknet-io wallet standard package; stable for this package. ai
dependencies unvetted-dep:@scure/starknet AI (dependencies): Paul Miller's @scure cryptography library; well-known and audited. ai
dependencies unvetted-dep:@starknet-io/starknet-types-09 AI (dependencies): First-party @starknet-io types package; stable for this package. ai
dependencies unvetted-dep:@starknet-io/starknet-types-010 AI (dependencies): First-party @starknet-io types package; stable for this package. ai

Versions (showing 7 of 7)

Version Deps Published
10.0.2 9 / 44
10.0.1 9 / 44
10.0.0 9 / 44
9.4.2 11 / 45
9.0.0 10 / 45
8.9.2 10 / 45
8.7.0 10 / 45

v10.0.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v10.0.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v10.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v9.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.9.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.7.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.