udx-native
udx is reliable, multiplexed, and congestion-controlled streams over udp
Supply chain provenance
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-removed | AI (maintainer-change): Org transition to CI publishing; corroborated by SLSA attestation. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher moved to GitHub Actions CI/CD with SLSA provenance; stable for this package. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Dormancy resolved by SLSA-attested CI publish from known org repo. | ai | |
| dependencies | unvetted-dep:streamx | AI (dependencies): streamx is a core Holepunch streaming library; expected dependency for this package. | ai | |
| dependencies | unvetted-dep:b4a | AI (dependencies): b4a is a well-known Holepunch utility used across the ecosystem; stable dependency for this package. | ai | |
| npm-metadata | bundled-binaries | AI (npm-metadata): Native addon package; prebuilt binaries for multiple platforms/runtimes are the documented distribution mechanism. | ai | |
| phantom-deps | phantom-dep:bare-events | AI (phantom-deps): bare-events is used via package.json imports map conditional, not a direct require — phantom-dep heuristic is a false positive here. | ai | |
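The last accepted risk turns on a distinction the phantom-dep heuristic does not make: a package that is only the target of a conditional entry in the package.json `imports` map is not the same thing as a package pulled in by a literal `require()`. The script below, an added example that is not code from udx-native or from the tool that produced this report, splits the two cases so a reviewer can triage them separately. The manifest and source text are constructed; the `#events` key and the `bare` condition name are assumptions used for illustration.

```python
"""Split 'phantom dependency' hits into direct requires vs. imports-map targets.

Added example, not from udx-native or the report tool. package.json and
sources below are constructed; the only real feature relied on is Node's
package.json `imports` map with conditional targets (Bare adds its own
condition names, assumed here to include "bare").
"""
import re

DEP_FIELDS = ("dependencies", "optionalDependencies", "peerDependencies")
# Partial list of Node built-ins, enough for the sample; extend as needed.
NODE_BUILTINS = {"events", "fs", "path", "net", "dgram", "buffer", "stream", "os"}
REQUIRE_RE = re.compile(r"""\brequire\(\s*['"]([^'"]+)['"]\s*\)""")


def package_name(specifier):
    """Package part of a bare specifier; None for relative paths, '#' subpath
    imports and scheme-prefixed ids such as node:fs."""
    if specifier.startswith(("./", "../", "/", "#")) or ":" in specifier:
        return None
    parts = specifier.split("/")
    if specifier.startswith("@"):
        return "/".join(parts[:2]) if len(parts) >= 2 else None
    return parts[0]


def declared_deps(pkg):
    names = set()
    for field in DEP_FIELDS:
        names.update(pkg.get(field, {}))
    return names


def direct_requires(sources):
    """Package names reached by a literal require() in any source file."""
    names = set()
    for text in sources.values():
        for spec in REQUIRE_RE.findall(text):
            name = package_name(spec)
            if name:
                names.add(name)
    return names


def imports_map_targets(pkg):
    """package name -> sorted list of 'key [cond/cond]' paths that target it."""
    found = {}

    def walk(key, value, conds):
        if isinstance(value, str):
            name = package_name(value)
            if name:
                found.setdefault(name, set()).add("%s [%s]" % (key, "/".join(conds) or "default"))
        elif isinstance(value, dict):            # condition object, may nest
            for cond, inner in value.items():
                walk(key, inner, conds + [cond])
        elif isinstance(value, list):            # fallback array
            for inner in value:
                walk(key, inner, conds)

    for key, value in pkg.get("imports", {}).items():
        walk(key, value, [])
    return {n: sorted(p) for n, p in found.items()}


def phantom_report(pkg, sources):
    """phantom: required directly, not declared, not built in.
    conditional: not declared, reached only as an imports-map target.
    unused: declared but never required or mapped."""
    declared = declared_deps(pkg)
    direct = direct_requires(sources)
    mapped = imports_map_targets(pkg)
    phantom = sorted(n for n in direct if n not in declared and n not in NODE_BUILTINS)
    conditional = {n: p for n, p in mapped.items()
                   if n not in declared and n not in NODE_BUILTINS and n not in direct}
    unused = sorted(declared - direct - set(mapped))
    return {"phantom": phantom, "conditional": conditional, "unused": unused}


# Constructed sample, not udx-native's real manifest or code.
SAMPLE_PKG = {
    "name": "udx-native",
    "dependencies": {"streamx": "^2.0.0", "b4a": "^1.0.0", "unused-helper": "^1.0.0"},
    "imports": {"#events": {"bare": "bare-events", "default": "events"}},
}
SAMPLE_SOURCES = {
    "index.js": "const EventEmitter = require('#events')\n"
                "const b4a = require('b4a')\n"
                "const { Duplex } = require('streamx')\n"
                "const helper = require('some-undeclared-helper')\n"
                "const fs = require('node:fs')\n",
}

if __name__ == "__main__":
    for bucket, hits in phantom_report(SAMPLE_PKG, SAMPLE_SOURCES).items():
        print(bucket, hits)
```

On the constructed sample the `conditional` bucket holds only `bare-events`, reached through `#events [bare]`, while `some-undeclared-helper` lands in `phantom`. Whether a conditional hit is acceptable is a per-runtime decision (what resolves that condition, and what ships it), which is exactly the judgement the accepted-risk row records; the split just keeps it from being conflated with a genuine undeclared require.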
Versions (showing 14 of 14)
| Version | Deps | Published |
|---|---|---|
| 1.20.6 | 4 / 10 | |
| 1.20.5 | 4 / 10 | |
| 1.20.4 | 4 / 10 | |
| 1.20.3 | 4 / 10 | |
| 1.20.2 | 4 / 10 | |
| 1.20.1 | 4 / 10 | |
| 1.20.0 | 4 / 10 | |
| 1.19.2 | 4 / 9 | |
| 1.19.1 | 4 / 8 | |
| 1.19.0 | 4 / 8 | |
| 1.18.3 | 4 / 8 | |
| 1.18.2 | 4 / 8 | |
| 1.18.1 | 4 / 8 | |
| 1.18.0 | 4 / 8 | |
v1.20.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.20.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.20.4
2 findings: This version was published by a different npm account than previous versions on 2026-04-10. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.20.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.20.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.19.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.19.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.