Supply Chain

Our guarantee

Every critical vulnerability in any of our open-source dependencies is published here the moment Dependabot flags it. Package, advisory, and our patch status. In public.

The threat model

Most modern code is third-party code. A vulnerability in any transitive dependency can become a vulnerability in our verification pipeline. The integrity guarantee depends on every link in that chain holding.

How it’s enforced

GitHub Dependabot scans every one of our active repos daily against the GitHub Advisory Database. Critical-severity advisories surface to this page automatically; lower severities are triaged internally on a rolling basis.

How you verify

The live table below lists every open critical advisory across every active repo, linked directly to its GHSA entry on GitHub. The full report, including lower-severity issues, is available under NDA.

What you still trust

The GitHub Advisory Database's coverage, and the open-source maintainers we depend on. We pin versions and react to advisories as they appear, but we cannot prevent supply-chain attacks at their source.

Last checked: 21h ago

reclaim-js-sdkreclaim-logs-backendreclaim-inapp-sdkpopcornreclaim-portalattestor-corereclaim-sdk-backendreclaim-devtool-backendreclaim-teereclaim-tee-operator-flutter

JunJulAug

Monitoring started · May 8Aug 5

Today · Jun 24· 42 days ahead are placeholders for future runs

Checks run daily · 47 daily runs on record.

Has non-critical issues

Last checked: 6/23/2026

We scanned 10 repositories and found no critical vulnerabilities. We identified 69 high-severity and 61 lower-severity issues across our dependencies, primarily in WebSocket handling and Next.js middleware. Patches are in progress.