Supply Chain

Our guarantee

Every critical vulnerability in any of our open-source dependencies is published here the moment Dependabot flags it. Package, advisory, and our patch status. In public.

The threat model

Most modern code is third-party code. A vulnerability in any transitive dependency can become a vulnerability in our verification pipeline. The integrity guarantee depends on every link in that chain holding.

How it’s enforced

GitHub Dependabot scans every one of our active repos daily against the GitHub Advisory Database. Critical-severity advisories surface to this page automatically; lower severities are triaged internally on a rolling basis.

How you verify

The live table below lists every open critical advisory across every active repo, linked directly to its GHSA entry on GitHub. The full report, including lower-severity issues, is available under NDA.

What you still trust

The GitHub Advisory Database's coverage, and the open-source maintainers we depend on. We pin versions and react to advisories as they appear, but we cannot prevent supply-chain attacks at their source.

Last checked: 7h ago

reclaim-js-sdkreclaim-logs-backendreclaim-inapp-sdkpopcornreclaim-portalattestor-corereclaim-sdk-backendreclaim-devtool-backendreclaim-teereclaim-tee-operator-flutter

JunJulAug

Monitoring started · May 8Aug 5

Today · Jun 17· 49 days ahead are placeholders for future runs

Checks run daily · 41 daily runs on record.

Has non-critical issues

Last checked: 6/17/2026

We scanned 10 repositories and found no critical vulnerabilities. We identified 68 warnings and 62 minor issues across our dependencies. Our team is actively addressing high-priority items including build tool integrity, routing security, and request handling. Patches are in p…