@bitgo/passkey-crypto
Pure cryptographic primitives for BitGo passkey (WebAuthn PRF) key derivation
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | no-description | AI (npm-metadata): Name-reservation placeholder; missing description is expected at v0.0.1 for @bitgo scope. | ai | |
| provenance | no-provenance | AI (provenance): Common for @bitgo packages published by bitgobot. | ai | |
| source-diff | obfuscated-file:dist/test/unit/base64url.test.js | AI (source-diff): Inline source map in compiled test file; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/src/derivePasskeyPrfKey.js | AI (source-diff): Inline source map in compiled source file; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/derivePasskeyPrfKey.test.js | AI (source-diff): Inline source map in compiled test file; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/integration/helpers/mockBitGo.js | AI (source-diff): Inline source map in compiled integration helper; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/integration/helpers/mockProvider.js | AI (source-diff): Inline source map in compiled integration helper; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/src/attachPasskeyToWallet.js | AI (source-diff): Long lines are inline source maps (base64 sourceMappingURL), not obfuscation. Standard TS compile output. | ai | |
| source-diff | obfuscated-file:dist/src/registerPasskey.js | AI (source-diff): Inline source map in compiled source file; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/registerPasskey.test.js | AI (source-diff): Inline source map in compiled test file; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/removePasskeyFromAccount.test.js | AI (source-diff): Inline source map in compiled test file; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/removePasskeyFromWallet.test.js | AI (source-diff): Inline source map in compiled test file; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/integration/passkeyLifecycle.test.js | AI (source-diff): Inline source map in compiled integration test; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/attachPasskeyToWallet.test.js | AI (source-diff): Inline source map in compiled test file; not obfuscation. | ai | |
Versions (showing 9 of 9)
| Version | Deps | Published |
|---|---|---|
| 0.4.4 | 2 / 2 | |
| 0.4.3 | 2 / 2 | |
| 0.4.2 | 2 / 2 | |
| 0.4.1 | 2 / 2 | |
| 0.4.0 | 2 / 2 | |
| 0.3.1 | 2 / 2 | |
| 0.3.0 | 2 / 2 | |
| 0.2.0 | 2 / 1 | |
| 0.0.1 | 0 / 0 | |
v0.4.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.0
13 findings:
12 × (one per newly added file) Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.