@bitgo/sdk-coin-algo
BitGo SDK coin library for Algorand
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | encoded-string-file:dist/test/fixtures/resources.d.ts | AI (source-diff): TypeScript declaration file mirroring the same Algorand test fixture hex strings; benign. | ai | |
| source-diff | encoded-string-file:dist/test/fixtures/resources.js | AI (source-diff): Long hex strings are Algorand transaction test fixtures (msgpack-encoded txns), not obfuscated payloads. | ai | |
| provenance | publisher-changed | AI (provenance): BitGo migrated publishing to GitHub Actions CI/CD; SLSA attestation confirms integrity. Stable pattern for this package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): louib-bitgo is a BitGo org account; addition consistent with normal team maintenance of the BitGoJS monorepo. | ai | |
| source-diff | obfuscated-file:dist/test/fixtures/resources.js | AI (source-diff): TypeScript-compiled test fixtures; long lines are inline test data. | ai | |
| source-diff | obfuscated-file:dist/test/unit/algoIsWalletAddress.js | AI (source-diff): TypeScript-compiled test file; long lines are test case arrays. | ai | |
| source-diff | obfuscated-file:dist/test/unit/lib/transactionBuilder/keyRegistrationBuilder.js | AI (source-diff): TypeScript-compiled test file; standard TS boilerplate. | ai | |
| source-diff | obfuscated-file:dist/test/unit/lib/keyPair.js | AI (source-diff): TypeScript-compiled test file; standard TS boilerplate. | ai | |
| source-diff | obfuscated-file:dist/test/unit/lib/transactionBuilder/base.js | AI (source-diff): TypeScript-compiled test file; standard TS boilerplate. | ai | |
| source-diff | obfuscated-file:dist/test/unit/lib/utils.js | AI (source-diff): TypeScript-compiled test file; standard TS boilerplate. | ai | |
| source-diff | obfuscated-file:dist/test/unit/algoToken.js | AI (source-diff): TypeScript-compiled test file; standard TS boilerplate. | ai | |
| source-diff | obfuscated-file:dist/test/integration/algo.integration.js | AI (source-diff): TypeScript-compiled test file; long lines are test data arrays, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/fixtures/algo.js | AI (source-diff): TypeScript-compiled test fixtures; long lines are inline test data objects. | ai | |
| source-diff | obfuscated-file:dist/test/unit/algo.js | AI (source-diff): TypeScript-compiled test file; standard TS boilerplate with test data. | ai | |
| source-diff | obfuscated-file:dist/test/unit/lib/transactionBuilder/assetTransferBuilder.js | AI (source-diff): TypeScript-compiled test file; standard TS boilerplate. | ai | |
| source-diff | obfuscated-file:dist/test/unit/lib/transactionBuilder/transferBuilder.js | AI (source-diff): TypeScript-compiled test file; standard TS boilerplate. | ai | |
| source-diff | obfuscated-file:dist/test/unit/lib/transactionBuilder/transactionBuilderFactory.js | AI (source-diff): TypeScript-compiled test file; standard TS boilerplate. | ai | |
| source-diff | obfuscated-file:dist/test/unit/lib/transaction.js | AI (source-diff): TypeScript-compiled test file; standard TS boilerplate. | ai | |
| source-diff | encoded-string-file:dist/test/unit/algo.js | AI (source-diff): Long base64 strings are Algorand transaction fixtures in test files; stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/src/lib/transactionBuilderFactory.js | AI (source-diff): Standard TypeScript compiled output. | ai | |
| source-diff | obfuscated-file:dist/src/algo.js | AI (source-diff): Standard TypeScript compiled output; long lines from TS boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/src/algoToken.js | AI (source-diff): Standard TypeScript compiled output. | ai | |
| source-diff | obfuscated-file:dist/src/lib/assetTransferBuilder.js | AI (source-diff): Standard TypeScript compiled output. | ai | |
| source-diff | obfuscated-file:dist/src/lib/keyPair.js | AI (source-diff): Standard TypeScript compiled output. | ai | |
| source-diff | obfuscated-file:dist/src/lib/keyRegistrationBuilder.js | AI (source-diff): Standard TypeScript compiled output. | ai | |
| source-diff | obfuscated-file:dist/src/lib/seedEncoding.js | AI (source-diff): Standard TypeScript compiled output. | ai | |
| source-diff | obfuscated-file:dist/src/seedValidator.js | AI (source-diff): Standard TypeScript compiled output. | ai | |
| source-diff | obfuscated-file:dist/src/lib/transaction.js | AI (source-diff): Standard TypeScript compiled output. | ai | |
| source-diff | obfuscated-file:dist/src/lib/transactionBuilder.js | AI (source-diff): Standard TypeScript compiled output. | ai | |
| source-diff | obfuscated-file:dist/src/lib/transferBuilder.js | AI (source-diff): Standard TypeScript compiled output. | ai | |
| source-diff | obfuscated-file:dist/src/lib/txnSchema.js | AI (source-diff): Standard TypeScript compiled output. | ai | |
| source-diff | obfuscated-file:dist/src/lib/utils.js | AI (source-diff): Standard TypeScript compiled output. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New dist/ files are TS build artifacts for a new package version; expected for BitGo SDK modules. | ai | |
| source-diff | source-size-tripled | AI (source-diff): First version with compiled dist/ output included; size increase reflects TS build artifacts, not injected payloads. | ai | |
| source-diff | obfuscated-file:dist/test/unit/verifyTransaction.js | AI (source-diff): Compiled TypeScript test output; long lines are TS boilerplate, not obfuscation. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@hashgraph/cryptography | AI (phantom-deps): Legitimate runtime dep in a TS package; phantom-dep heuristic fires on compiled output. | ai | |
| phantom-deps | phantom-dep:@stablelib/hex | AI (phantom-deps): Legitimate runtime dep in a TS package; phantom-dep heuristic fires on compiled output. | ai | |
| phantom-deps | phantom-dep:@bitgo/sdk-core | AI (phantom-deps): Same-org dep; phantom-dep heuristic fires on compiled output. | ai | |
| phantom-deps | phantom-dep:@bitgo/statics | AI (phantom-deps): Same-org dep; phantom-dep heuristic fires on compiled output. | ai | |
| phantom-deps | phantom-dep:bignumber.js | AI (phantom-deps): Legitimate runtime dep in a TS package; phantom-dep heuristic fires on compiled output. | ai | |
| phantom-deps | phantom-dep:stellar-sdk | AI (phantom-deps): Legitimate runtime dep in a TS package; phantom-dep heuristic fires on compiled output. | ai | |
| phantom-deps | phantom-dep:tweetnacl | AI (phantom-deps): Legitimate runtime dep in a TS package; phantom-dep heuristic fires on compiled output. | ai | |
| phantom-deps | phantom-dep:js-sha512 | AI (phantom-deps): Legitimate runtime dep in a TS package; phantom-dep heuristic fires on compiled output. | ai | |
| phantom-deps | phantom-dep:hi-base32 | AI (phantom-deps): Legitimate runtime dep in a TS package; phantom-dep heuristic fires on compiled output. | ai | |
| phantom-deps | phantom-dep:algosdk | AI (phantom-deps): Core Algorand SDK dep; phantom-dep heuristic fires on compiled output. | ai | |
| phantom-deps | phantom-dep:joi | AI (phantom-deps): Legitimate runtime dep in a TS package; phantom-dep heuristic fires on compiled output. | ai | |
| phantom-deps | phantom-dep:lodash | AI (phantom-deps): Legitimate runtime dep in a TS package; phantom-dep heuristic fires on compiled output. | ai | |
| provenance | no-provenance | AI (provenance): BitGo monorepo packages consistently lack Sigstore provenance; stable false positive for this package family. | ai | |
| dependencies | unvetted-dep:@bitgo/sdk-core | AI (dependencies): Sibling package in the BitGo monorepo; same publisher and trust chain as this package. | ai | |
Versions (showing 51 of 76)
| Version | Deps | Published |
|---|---|---|
| 2.12.0 | 12 / 4 | |
| 2.11.3 | 12 / 4 | |
| 2.11.2 | 12 / 4 | |
| 2.11.1 | 12 / 4 | |
| 2.11.0 | 12 / 4 | |
| 2.10.9 | 12 / 4 | |
| 2.10.8 | 12 / 4 | |
| 2.10.7 | 12 / 4 | |
| 2.10.6 | 12 / 4 | |
| 2.10.5 | 12 / 4 | |
| 2.10.4 | 12 / 4 | |
| 2.10.3 | 12 / 4 | |
| 2.10.2 | 12 / 4 | |
| 2.10.1 | 12 / 4 | |
| 2.10.0 | 12 / 4 | |
| 2.9.9 | 12 / 4 | |
| 2.9.8 | 12 / 4 | |
| 2.9.7 | 12 / 4 | |
| 2.9.6 | 12 / 4 | |
| 2.9.5 | 12 / 4 | |
| 2.9.4 | 12 / 4 | |
| 2.9.3 | 12 / 4 | |
| 2.9.2 | 12 / 4 | |
| 2.9.1 | 12 / 4 | |
| 2.9.0 | 12 / 4 | |
| 2.8.12 | 12 / 4 | |
| 2.8.10 | 12 / 4 | |
| 2.8.9 | 12 / 4 | |
| 2.8.8 | 12 / 4 | |
| 2.8.7 | 12 / 4 | |
| 2.8.6 | 12 / 4 | |
| 2.8.5 | 12 / 4 | |
| 2.8.4 | 12 / 4 | |
| 2.8.3 | 12 / 4 | |
| 2.8.2 | 12 / 4 | |
| 2.8.1 | 12 / 4 | |
| 2.8.0 | 12 / 4 | |
| 2.7.0 | 12 / 4 | |
| 2.6.2 | 12 / 4 | |
| 2.6.1 | 12 / 4 | |
| 2.6.0 | 12 / 4 | |
| 2.5.7 | 12 / 4 | |
| 2.5.6 | 12 / 4 | |
| 2.5.5 | 12 / 4 | |
| 2.5.4 | 12 / 4 | |
| 2.5.3 | 12 / 4 | |
| 2.5.2 | 12 / 4 | |
| 2.5.1 | 12 / 4 | |
| 2.5.0 | 12 / 4 | |
| 2.4.4 | 12 / 4 | |
| 2.4.3 | 12 / 4 | |
v2.12.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.11.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.11.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.11.1
2 findings
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.11.0
2 findings
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.10.9
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.10.8
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.10.7
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.10.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.10.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.10.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.10.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.10.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.10.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.10.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.9.9
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.9.8
2 findings
This version was published by a different npm account than previous versions on 2026-03-18. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.9.7
2 findings
This version was published by a different npm account than previous versions on 2026-03-10. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.9.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.9.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.9.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.9.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.9.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.9.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.9.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.8.12
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.8.10
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.9
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.8
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.8.7
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.8.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.8.5
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.4
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.8.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.8.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.0
3 findings
Modified file contains 15 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 15 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6.1
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.7
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.4
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.5.3
15 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (This finding is reported 14 times for this version.)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.5.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.4
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (pranavjain) than the most recent previously approved version (zahin-mohammad) on 2025-09-03, but pranavjain is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v2.4.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.