@bitgo/sdk-coin-avaxc
BitGo SDK coin library for Avalanche c-chain
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/test/resources/avaxc.d.ts | AI (source-diff): TypeScript declaration file for test resources; long lines from exported hex constants. | ai | |
| source-diff | obfuscated-file:dist/test/unit/avaxcToken.js | AI (source-diff): Compiled TypeScript test file; long lines are normal for bundled test output. | ai | |
| source-diff | obfuscated-file:dist/test/unit/helpers.js | AI (source-diff): Test helper with ABI definitions; long lines from JSON ABI data, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/keyPair.js | AI (source-diff): Compiled TypeScript test file for key pair tests; no malicious content. | ai | |
| source-diff | obfuscated-file:dist/test/unit/transactionBuilder/transfer.js | AI (source-diff): Compiled TypeScript test file; standard TS boilerplate causes long lines. | ai | |
| source-diff | obfuscated-file:dist/test/unit/transferBuilder.js | AI (source-diff): Compiled TypeScript test file; standard TS boilerplate causes long lines. | ai | |
| source-diff | obfuscated-file:dist/test/unit/util.js | AI (source-diff): Compiled TypeScript test file for utility tests; no malicious content. | ai | |
| source-diff | obfuscated-file:dist/test/unit/transactionBuilder/walletInitializationBuilder.js | AI (source-diff): Compiled TypeScript test file; long lines from test data/boilerplate. | ai | |
| source-diff | obfuscated-file:dist/test/resources/avaxc.js | AI (source-diff): Long lines are hex-encoded Ethereum tx fixtures in test resources, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/test/unit/avaxc.js | AI (source-diff): Compiled TypeScript test file with standard TS boilerplate; long lines from test data. | ai | |
| provenance | publisher-changed | AI (provenance): BitGo migrated publishing to GitHub Actions CI/CD with SLSA attestation; stable pattern for this org going forward. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): louib-bitgo is a BitGo org member; addition consistent with normal team management for this established package. | ai | |
| provenance | no-provenance | AI (provenance): BitGo SDK packages consistently publish without Sigstore provenance; stable false positive for this package family. | ai | |
| dependencies | unvetted-dep:@bitgo/abstract-eth | AI (dependencies): Internal BitGo monorepo dependency; stable pattern across all @bitgo/sdk-coin-* packages. | ai | |
| dependencies | unvetted-dep:@bitgo/sdk-coin-avaxp | AI (dependencies): Internal BitGo monorepo dependency; stable pattern across all @bitgo/sdk-coin-* packages. | ai | |
| dependencies | unvetted-dep:@bitgo/sdk-coin-eth | AI (dependencies): Internal BitGo monorepo dependency; stable pattern across all @bitgo/sdk-coin-* packages. | ai | |
| dependencies | unvetted-dep:@bitgo/sdk-core | AI (dependencies): Internal BitGo monorepo dependency; stable pattern across all @bitgo/sdk-coin-* packages. | ai | |
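The ten obfuscated-file acceptances above all turn on the same question: is a line over 3000 characters a hex fixture or an embedded JSON ABI (harmless), or genuinely minified or obfuscated code? The block below is an added example, not the scanner's code and not anything from @bitgo/sdk-coin-avaxc: it reproduces the long-line check over a constructed set of package files and attaches a triage label to each hit so a reviewer can see at a glance which hits need a human look. The file names, contents and the 3000-character threshold are the only things taken from this page; the triage rules and labels are this example's own.

```javascript
// Added example: the "obfuscated-file" long-line heuristic with a triage
// step. Not the scanner's implementation; sample files are constructed.
const LONG_LINE = 3000; // threshold quoted in the findings on this page

// Strip a leading `exports.x = ` / `export const x = ` / `var x = ` assignment
// and a trailing semicolon so the value itself can be inspected.
function valueOf(line) {
  return line
    .trim()
    .replace(/^(?:module\.)?exports\.\w+\s*=\s*/, '')
    .replace(/^(?:export\s+)?(?:declare\s+)?(?:const|let|var)\s+\w+(?:\s*:\s*[\w\[\]<>, ]+)?\s*=\s*/, '')
    .replace(/;\s*$/, '');
}

// Label one long line. 'hex-fixture' and 'json-data' are the two benign
// shapes accepted above; anything else is handed to a reviewer, with
// 'suspect-obfuscated' when classic obfuscator fingerprints are present.
function explainLongLine(line) {
  const raw = line.trim();
  const body = valueOf(line);
  if (/^['"`]?(?:0x)?[0-9a-fA-F]{32,}['"`]?$/.test(body)) return 'hex-fixture';
  if (/^[\[{]/.test(body)) {
    try {
      JSON.parse(body);
      return 'json-data';
    } catch {
      // not plain JSON; fall through to the code heuristics
    }
  }
  const fingerprints = [
    /\beval\s*\(/, /\bFunction\s*\(/, /\batob\s*\(/,
    /\\x[0-9a-f]{2}/i, /_0x[0-9a-f]{4,}/i, /String\.fromCharCode/,
  ];
  const hits = fingerprints.filter((re) => re.test(raw)).length;
  return hits >= 2 ? 'suspect-obfuscated' : 'suspect-minified';
}

// Walk a map of path -> file content and report every line over the
// threshold together with its triage label.
function scanFiles(files, threshold = LONG_LINE) {
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    content.split('\n').forEach((line, i) => {
      if (line.length > threshold) {
        findings.push({ path, line: i + 1, length: line.length, label: explainLongLine(line) });
      }
    });
  }
  return findings;
}

// Constructed sample package (not the real tarball). The first two mimic the
// accepted cases above; the third is the kind of file that must not be waved
// through on the strength of "compiled test output".
const abi = Array.from({ length: 40 }, (_, i) => ({
  type: 'function', name: `method${i}`, inputs: [{ name: 'to', type: 'address' }], outputs: [],
}));
const SAMPLE_FILES = {
  'dist/test/resources/avaxc.js': `"use strict";\nexports.signedTx = '0x${'ab'.repeat(1600)}';\n`,
  'dist/test/unit/helpers.js': `exports.abi = ${JSON.stringify(abi)};\n`,
  'dist/src/postinstall.js':
    `var _0x4f2a=['\\x68\\x74\\x74\\x70'];(function(){eval(String.fromCharCode(${Array(900).fill(104).join(',')}))})();\n`,
  'dist/src/index.js': 'module.exports = require("./avaxc");\n',
};

console.log(scanFiles(SAMPLE_FILES));
```

Only the `suspect-*` labels need a reviewer; a hex fixture or a parseable JSON blob can be accepted mechanically, which is what the ten rows above did by hand. The fingerprint list is deliberately short; a reviewer would extend it with whatever their own obfuscator corpus shows.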
Versions (showing 51 of 75)
| Version | Deps | Published |
|---|---|---|
| 6.8.4 | 14 / 4 | |
| 6.8.3 | 14 / 4 | |
| 6.8.2 | 14 / 4 | |
| 6.8.1 | 14 / 4 | |
| 6.8.0 | 14 / 4 | |
| 6.7.9 | 14 / 4 | |
| 6.7.8 | 14 / 4 | |
| 6.7.7 | 14 / 4 | |
| 6.7.6 | 14 / 4 | |
| 6.7.5 | 14 / 4 | |
| 6.7.4 | 14 / 4 | |
| 6.7.3 | 14 / 4 | |
| 6.7.2 | 14 / 4 | |
| 6.7.1 | 14 / 4 | |
| 6.7.0 | 14 / 4 | |
| 6.6.0 | 14 / 4 | |
| 6.5.8 | 14 / 4 | |
| 6.5.7 | 14 / 4 | |
| 6.5.6 | 14 / 4 | |
| 6.5.5 | 14 / 4 | |
| 6.5.4 | 14 / 4 | |
| 6.5.3 | 14 / 4 | |
| 6.5.2 | 14 / 4 | |
| 6.5.1 | 14 / 4 | |
| 6.5.0 | 14 / 4 | |
| 6.4.24 | 14 / 4 | |
| 6.4.22 | 14 / 4 | |
| 6.4.21 | 14 / 4 | |
| 6.4.20 | 14 / 4 | |
| 6.4.19 | 14 / 4 | |
| 6.4.18 | 14 / 4 | |
| 6.4.17 | 14 / 4 | |
| 6.4.16 | 14 / 4 | |
| 6.4.15 | 14 / 4 | |
| 6.4.14 | 14 / 4 | |
| 6.4.13 | 14 / 4 | |
| 6.4.12 | 14 / 4 | |
| 6.4.11 | 14 / 4 | |
| 6.4.10 | 14 / 4 | |
| 6.4.9 | 14 / 4 | |
| 6.4.8 | 14 / 4 | |
| 6.4.7 | 14 / 4 | |
| 6.4.6 | 14 / 4 | |
| 6.4.5 | 14 / 4 | |
| 6.4.4 | 14 / 4 | |
| 6.4.3 | 14 / 4 | |
| 6.4.2 | 14 / 4 | |
| 6.4.1 | 14 / 4 | |
| 6.4.0 | 14 / 4 | |
| 6.3.4 | 14 / 4 | |
| 6.3.3 | 14 / 4 | |
v6.8.4 (1 finding)
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply-chain integrity signal npm offers: the attestation ties the published tarball to a specific source commit and CI workflow run.
v6.8.3 (1 finding)
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply-chain integrity signal npm offers: the attestation ties the published tarball to a specific source commit and CI workflow run.
v6.8.2 (1 finding)
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply-chain integrity signal npm offers: the attestation ties the published tarball to a specific source commit and CI workflow run.
v6.8.1 (1 finding)
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply-chain integrity signal npm offers: the attestation ties the published tarball to a specific source commit and CI workflow run.
v6.8.0 (1 finding)
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply-chain integrity signal npm offers: the attestation ties the published tarball to a specific source commit and CI workflow run.
v6.7.9 (1 finding)
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply-chain integrity signal npm offers: the attestation ties the published tarball to a specific source commit and CI workflow run.
v6.7.8 (1 finding)
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply-chain integrity signal npm offers: the attestation ties the published tarball to a specific source commit and CI workflow run.
v6.7.7 (1 finding)
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply-chain integrity signal npm offers: the attestation ties the published tarball to a specific source commit and CI workflow run.
v6.7.6 (1 finding)
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply-chain integrity signal npm offers: the attestation ties the published tarball to a specific source commit and CI workflow run.
v6.7.5 (1 finding)
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply-chain integrity signal npm offers: the attestation ties the published tarball to a specific source commit and CI workflow run.
v6.7.4 (1 finding)
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply-chain integrity signal npm offers: the attestation ties the published tarball to a specific source commit and CI workflow run.
v6.7.3 (1 finding)
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply-chain integrity signal npm offers: the attestation ties the published tarball to a specific source commit and CI workflow run.
v6.7.2 (1 finding)
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply-chain integrity signal npm offers: the attestation ties the published tarball to a specific source commit and CI workflow run.
v6.7.1 (1 finding)
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply-chain integrity signal npm offers: the attestation ties the published tarball to a specific source commit and CI workflow run.
v6.7.0 (1 finding)
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply-chain integrity signal npm offers: the attestation ties the published tarball to a specific source commit and CI workflow run.
v6.6.0 (1 finding)
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply-chain integrity signal npm offers: the attestation ties the published tarball to a specific source commit and CI workflow run.
v6.5.8 (2 findings)
This version was published on 2026-03-18 by a different npm account than previous versions. This could indicate either a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply-chain integrity signal npm offers: the attestation ties the published tarball to a specific source commit and CI workflow run.
v6.5.7 (2 findings)
This version was published on 2026-03-10 by a different npm account than previous versions. This could indicate either a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply-chain integrity signal npm offers: the attestation ties the published tarball to a specific source commit and CI workflow run.
v6.5.6 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v6.5.5 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v6.5.4 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v6.5.3 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v6.5.2 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v6.5.1 (1 finding)
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.5.0 (1 finding)
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.4.24 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v6.4.22 (1 finding)
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.4.21 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v6.4.20 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v6.4.19 (1 finding)
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.4.18 (1 finding)
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.4.17 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v6.4.16 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v6.4.15 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v6.4.14 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v6.4.13 (1 finding)
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.4.12 (1 finding)
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.4.11 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v6.4.10 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v6.4.9 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v6.4.8 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v6.4.7 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v6.4.6 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v6.4.5 (1 finding)
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.4.4 (1 finding)
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.4.3 (11 findings)
10 × Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (One identical finding per newly added file.)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v6.4.2 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v6.4.1 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v6.4.0 (1 finding)
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.3.4 (2 findings)
This version was published on 2025-09-03 by a different npm account than previous versions. This could indicate either a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v6.3.3 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
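Two of the per-version findings above, "published by a different npm account than previous versions" and "Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1)", are checks a consumer can reproduce from registry metadata and from the decoded attestation. The block below is an added example, not the scanner's code and not BitGo's: it runs the publisher-change check over a constructed packument excerpt and a policy check over a constructed, already-decoded SLSA v1 provenance statement. The version numbers and the three publish dates come from this page; the account names, digests, the repository URL (a placeholder) and the builder ids (the ids npm's provenance generator records for GitHub Actions runners, to be confirmed against a real attestation) are assumptions. Verifying the Sigstore signature on the real bundle is left to `npm audit signatures`; this is the policy layer on top of that.

```javascript
// Added example: publisher-change detection and SLSA v1 provenance policy
// checks over constructed data. Not the scanner's or BitGo's code.

// Constructed packument excerpt (shape of the npm registry document).
// Flagged versions and their dates are from this page; everything else here
// is invented for the example.
const PACKUMENT = {
  name: '@bitgo/sdk-coin-avaxc',
  time: {
    '6.3.3': '2025-08-20T00:00:00.000Z', // invented date
    '6.3.4': '2025-09-03T00:00:00.000Z',
    '6.5.7': '2026-03-10T00:00:00.000Z',
    '6.5.8': '2026-03-18T00:00:00.000Z',
  },
  versions: {
    '6.3.3': { _npmUser: { name: 'publisher-a' }, dist: {} },
    '6.3.4': { _npmUser: { name: 'publisher-b' }, dist: {} },
    '6.5.7': { _npmUser: { name: 'publisher-c' }, dist: { attestations: { provenance: { predicateType: 'https://slsa.dev/provenance/v1' } } } },
    '6.5.8': { _npmUser: { name: 'publisher-d' }, dist: { attestations: { provenance: { predicateType: 'https://slsa.dev/provenance/v1' } } } },
  },
};

// Walk versions in publish order and report every one whose publishing
// account differs from the version published just before it.
function publisherChanges(packument) {
  const ordered = Object.keys(packument.versions)
    .sort((a, b) => Date.parse(packument.time[a]) - Date.parse(packument.time[b]));
  const changes = [];
  let previous = null;
  for (const version of ordered) {
    const user = packument.versions[version]._npmUser?.name ?? '(unknown)';
    if (previous !== null && user !== previous) {
      changes.push({ version, from: previous, to: user, date: packument.time[version].slice(0, 10) });
    }
    previous = user;
  }
  return changes;
}

// True when the registry records a provenance attestation for the version.
function hasProvenance(packument, version) {
  return Boolean(packument.versions[version]?.dist?.attestations?.provenance?.predicateType);
}

// dist.integrity is "sha512-<base64>"; the attestation subject carries hex.
function integrityToHex(integrity) {
  const [algo, b64] = integrity.split('-', 2);
  if (algo !== 'sha512') throw new Error(`expected sha512 integrity, got ${algo}`);
  return Buffer.from(b64, 'base64').toString('hex');
}

// Constructed, already-decoded in-toto statement with a SLSA v1 predicate.
// Repository and digests are placeholders, not values from a real attestation.
const TARBALL_SHA512_HEX = 'deadbeef'.repeat(16);
const TARBALL_INTEGRITY = 'sha512-' + Buffer.from(TARBALL_SHA512_HEX, 'hex').toString('base64');
const STATEMENT = {
  _type: 'https://in-toto.io/Statement/v1',
  subject: [{ name: 'pkg:npm/%40bitgo/sdk-coin-avaxc@6.8.4', digest: { sha512: TARBALL_SHA512_HEX } }],
  predicateType: 'https://slsa.dev/provenance/v1',
  predicate: {
    buildDefinition: {
      buildType: 'https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1',
      externalParameters: {
        workflow: { ref: 'refs/heads/master', repository: 'https://github.com/example-org/example-monorepo', path: '.github/workflows/publish.yml' },
      },
      resolvedDependencies: [{ uri: 'git+https://github.com/example-org/example-monorepo@refs/heads/master', digest: { gitCommit: '0'.repeat(40) } }],
    },
    runDetails: {
      builder: { id: 'https://github.com/actions/runner/github-hosted' },
      metadata: { invocationId: 'https://github.com/example-org/example-monorepo/actions/runs/1/attempts/1' },
    },
  },
};

// What the consumer is willing to accept: package, version, source repo and
// builder. The builder ids are an assumption to confirm against real data.
const POLICY = {
  packageName: '@bitgo/sdk-coin-avaxc',
  version: '6.8.4',
  repository: 'https://github.com/example-org/example-monorepo',
  builderIds: ['https://github.com/actions/runner/github-hosted', 'https://github.com/actions/runner/self-hosted'],
};

// Returns a list of policy violations; empty means the statement is acceptable.
function checkProvenance(statement, policy, tarballSha512Hex) {
  const problems = [];
  if (statement._type !== 'https://in-toto.io/Statement/v1') problems.push(`unexpected statement type ${statement._type}`);
  if (statement.predicateType !== 'https://slsa.dev/provenance/v1') problems.push(`unexpected predicate type ${statement.predicateType}`);
  const expected = `pkg:npm/${policy.packageName}@${policy.version}`;
  const subject = (statement.subject || []).find((s) => decodeURIComponent(s.name) === expected);
  if (!subject) problems.push(`no subject for ${expected}`);
  else if (subject.digest?.sha512 !== tarballSha512Hex) problems.push('subject digest does not match the tarball');
  const repo = statement.predicate?.buildDefinition?.externalParameters?.workflow?.repository;
  if (repo !== policy.repository) problems.push(`built from ${repo}, expected ${policy.repository}`);
  const builder = statement.predicate?.runDetails?.builder?.id;
  if (!policy.builderIds.includes(builder)) problems.push(`unexpected builder ${builder}`);
  return problems;
}

console.log('publisher changes:', publisherChanges(PACKUMENT));
console.log('provenance problems:', checkProvenance(STATEMENT, POLICY, integrityToHex(TARBALL_INTEGRITY)));
```

The repository pin is the check that turns a provenance attestation from "built somewhere in CI" into "built from the source I reviewed": an attacker with a stolen npm token can still publish an attested tarball from their own fork, and only the repository and builder comparison catches that.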