@bitgo/sdk-coin-cosmos
BitGo SDK coin library for Cosmos
Supply chain provenance
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/test/unit/cosmosSharedCoin.js | AI (source-diff): Compiled TypeScript test file; long lines are test data/sourcemaps, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/utils.js | AI (source-diff): Compiled TypeScript test file; long lines are test data/sourcemaps, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/testUtils/utils.js | AI (source-diff): Compiled TypeScript test utility; long lines are test data/sourcemaps, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/testUtils/types.js | AI (source-diff): Compiled TypeScript types file; long line is an inline base64 sourcemap, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/transactionBuilder/transferBuilder.js | AI (source-diff): Compiled TypeScript test file; long lines are test data, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/testUtils/generators.js | AI (source-diff): Compiled TypeScript test utility; long lines are test data, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/transactionBuilder/transactionBuilder.js | AI (source-diff): Compiled TypeScript test file; long lines are test data, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/register.js | AI (source-diff): Compiled TypeScript test file; long lines are test data/sourcemaps, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/resources/mantra.js | AI (source-diff): Compiled TypeScript test resource file; long lines are base64 transaction data, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/keyPair.js | AI (source-diff): Compiled TypeScript test file; long lines are test data/sourcemaps, not obfuscation. | ai | |
| provenance | publisher-changed | AI (provenance): BitGo migrated publishing to GitHub Actions CI with SLSA provenance; consistent with org-wide CI pipeline change. | ai | |
| source-diff | obfuscated-file:dist/test/resources/kava.js | AI (source-diff): Long lines are base64-encoded blockchain test transaction data, not obfuscation; pattern is stable for this package. | ai | |
| source-diff | obfuscated-file:dist/test/resources/kavacosmos.js | AI (source-diff): Long lines are base64-encoded Cosmos transaction test vectors, not obfuscated code. | ai | |
| phantom-deps | phantom-dep:@bitgo/abstract-cosmos | AI (phantom-deps): Direct dependency; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@cosmjs/stargate | AI (phantom-deps): Re-exported by @bitgo/abstract-cosmos; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@bitgo/sdk-core | AI (phantom-deps): Re-exported by @bitgo/abstract-cosmos; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@bitgo/statics | AI (phantom-deps): Re-exported by @bitgo/sdk-core; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@cosmjs/amino | AI (phantom-deps): Re-exported by @bitgo/abstract-cosmos; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:bignumber.js | AI (phantom-deps): Re-exported by @bitgo/sdk-core; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@cosmjs/encoding | AI (phantom-deps): Referenced in config files per finding; stable false positive for this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): BitGo SDK packages consistently have minimal READMEs and no keywords; not a spam signal. | ai | |
| phantom-deps | phantom-dep:@bitgo/sdk-api | AI (phantom-deps): Same-org SDK dep; phantom-dep heuristic fires on indirect usage patterns common in BitGo monorepo. | ai | |
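Two of the accepted classes above, obfuscated-file (a line over 3000 characters) and phantom-dep (a module imported but not declared), are heuristics that fire on ordinary compiled TypeScript. The block below is an added example, not code from the scanner or from BitGo, of how a reviewer can re-triage both from the unpacked tarball alone: it separates inline sourcemaps and base64 data literals from lines that actually look like runtime-assembled code, and it lists import specifiers that package.json does not declare, counting devDependencies only for files under a test/ directory. The sample file, the package.json fragment, the regexes and the short built-in module list are constructed for the example.

```javascript
// Added example (not the scanner's or BitGo's code): re-triage two heuristics
// that fired on this package, using only the unpacked tarball contents.

// --- 1. "obfuscated-file": lines over 3000 chars ---------------------------
const LONG_LINE = 3000;
// tsc --inlineSourceMap appends exactly this comment as the last line.
const SOURCEMAP_RE =
  /^\/\/# sourceMappingURL=data:application\/json;(?:charset=[\w-]+;)?base64,[A-Za-z0-9+/=]+\s*$/;
// A quoted literal made only of base64 alphabet (serialized tx, pubkey, ...).
const BASE64_LITERAL_RE = /(['"`])[A-Za-z0-9+/]{64,}={0,2}\1/;
// Hallmarks of code assembled at runtime rather than plain data.
const ESCAPE_RE = /\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}/g;
const DYNAMIC_EXEC_RE = /\beval\s*\(|\bFunction\s*\(|\batob\s*\(/;

function classifyLongLine(line) {
  if (SOURCEMAP_RE.test(line)) return 'inline-sourcemap';
  const escapes = (line.match(ESCAPE_RE) || []).length;
  if (escapes > 20 || DYNAMIC_EXEC_RE.test(line)) return 'suspicious';
  const literal = line.match(BASE64_LITERAL_RE);
  // Treat as data only when the literal is essentially the whole line.
  if (literal && literal[0].length > 0.8 * line.length) return 'base64-literal';
  return 'review-manually';
}

function triageLongLines(source, threshold = LONG_LINE) {
  const out = [];
  source.split('\n').forEach((line, i) => {
    if (line.length > threshold) {
      out.push({ line: i + 1, length: line.length, kind: classifyLongLine(line) });
    }
  });
  return out;
}

// --- 2. "phantom-dep": imported but not declared ---------------------------
const SPECIFIER_RE = /\b(?:require\(\s*|from\s+|import\s+)(['"])([^'"]+)\1/g;
// Partial list for the example; use require('module').builtinModules for real.
const BUILTINS = new Set(['fs', 'path', 'crypto', 'util', 'assert', 'events']);

function packageNameOf(specifier) {
  if (/^(\.|\/|node:)/.test(specifier)) return null; // relative, absolute, node:
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// pkg: parsed package.json; sources: { relativePath: fileContents }
function findPhantomDeps(pkg, sources) {
  const runtime = new Set(Object.keys({ ...pkg.dependencies, ...pkg.peerDependencies, ...pkg.optionalDependencies }));
  const dev = new Set(Object.keys(pkg.devDependencies || {}));
  const phantom = new Map();
  for (const [file, src] of Object.entries(sources)) {
    const isTest = /(^|\/)test\//.test(file);
    for (const m of src.matchAll(SPECIFIER_RE)) {
      const name = packageNameOf(m[2]);
      if (!name || BUILTINS.has(name) || runtime.has(name)) continue;
      if (isTest && dev.has(name)) continue; // devDependencies cover test code only
      if (!phantom.has(name)) phantom.set(name, new Set());
      phantom.get(name).add(file);
    }
  }
  return phantom;
}

// --- constructed sample input (not real package contents) ------------------
const SAMPLE_FILE = [
  '"use strict";',
  'exports.signedTx = "' + 'QUJD'.repeat(800) + '";',                         // base64 test vector
  '//# sourceMappingURL=data:application/json;charset=utf-8;base64,' + 'eyJ2'.repeat(800),
  'var _0x1 = ["' + '\\x41'.repeat(800) + '"]; eval(_0x1[0]);',            // escape blob fed to eval
].join('\n');
const SAMPLE_PKG = {
  dependencies: { '@bitgo/abstract-cosmos': '^1.0.0' },
  devDependencies: { 'bignumber.js': '^9.0.0' },
};
const SAMPLE_SOURCES = {
  'dist/src/lib/utils.js': [
    'const stargate = require("@cosmjs/stargate");',   // transitive only: phantom
    'const base = require("@bitgo/abstract-cosmos");', // declared
    'const path = require("path");',                   // builtin
    'const local = require("./constants");',           // relative
  ].join('\n'),
  'dist/test/unit/keyPair.js': 'import BigNumber from "bignumber.js";\n', // dev dep in test file
};
```

Applied to the sample, the long-line triage reports the base64 test vector and the inline sourcemap as data and only the escape-blob-plus-eval line as suspicious, and the phantom check reports @cosmjs/stargate alone. A base64 literal is not harmless by itself; the reason to keep the eval/atob check ahead of the literal check is that a payload hidden in a data string is decoded and executed somewhere, and that decode site is what to look for next.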
Versions (showing 51 of 57)
| Version | Deps | Published |
|---|---|---|
| 1.9.14 | 8 / 1 | |
| 1.9.13 | 8 / 1 | |
| 1.9.12 | 8 / 1 | |
| 1.9.11 | 8 / 1 | |
| 1.9.10 | 8 / 1 | |
| 1.9.9 | 8 / 1 | |
| 1.9.8 | 8 / 1 | |
| 1.9.7 | 8 / 1 | |
| 1.9.6 | 8 / 1 | |
| 1.9.5 | 8 / 1 | |
| 1.9.4 | 8 / 1 | |
| 1.9.3 | 8 / 1 | |
| 1.9.2 | 8 / 1 | |
| 1.9.1 | 8 / 1 | |
| 1.9.0 | 8 / 1 | |
| 1.8.8 | 8 / 1 | |
| 1.8.7 | 8 / 1 | |
| 1.8.6 | 8 / 1 | |
| 1.8.5 | 8 / 1 | |
| 1.8.4 | 8 / 1 | |
| 1.8.3 | 8 / 1 | |
| 1.8.2 | 8 / 1 | |
| 1.8.1 | 8 / 1 | |
| 1.8.0 | 8 / 1 | |
| 1.7.0 | 8 / 1 | |
| 1.6.24 | 8 / 1 | |
| 1.6.22 | 8 / 1 | |
| 1.6.21 | 8 / 1 | |
| 1.6.20 | 8 / 1 | |
| 1.6.19 | 8 / 1 | |
| 1.6.18 | 8 / 1 | |
| 1.6.17 | 8 / 1 | |
| 1.6.16 | 8 / 1 | |
| 1.6.15 | 8 / 1 | |
| 1.6.14 | 8 / 1 | |
| 1.6.13 | 8 / 1 | |
| 1.6.12 | 8 / 1 | |
| 1.6.11 | 8 / 1 | |
| 1.6.10 | 8 / 1 | |
| 1.6.5 | 8 / 1 | |
| 1.6.4 | 8 / 1 | |
| 1.6.2 | 8 / 1 | |
| 1.6.1 | 8 / 1 | |
| 1.6.0 | 8 / 1 | |
| 1.5.4 | 8 / 1 | |
| 1.5.3 | 8 / 1 | |
| 1.5.2 | 8 / 1 | |
| 1.5.1 | 8 / 1 | |
| 1.5.0 | 8 / 1 | |
| 1.4.4 | 8 / 1 | |
| 1.4.3 | 8 / 1 | |
v1.9.14
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.9.13
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.9.12
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.9.11
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.9.10
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.9.9
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.9.8
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.9.7
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.9.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.9.5
3 findings
This version was published by a different npm account than previous versions on 2026-04-28. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.9.4
3 findings
This version was published by a different npm account than previous versions on 2026-04-22. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.9.3
3 findings
This version was published by a different npm account than previous versions on 2026-04-14. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.9.2
3 findings
This version was published by a different npm account than previous versions on 2026-04-10. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.9.1
3 findings
This version was published by a different npm account than previous versions on 2026-04-08. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.9.0
3 findings
This version was published by a different npm account than previous versions on 2026-03-29. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.8.8
3 findings
This version was published by a different npm account than previous versions on 2026-03-27. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.8.7
3 findings
This version was published by a different npm account than previous versions on 2026-03-18. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.8.6
3 findings
This version was published by a different npm account than previous versions on 2026-03-10. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.8.5
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.4
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.3
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.2
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.1
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.24
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.22
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.21
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.20
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.19
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.18
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.17
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.16
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.15
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.14
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.13
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.12
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.11
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.10
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.6.5
12 findings
This version was published by a different npm account than previous versions on 2025-10-13. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (Reported 10 times, once per newly added file.)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.4
12 findings
This version was published by a different npm account than previous versions on 2025-10-09. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (Reported 10 times, once per newly added file.)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.2
2 findings
This version was published by a different npm account than previous versions on 2025-10-02. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.1
2 findings
This version was published by a different npm account than previous versions on 2025-09-29. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.0
2 findings
This version was published by a different npm account than previous versions on 2025-09-25. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.4
2 findings
This version was published by a different npm account than previous versions on 2025-09-03. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.1
2 findings
This version was published by a different npm account than previous versions on 2025-08-27. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.4
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
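The per-version findings above turn on two facts that a consumer can check rather than take on trust: whether a release carries a Sigstore attestation with the SLSA v1 provenance predicate, and whether the publisher identity changed. A valid signature only proves that some CI workflow built that tarball; what makes it an integrity signal is the policy applied to the decoded statement: the attested digest matches the tarball your lockfile pins, and the build came from the expected repository, on a release ref, on an allowed builder. Once publishing moves to CI, the npm account that uploads is just the CI's token, so the identity worth pinning across versions is the workflow repository and ref, which is what the check below compares. This is an added example, not npm's, Sigstore's or BitGo's code, and it runs after `npm audit signatures` (or sigstore-js) has verified the signature and Rekor entry of the attestation fetched from the registry. The repository URL, builder id, buildType, the purl encoding of the subject name and the digest are constructed assumptions for the sample; compare them against the real attestation for the release you are pinning.

```javascript
// Added example (not npm's, Sigstore's or BitGo's code): policy checks over a
// decoded SLSA v1 provenance statement for one npm release. Run this AFTER
// `npm audit signatures` has verified the Sigstore signature and Rekor entry;
// a valid signature only proves *some* workflow built the tarball.
const IN_TOTO_STATEMENT = 'https://in-toto.io/Statement/v1';
const SLSA_V1 = 'https://slsa.dev/provenance/v1';

// package-lock.json records integrity as "sha512-<base64>"; in-toto subject
// digests are lowercase hex. Normalise so the two can be compared.
function integrityToHex(integrity) {
  const dash = integrity.indexOf('-');
  const alg = integrity.slice(0, dash);
  const hex = Buffer.from(integrity.slice(dash + 1), 'base64').toString('hex');
  return { alg, hex };
}

// Subject name as a package URL; "@" in the scope encoded as %40 (assumed
// format for the example; compare with the real attestation).
function npmPurl(name, version) {
  return `pkg:npm/${name.replace('@', '%40')}@${version}`;
}

function checkProvenance(statement, release, policy) {
  const reasons = [];
  if (statement._type !== IN_TOTO_STATEMENT) reasons.push(`statement type ${statement._type}`);
  if (statement.predicateType !== SLSA_V1) reasons.push(`predicate type ${statement.predicateType}`);

  // 1. The attested artifact must be the exact tarball the lockfile pins.
  const want = npmPurl(release.name, release.version);
  const subject = (statement.subject || []).find((s) => s.name === want);
  if (!subject) {
    reasons.push(`no subject named ${want}`);
  } else {
    const { alg, hex } = integrityToHex(release.integrity);
    if (!subject.digest || subject.digest[alg] !== hex) reasons.push('subject digest != lockfile integrity');
  }

  // 2. Built from the expected repo, on a release ref, on an allowed builder.
  const pred = statement.predicate || {};
  const workflow = pred.buildDefinition?.externalParameters?.workflow || {};
  const builderId = pred.runDetails?.builder?.id;
  if (workflow.repository !== policy.repository) reasons.push(`built from ${workflow.repository}`);
  if (!policy.refPattern.test(workflow.ref || '')) reasons.push(`built from ref ${workflow.ref}`);
  if (!policy.builders.includes(builderId)) reasons.push(`builder ${builderId} not allowed`);
  return { ok: reasons.length === 0, reasons };
}

// ---- constructed sample data (placeholders, not the real attestation) -----
const DIGEST_HEX = 'ab'.repeat(64); // a real one is sha512 of the published tarball
const RELEASE = {
  name: '@bitgo/sdk-coin-cosmos',
  version: '1.9.14',
  integrity: 'sha512-' + Buffer.from(DIGEST_HEX, 'hex').toString('base64'),
};
const POLICY = {
  repository: 'https://github.com/example-org/example-monorepo',   // assumed source repo
  refPattern: /^refs\/(heads\/master|tags\/)/,                    // releases only from these refs
  builders: ['https://github.com/actions/runner/github-hosted'],  // assumed builder id
};
const GOOD_STATEMENT = {
  _type: IN_TOTO_STATEMENT,
  predicateType: SLSA_V1,
  subject: [{ name: npmPurl(RELEASE.name, RELEASE.version), digest: { sha512: DIGEST_HEX } }],
  predicate: {
    buildDefinition: {
      buildType: 'https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1', // illustrative
      externalParameters: {
        workflow: { ref: 'refs/heads/master', repository: POLICY.repository, path: '.github/workflows/publish.yml' },
      },
    },
    runDetails: { builder: { id: POLICY.builders[0] } },
  },
};
// Same digest, same builder, but built from a fork: the signature would still verify.
const FORK_STATEMENT = JSON.parse(JSON.stringify(GOOD_STATEMENT));
FORK_STATEMENT.predicate.buildDefinition.externalParameters.workflow.repository =
  'https://github.com/someone-else/example-monorepo';

function demo() {
  return {
    good: checkProvenance(GOOD_STATEMENT, RELEASE, POLICY),
    fork: checkProvenance(FORK_STATEMENT, RELEASE, POLICY),
  };
}
```

The fork case is the one the "publisher-changed" finding cannot distinguish on its own: a tarball signed by a perfectly valid GitHub Actions identity, just not the repository you meant. Pinning the repository and ref from the statement, and re-running this check whenever a new version is considered, is what turns "has provenance" into an actual gate.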