@bitgo/sdk-coin-dot
BitGo SDK coin library for Polkadot
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@polkadot/keyring | AI (phantom-deps): Transitive dependency via @polkadot modules; declared and used indirectly. | ai | |
| phantom-deps | phantom-dep:@substrate/txwrapper-polkadot | AI (phantom-deps): Direct dependency for Polkadot transaction wrapping; used via re-exports. | ai | |
| phantom-deps | phantom-dep:@substrate/txwrapper-core | AI (phantom-deps): Direct dependency for Substrate integration; used via re-exports. | ai | |
| phantom-deps | phantom-dep:@polkadot/util-crypto | AI (phantom-deps): Transitive dependency via @polkadot modules; declared and used indirectly. | ai | |
| phantom-deps | phantom-dep:hi-base32 | AI (phantom-deps): Transitive dependency via @polkadot modules; declared and used indirectly. | ai | |
| phantom-deps | phantom-dep:tweetnacl | AI (phantom-deps): Transitive dependency via @polkadot/util-crypto; declared and used indirectly. | ai | |
| phantom-deps | phantom-dep:bignumber.js | AI (phantom-deps): Transitive dependency via @bitgo/sdk-core; declared and used indirectly. | ai | |
| phantom-deps | phantom-dep:@polkadot/api | AI (phantom-deps): Direct dependency for Polkadot integration; used via re-exports. | ai | |
| phantom-deps | phantom-dep:@bitgo/statics | AI (phantom-deps): Same-org dependency; used transitively through @bitgo/sdk-core. | ai | |
| phantom-deps | phantom-dep:@polkadot/util | AI (phantom-deps): Transitive dependency via @polkadot modules; declared and used indirectly. | ai | |
| phantom-deps | phantom-dep:@bitgo/sdk-core | AI (phantom-deps): Same-org dependency; primary peer for this coin module. | ai | |
| phantom-deps | phantom-dep:@polkadot/types | AI (phantom-deps): Transitive dependency via @polkadot modules; declared and used indirectly. | ai | |
| phantom-deps | phantom-dep:@polkadot/api-augment | AI (phantom-deps): Transitive dependency via @polkadot/api; declared and used indirectly. | ai | |
| phantom-deps | phantom-dep:@bitgo/sdk-lib-mpc | AI (phantom-deps): Same-org dependency; used transitively through @bitgo/sdk-core. | ai | |
| phantom-deps | phantom-dep:joi | AI (phantom-deps): Transitive dependency via @bitgo/sdk-core; declared and used indirectly. | ai | |
| phantom-deps | phantom-dep:bs58 | AI (phantom-deps): Transitive dependency via @bitgo/sdk-core; declared and used indirectly. | ai | |
| phantom-deps | phantom-dep:lodash | AI (phantom-deps): Transitive dependency via @bitgo/sdk-core; declared and used indirectly. | ai | |
| provenance | publisher-changed | AI (provenance): BitGo migrated to GitHub Actions CI publishing with SLSA provenance; expected pattern. | ai | |
| source-diff | obfuscated-file:dist/cjs/src/resources/mainnet.js | AI (source-diff): Long lines are Polkadot chain metadata JSON, not obfuscation; stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/esm/resources/mainnet.js | AI (source-diff): Same as CJS counterpart — chain metadata, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cjs/src/resources/polkadotAssetHub.js | AI (source-diff): Polkadot AssetHub chain metadata; long lines expected. | ai | |
| source-diff | obfuscated-file:dist/esm/resources/polkadotAssetHub.js | AI (source-diff): Polkadot AssetHub chain metadata; long lines expected. | ai | |
| source-diff | obfuscated-file:dist/cjs/src/lib/addressInitializationBuilder.js | AI (source-diff): Standard TypeScript CJS compiled output; readable source visible in sample. | ai | |
| source-diff | obfuscated-file:dist/esm/lib/addressInitializationBuilder.js | AI (source-diff): Standard TypeScript ESM compiled output; readable source visible in sample. | ai | |
| source-diff | obfuscated-file:dist/cjs/src/lib/batchTransactionBuilder.js | AI (source-diff): Standard TypeScript CJS compiled output; readable source visible in sample. | ai | |
| source-diff | obfuscated-file:dist/esm/lib/batchTransactionBuilder.js | AI (source-diff): Standard TypeScript ESM compiled output; readable source visible in sample. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): BitGo internal maintainer rotation to CI bot accounts; SLSA provenance confirms legitimate CI publish. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): louib-bitgo and bitgobot are BitGo org accounts; consistent with CI automation. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Previous maintainers were BitGo employees; removal is part of org-wide CI migration. | ai | |
| provenance | no-provenance | AI (provenance): BitGo monorepo packages consistently lack Sigstore provenance; stable false positive for this package family. | ai | |
| dependencies | unvetted-dep:@bitgo/sdk-core | AI (dependencies): Core BitGo SDK dependency; expected and stable for this package family. | ai | |
| dependencies | unvetted-dep:@substrate/txwrapper-polkadot | AI (dependencies): Official Substrate/Polkadot transaction wrapper; expected for this coin SDK. | ai | |
| dependencies | unvetted-dep:@substrate/txwrapper-core | AI (dependencies): Official Substrate transaction wrapper; expected for Polkadot coin support. | ai | |
| dependencies | unvetted-dep:@bitgo/sdk-lib-mpc | AI (dependencies): BitGo MPC library; standard dependency across BitGo SDK coin modules. | ai | |
| dependencies | unvetted-dep:@bitgo/wasm-dot | AI (dependencies): BitGo-owned WASM module for Polkadot; expected dependency for this coin SDK. | ai | |
Versions (showing 38 of 38)
| Version | Deps | Published |
|---|---|---|
| 4.16.4 | 18 / 3 | |
| 4.16.3 | 18 / 3 | |
| 4.16.2 | 18 / 3 | |
| 4.16.1 | 18 / 3 | |
| 4.16.0 | 18 / 3 | |
| 4.15.4 | 18 / 3 | |
| 4.15.3 | 18 / 3 | |
| 4.15.2 | 18 / 3 | |
| 4.15.1 | 18 / 3 | |
| 4.14.4 | 18 / 3 | |
| 4.14.3 | 18 / 3 | |
| 4.4.4 | 17 / 3 | |
| 4.4.3 | 17 / 3 | |
| 4.4.2 | 17 / 3 | |
| 4.4.1 | 17 / 3 | |
| 4.4.0 | 17 / 3 | |
| 4.3.15 | 17 / 3 | |
| 4.3.14 | 17 / 3 | |
| 4.3.13 | 17 / 3 | |
| 4.3.12 | 17 / 3 | |
| 4.3.11 | 17 / 3 | |
| 4.3.10 | 17 / 3 | |
| 4.3.9 | 17 / 3 | |
| 4.3.8 | 17 / 3 | |
| 4.3.7 | 17 / 3 | |
| 4.3.6 | 17 / 3 | |
| 4.3.5 | 17 / 3 | |
| 4.3.4 | 17 / 3 | |
| 4.3.3 | 17 / 3 | |
| 4.3.2 | 17 / 3 | |
| 4.3.1 | 17 / 3 | |
| 4.3.0 | 17 / 3 | |
| 4.2.0 | 17 / 3 | |
| 4.1.60 | 17 / 3 | |
| 4.1.59 | 17 / 3 | |
| 4.1.58 | 17 / 3 | |
| 4.1.57 | 17 / 3 | |
| 4.1.56 | 17 / 3 | |
v4.16.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.16.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.16.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.16.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.16.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.15.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.15.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.15.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.15.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.14.4
38 findings: All previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (louib-bitgo, bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2026-04-22. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (This finding is reported 35 times for this version, once per newly added file.)
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.14.3
38 findings: All previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (louib-bitgo, bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2026-04-14. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (This finding is reported 35 times for this version, once per newly added file.)
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.4.4
2 findings: This version was published by a different npm account than previous versions on 2025-09-03. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.4.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.4.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.4.1
2 findings: This version was published by a different npm account than previous versions on 2025-08-27. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.4.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.15
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.14
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.13
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.12
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.11
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.10
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.9
2 findings: This version was published by a different npm account than previous versions on 2025-07-25. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.8
2 findings: This version was published by a different npm account than previous versions on 2025-07-23. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.7
2 findings: This version was published by a different npm account than previous versions on 2025-07-15. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.4
2 findings: This version was published by a different npm account than previous versions on 2025-06-25. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.3
2 findings: This version was published by a different npm account than previous versions on 2025-06-24. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.2
2 findings: This version was published by a different npm account than previous versions on 2025-06-18. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.1
2 findings: This version was published by a different npm account than previous versions on 2025-06-10. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.2.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.60
2 findings: This version was published by a different npm account than previous versions on 2025-05-28. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.59
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.58
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.57
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.56
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.