@bitgo/sdk-coin-eos
BitGo SDK coin library for Eos
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): bitgobot is BitGo's CI automation account with 1094 approved packages; publisher change is expected org-wide automation. | ai | |
| source-diff | encoded-string-file:dist/src/eosutil/eosabiprovider.js | AI (source-diff): Base64-encoded EOS ABI data in a static lookup map; documented pattern for EOS SDK, not obfuscated payload. | ai | |
| source-diff | obfuscated-file:dist/test/unit/eos.js | AI (source-diff): Standard tsc-compiled test output; long lines from inline fixture data, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/stringTextDecoder.js | AI (source-diff): Standard tsc-compiled test file; content is fully readable test cases. | ai | |
| source-diff | obfuscated-file:dist/test/fixtures.js | AI (source-diff): Compiled fixture file with large inline EOS account/transaction data objects; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/test/unit/eosToken.js | AI (source-diff): Standard tsc-compiled test output; readable BitGo SDK imports and test logic. | ai | |
| source-diff | obfuscated-file:dist/src/eosToken.js | AI (source-diff): Long lines are inline sourcemaps in compiled TypeScript output; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/src/lib/transactionBuilder.js | AI (source-diff): Long line is a base64 sourcemap; code itself is fully readable compiled TypeScript. | ai | |
| source-diff | obfuscated-file:dist/src/eos.js | AI (source-diff): Long lines are TypeScript compiled output with inline sourcemaps; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/src/eosutil/eosabiprovider.js | AI (source-diff): Long lines are base64-encoded EOS ABI data embedded as string literals; not obfuscation. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): BitGo org account rotation; publisher has 331 approved packages with no rejections — not a takeover signal. | ai | |
| phantom-deps | phantom-dep:eosjs | AI (phantom-deps): TypeScript monorepo; deps declared for transitive use, phantom-dep heuristic is a stable FP here. | ai | |
| phantom-deps | phantom-dep:superagent | AI (phantom-deps): Same — stable FP for this compiled TS package. | ai | |
| phantom-deps | phantom-dep:eosjs-ecc | AI (phantom-deps): Same — stable FP for this compiled TS package. | ai | |
| phantom-deps | phantom-dep:lodash | AI (phantom-deps): Same — stable FP for this compiled TS package. | ai | |
| phantom-deps | phantom-dep:bignumber.js | AI (phantom-deps): Same — stable FP for this compiled TS package. | ai | |
| phantom-deps | phantom-dep:@bitgo/statics | AI (phantom-deps): Same-org dep; stable FP for this BitGo monorepo package. | ai | |
| phantom-deps | phantom-dep:@bitgo/secp256k1 | AI (phantom-deps): Same-org dep; stable FP for this BitGo monorepo package. | ai | |
| phantom-deps | phantom-dep:@bitgo/sdk-core | AI (phantom-deps): Same-org dep; stable FP for this BitGo monorepo package. | ai | |
| provenance | no-provenance | AI (provenance): BitGo SDK monorepo packages consistently lack Sigstore provenance; stable false positive for this package family. | ai | |
| dependencies | unvetted-dep:eosjs | AI (dependencies): Expected EOS blockchain dependency for this coin SDK; stable across versions. | ai | |
| dependencies | unvetted-dep:@bitgo/sdk-core | AI (dependencies): Core BitGo SDK dependency; expected for all @bitgo/sdk-coin-* packages. | ai | |
| dependencies | unvetted-dep:eosjs-ecc | AI (dependencies): Expected EOS cryptography dependency for this coin SDK; stable across versions. | ai |
Versions (showing 51 of 76)
| Version | Deps | Published |
|---|---|---|
| 3.9.2 | 8 / 3 | |
| 3.9.1 | 8 / 3 | |
| 3.9.0 | 8 / 3 | |
| 3.8.11 | 8 / 3 | |
| 3.8.10 | 8 / 3 | |
| 3.8.9 | 8 / 3 | |
| 3.8.8 | 8 / 3 | |
| 3.8.7 | 8 / 3 | |
| 3.8.6 | 8 / 3 | |
| 3.8.5 | 8 / 3 | |
| 3.8.4 | 8 / 3 | |
| 3.8.3 | 8 / 3 | |
| 3.8.2 | 8 / 3 | |
| 3.8.1 | 8 / 3 | |
| 3.8.0 | 8 / 3 | |
| 3.7.6 | 8 / 3 | |
| 3.7.5 | 8 / 3 | |
| 3.7.4 | 8 / 3 | |
| 3.7.3 | 8 / 3 | |
| 3.7.2 | 8 / 3 | |
| 3.7.1 | 8 / 3 | |
| 3.7.0 | 8 / 3 | |
| 3.6.2 | 8 / 3 | |
| 3.6.1 | 8 / 3 | |
| 3.6.0 | 8 / 3 | |
| 3.5.24 | 8 / 3 | |
| 3.5.22 | 8 / 3 | |
| 3.5.21 | 8 / 3 | |
| 3.5.20 | 8 / 3 | |
| 3.5.19 | 8 / 3 | |
| 3.5.18 | 8 / 3 | |
| 3.5.17 | 8 / 3 | |
| 3.5.16 | 8 / 3 | |
| 3.5.15 | 8 / 3 | |
| 3.5.14 | 8 / 3 | |
| 3.5.13 | 8 / 3 | |
| 3.5.12 | 8 / 3 | |
| 3.5.11 | 8 / 3 | |
| 3.5.10 | 8 / 3 | |
| 3.5.9 | 8 / 3 | |
| 3.5.8 | 8 / 3 | |
| 3.5.7 | 8 / 3 | |
| 3.5.6 | 8 / 3 | |
| 3.5.5 | 8 / 3 | |
| 3.5.4 | 8 / 3 | |
| 3.5.3 | 8 / 3 | |
| 3.5.2 | 8 / 3 | |
| 3.5.1 | 8 / 3 | |
| 3.5.0 | 8 / 3 | |
| 3.4.4 | 8 / 3 | |
| 3.4.3 | 8 / 3 |
v3.9.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.9.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.9.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.8.11
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.8.10
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.8.9
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.8.8
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.8.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.8.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.8.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.8.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.8.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.8.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.8.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.8.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.7.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.7.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.7.4
2 findingsThis version was published by a different npm account than previous versions on 2026-03-10. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.7.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.7.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.7.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.7.0
2 findingsModified file contains 13 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.6.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.24
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.5.22
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.21
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.20
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.19
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.18
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.17
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.16
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.5.15
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.5.14
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.10
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.5.9
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.5.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.5.4
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.3
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.5.0
6 findingsThis version was published by a different npm account than previous versions on 2025-09-25. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.4
6 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (pranavjain) than the most recent previously approved version (zahin-mohammad) on 2025-09-03, but pranavjain is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.4.3
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.