@bitgo/sdk-coin-flr
BitGo SDK coin library for Flr
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-takeover | AI (maintainer-change): BitGo consolidating to bitgobot publisher; consistent with 117 approved packages pattern, not a hostile takeover. | ai | |
| source-diff | obfuscated-file:dist/test/unit/flr.js | AI (source-diff): TypeScript compiled output with inline sourcemaps; standard build artifact for this BitGo SDK package. | ai | |
| source-diff | obfuscated-file:dist/src/flrToken.js | AI (source-diff): TypeScript compiled output with inline sourcemaps; standard build artifact for this BitGo SDK package. | ai | |
| source-diff | obfuscated-file:dist/test/unit/flrToken.js | AI (source-diff): TypeScript compiled output with inline sourcemaps; standard build artifact for this BitGo SDK package. | ai | |
| source-diff | obfuscated-file:dist/test/resources.js | AI (source-diff): TypeScript compiled output with inline sourcemaps; standard build artifact for this BitGo SDK package. | ai | |
| source-diff | obfuscated-file:dist/test/unit/utils.js | AI (source-diff): TypeScript compiled output with inline sourcemaps; standard build artifact for this BitGo SDK package. | ai | |
| source-diff | obfuscated-file:dist/src/iface.js | AI (source-diff): TypeScript compiled output with inline sourcemaps; standard build artifact for this BitGo SDK package. | ai | |
| phantom-deps | phantom-dep:@ethereumjs/tx | AI (phantom-deps): @ethereumjs/tx is a declared runtime dependency; phantom-dep false positive for this package. | ai | |
Versions (showing 25 of 25)
| Version | Deps | Published |
|---|---|---|
| 1.11.12 | 13 / 2 | |
| 1.11.11 | 13 / 2 | |
| 1.11.10 | 13 / 2 | |
| 1.11.9 | 13 / 2 | |
| 1.11.8 | 13 / 2 | |
| 1.11.7 | 13 / 2 | |
| 1.11.6 | 13 / 2 | |
| 1.11.5 | 13 / 2 | |
| 1.11.4 | 13 / 2 | |
| 1.11.3 | 13 / 2 | |
| 1.8.4 | 13 / 2 | |
| 1.6.4 | 5 / 2 | |
| 1.4.2 | 5 / 2 | |
| 1.4.1 | 5 / 2 | |
| 1.4.0 | 5 / 2 | |
| 1.3.9 | 5 / 2 | |
| 1.3.8 | 5 / 2 | |
| 1.3.4 | 5 / 2 | |
| 1.3.3 | 5 / 2 | |
| 1.3.2 | 5 / 2 | |
| 1.3.1 | 5 / 2 | |
| 1.2.5 | 5 / 2 | |
| 1.2.4 | 5 / 2 | |
| 1.2.3 | 5 / 2 | |
| 1.2.2 | 5 / 2 | |
v1.11.12
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.11.11
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.11.10
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.11.9
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.11.8
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.11.7
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.11.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.11.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.11.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.11.3
9 findings
All previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, joshdk, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (louib-bitgo, bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2026-04-28. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.8.4
9 findings
All previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, joshdk, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2026-01-19. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.4
7 findings
This version was published by a different npm account than previous versions on 2025-10-09. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.9
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.8
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.