@bitgo/sdk-coin-islm
BitGo SDK coin library for Islm
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | source-size-tripled | AI (source-diff): Size increase explained by newly included compiled test directory under dist/test/. | ai | |
| source-diff | obfuscated-file:dist/test/unit/utils.js | AI (source-diff): Compiled TypeScript unit test; long lines are standard TS boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/transactionBuilder/transferBuilder.js | AI (source-diff): Compiled TypeScript unit test; long lines are standard TS boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/transactionBuilder/transactionBuilder.js | AI (source-diff): Compiled TypeScript unit test; long lines are standard TS boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/transaction.js | AI (source-diff): Compiled TypeScript unit test; long lines are standard TS boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/transactionBuilder/StakingWithdrawRewardsBuilder.js | AI (source-diff): Compiled TypeScript unit test; long lines are standard TS boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/transactionBuilder/StakingDeactivateBuilder.js | AI (source-diff): Compiled TypeScript unit test; long lines are standard TS boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/transactionBuilder/StakingActivateBuilder.js | AI (source-diff): Compiled TypeScript unit test; long lines are standard TS boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/keyPair.js | AI (source-diff): Compiled TypeScript unit test; long lines are standard TS boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/islm.js | AI (source-diff): Compiled TypeScript unit test; long lines are standard TS boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/resources/islm.js | AI (source-diff): Compiled TypeScript test fixture with hardcoded test vectors; long lines from base64 tx data, not obfuscation. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Bulk removal of individual BitGo maintainers consistent with org-wide bot-publisher migration. | ai | |
| provenance | publisher-changed | AI (provenance): BitGo org-wide migration to bitgobot publisher; stable pattern across hundreds of approved packages. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Addition of bitgobot reflects org-level automation transition, not a takeover. | ai | |
| phantom-deps | phantom-dep:@bitgo/abstract-cosmos | AI (phantom-deps): Declared dependency; same org scope. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@cosmjs/encoding | AI (phantom-deps): Declared dependency; referenced in config files. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@bitgo/sdk-core | AI (phantom-deps): Declared dependency; same org scope. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@bitgo/statics | AI (phantom-deps): Declared dependency; same org scope. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@cosmjs/amino | AI (phantom-deps): Declared dependency; referenced in config files. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:cosmjs-types | AI (phantom-deps): Declared dependency; referenced in config files. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:bignumber.js | AI (phantom-deps): Declared dependency; referenced in config files. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:keccak | AI (phantom-deps): Declared dependency; referenced in config files. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:ethers | AI (phantom-deps): Declared dependency; referenced in config files. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@cosmjs/proto-signing | AI (phantom-deps): Declared dependency; referenced in config files. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@cosmjs/stargate | AI (phantom-deps): Declared dependency; referenced in config files. Stable pattern for this package. | ai | |
| provenance | no-provenance | AI (provenance): BitGo monorepo packages consistently lack Sigstore provenance; stable false positive for this package family. | ai | |
| dependencies | unvetted-dep:@bitgo/sdk-core | AI (dependencies): Internal BitGo monorepo dependency; expected and stable for this package family. | ai | |
| dependencies | unvetted-dep:@bitgo/abstract-cosmos | AI (dependencies): Internal BitGo monorepo dependency; expected and stable for this package family. | ai |
Versions (showing 51 of 76)
| Version | Deps | Published |
|---|---|---|
| 2.6.14 | 12 / 3 | |
| 2.6.13 | 12 / 3 | |
| 2.6.12 | 12 / 3 | |
| 2.6.11 | 12 / 3 | |
| 2.6.10 | 12 / 3 | |
| 2.6.9 | 12 / 3 | |
| 2.6.8 | 12 / 3 | |
| 2.6.7 | 12 / 3 | |
| 2.6.6 | 12 / 3 | |
| 2.6.5 | 12 / 3 | |
| 2.6.4 | 12 / 3 | |
| 2.6.3 | 12 / 3 | |
| 2.6.2 | 12 / 3 | |
| 2.6.1 | 12 / 3 | |
| 2.6.0 | 12 / 3 | |
| 2.5.9 | 12 / 3 | |
| 2.5.8 | 12 / 3 | |
| 2.5.7 | 12 / 3 | |
| 2.5.6 | 12 / 3 | |
| 2.5.5 | 12 / 3 | |
| 2.5.4 | 12 / 3 | |
| 2.5.3 | 12 / 3 | |
| 2.5.2 | 12 / 3 | |
| 2.5.1 | 12 / 3 | |
| 2.5.0 | 12 / 3 | |
| 2.4.24 | 12 / 3 | |
| 2.4.22 | 12 / 3 | |
| 2.4.21 | 12 / 3 | |
| 2.4.20 | 12 / 3 | |
| 2.4.19 | 12 / 3 | |
| 2.4.18 | 12 / 3 | |
| 2.4.17 | 12 / 3 | |
| 2.4.16 | 12 / 3 | |
| 2.4.15 | 12 / 3 | |
| 2.4.14 | 12 / 3 | |
| 2.4.13 | 12 / 3 | |
| 2.4.12 | 12 / 3 | |
| 2.4.11 | 12 / 3 | |
| 2.4.10 | 12 / 3 | |
| 2.4.9 | 12 / 3 | |
| 2.4.8 | 12 / 3 | |
| 2.4.7 | 12 / 3 | |
| 2.4.6 | 12 / 3 | |
| 2.4.5 | 12 / 3 | |
| 2.4.4 | 12 / 3 | |
| 2.4.3 | 12 / 3 | |
| 2.4.2 | 12 / 3 | |
| 2.4.1 | 12 / 3 | |
| 2.4.0 | 12 / 3 | |
| 2.3.4 | 12 / 3 | |
| 2.3.3 | 12 / 3 |
v2.6.14
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.6.13
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.6.12
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.6.11
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.6.10
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.6.9
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.6.8
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.6.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.6.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.6.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.6.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.6.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.6.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.6.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.6.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.5.9
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.5.8
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.5.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.5.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.5.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.5.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.24
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.22
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.21
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.20
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.19
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.18
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.17
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.16
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.15
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.14
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.12
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.4
12 findingsThis version was published by a different npm account than previous versions on 2025-10-09. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.3
12 findingsThis version was published by a different npm account than previous versions on 2025-10-08. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.2
2 findingsThis version was published by a different npm account than previous versions on 2025-10-02. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.1
2 findingsThis version was published by a different npm account than previous versions on 2025-09-29. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.0
2 findingsThis version was published by a different npm account than previous versions on 2025-09-25. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.3.3
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zahin-mohammad) than the most recent previously approved version (pranavjain) on 2025-08-30, but zahin-mohammad is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.