@bitgo/sdk-coin-stx
BitGo SDK coin library for Stacks
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:ethereumjs-util | AI (phantom-deps): Transitive dependency via @bitgo/sdk-core; stable across versions. | ai | |
| phantom-deps | phantom-dep:@stacks/network | AI (phantom-deps): Transitive dependency via @stacks/transactions; stable across versions. | ai | |
| phantom-deps | phantom-dep:@bitgo/sdk-core | AI (phantom-deps): Same-org transitive dependency; stable across versions. | ai | |
| phantom-deps | phantom-dep:@bitgo/statics | AI (phantom-deps): Same-org transitive dependency; stable across versions. | ai | |
| phantom-deps | phantom-dep:bn.js | AI (phantom-deps): Transitive dependency via @bitgo/sdk-core; stable across versions. | ai | |
| phantom-deps | phantom-dep:@noble/curves | AI (phantom-deps): Transitive dependency via @bitgo/sdk-core; stable across versions. | ai | |
| phantom-deps | phantom-dep:bignumber.js | AI (phantom-deps): Transitive dependency via @bitgo/sdk-core; stable across versions. | ai | |
| phantom-deps | phantom-dep:lodash | AI (phantom-deps): Transitive dependency via @bitgo/sdk-core; stable across versions. | ai | |
| phantom-deps | phantom-dep:@stacks/transactions | AI (phantom-deps): Transitive dependency; stable across versions. | ai | |
| phantom-deps | phantom-dep:@bitgo/secp256k1 | AI (phantom-deps): Same-org transitive dependency; stable across versions. | ai | |
| source-diff | obfuscated-file:dist/test/unit/util.js | AI (source-diff): TypeScript-compiled test file; long lines from hex fixtures and TS boilerplate. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New files are compiled test outputs added to dist/test/; expected for BitGo SDK packages shipping test artifacts. | ai | |
| source-diff | obfuscated-file:dist/test/unit/sip10Token.js | AI (source-diff): TypeScript-compiled test file; long lines from hex fixtures and TS boilerplate. | ai | |
| source-diff | obfuscated-file:dist/test/unit/transactionBuilder/contractBuilder.js | AI (source-diff): TypeScript-compiled test file; long lines from hex fixtures and TS boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/fixtures.js | AI (source-diff): Test fixtures file with long hex transaction strings; standard pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/test/unit/transactionBuilder/fungibleTokenTransferBuilder.js | AI (source-diff): TypeScript-compiled test file; long lines from hex fixtures and TS boilerplate. | ai | |
| source-diff | obfuscated-file:dist/test/unit/keyPair.js | AI (source-diff): TypeScript-compiled test file; long lines from hex fixtures and TS boilerplate. | ai | |
| source-diff | obfuscated-file:dist/test/unit/resources.js | AI (source-diff): Test resources file with long hex/key strings; standard pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/test/unit/transactionBuilder/sendmanyBuilder.js | AI (source-diff): TypeScript-compiled test file; long lines from hex fixtures and TS boilerplate. | ai | |
| source-diff | obfuscated-file:dist/test/unit/stx.js | AI (source-diff): TypeScript-compiled test file; long lines from hex fixtures and TS boilerplate. | ai | |
| source-diff | obfuscated-file:dist/test/unit/transaction.js | AI (source-diff): TypeScript-compiled test file; long lines from hex fixtures and TS boilerplate. | ai | |
| source-diff | obfuscated-file:dist/test/unit/transactionBuilder/transferBuilder.js | AI (source-diff): TypeScript-compiled test file; long lines from hex fixtures and TS boilerplate. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): bitgobot is the trusted BitGo org bot; maintainer churn is org-level housekeeping. | ai | |
| provenance | publisher-changed | AI (provenance): bitgobot is BitGo's automation account with 774 approved packages; publisher change reflects org-level consolidation. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Mass removal of BitGo employee accounts in favor of org bot; consistent with org consolidation pattern. | ai | |
| source-diff | obfuscated-file:dist/src/lib/sbtcWithdrawBuilder.js | AI (source-diff): TypeScript-compiled sBTC withdrawal builder; readable logic visible in sample. | ai | |
| source-diff | obfuscated-file:dist/src/lib/btcAddressUtils.js | AI (source-diff): Standard TypeScript compiler output; long lines are TS helper closures, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/btcAddressUtils.js | AI (source-diff): Test file compiled from TypeScript; same TS boilerplate pattern, not malicious. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): bech32 and bs58check are well-known Bitcoin address encoding libs matching new sBTC feature. | ai | |
| source-diff | obfuscated-file:dist/test/unit/transactionBuilder/sbtcWithdrawBuilder.js | AI (source-diff): TypeScript-compiled test file; standard TS boilerplate, not obfuscation. | ai | |
| provenance | no-provenance | AI (provenance): BitGo SDK packages consistently lack Sigstore provenance; stable false positive for this package family. | ai | |
| dependencies | unvetted-dep:@bitgo/sdk-core | AI (dependencies): First-party BitGo dependency; expected and stable across all versions of this coin SDK package. | ai | |
Versions (showing 51 of 76)
| Version | Deps | Published |
|---|---|---|
| 3.14.2 | 12 / 2 | |
| 3.14.1 | 12 / 2 | |
| 3.14.0 | 12 / 2 | |
| 3.13.3 | 12 / 2 | |
| 3.13.2 | 12 / 2 | |
| 3.13.1 | 12 / 2 | |
| 3.13.0 | 12 / 2 | |
| 3.12.7 | 10 / 2 | |
| 3.12.6 | 10 / 2 | |
| 3.12.5 | 10 / 2 | |
| 3.12.4 | 10 / 2 | |
| 3.12.3 | 10 / 2 | |
| 3.12.2 | 10 / 2 | |
| 3.12.1 | 10 / 2 | |
| 3.12.0 | 10 / 2 | |
| 3.11.9 | 10 / 2 | |
| 3.11.8 | 10 / 2 | |
| 3.11.7 | 10 / 2 | |
| 3.11.6 | 10 / 2 | |
| 3.11.5 | 10 / 2 | |
| 3.11.4 | 10 / 2 | |
| 3.11.3 | 10 / 2 | |
| 3.11.2 | 10 / 2 | |
| 3.11.1 | 10 / 2 | |
| 3.11.0 | 10 / 2 | |
| 3.10.24 | 10 / 2 | |
| 3.10.22 | 10 / 2 | |
| 3.10.21 | 10 / 2 | |
| 3.10.20 | 10 / 2 | |
| 3.10.19 | 10 / 2 | |
| 3.10.18 | 10 / 2 | |
| 3.10.17 | 10 / 2 | |
| 3.10.16 | 10 / 2 | |
| 3.10.15 | 10 / 2 | |
| 3.10.14 | 10 / 2 | |
| 3.10.13 | 10 / 2 | |
| 3.10.12 | 10 / 2 | |
| 3.10.11 | 10 / 2 | |
| 3.10.10 | 10 / 2 | |
| 3.10.9 | 10 / 2 | |
| 3.10.8 | 10 / 2 | |
| 3.10.7 | 10 / 2 | |
| 3.10.6 | 10 / 2 | |
| 3.10.5 | 10 / 2 | |
| 3.10.4 | 10 / 2 | |
| 3.10.3 | 10 / 2 | |
| 3.10.2 | 10 / 2 | |
| 3.10.1 | 10 / 2 | |
| 3.10.0 | 10 / 2 | |
| 3.9.4 | 10 / 2 | |
| 3.9.3 | 10 / 2 | |
v3.14.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.14.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.14.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.13.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.13.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.13.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.13.0
5 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (4 findings, one per newly added file)
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.12.7
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.12.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.12.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.12.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.12.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.12.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.12.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.12.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.11.9
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.11.8
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.11.7
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.11.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.11.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.11.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.11.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.11.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.11.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.11.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.24
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.22
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.21
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.10.20
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.10.19
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.18
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.17
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.16
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.10.15
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.14
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.10.13
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.12
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.10.11
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.10
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.6
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.10.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.10.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.10.3
12 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (11 findings, one per newly added file)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
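The long-line rule behind the v3.13.0 and v3.10.3 findings treats any newly added file with a line over 3000 characters as a possible obfuscation indicator. That threshold catches real obfuscation, but the accepted-risk reasons above show it also fires on tsc helper closures and on hex transaction fixtures. The triage pass below is an added example, not the scanner's own rule and not code from @bitgo/sdk-coin-stx: it classifies what each long line is made of so the benign kinds can be separated from the ones that deserve a manual look. The sample files are constructed; two paths echo names from the report but their contents are invented, and the third is an invented obfuscated file that the package never shipped.

```javascript
// Added example, not the scanner's own rule and not code from @bitgo/sdk-coin-stx. Classifies
// every line longer than the report's 3000-character threshold as tsc boilerplate, a hex
// fixture, suspicious (obfuscation traits), or unknown, so that only the last two need a human.

const LONG_LINE = 3000; // threshold quoted in the report

// Helper names the TypeScript compiler emits into its output (constructed list, not exhaustive).
const TS_HELPER_RE = /__(?:createBinding|exportStar|importStar|importDefault|awaiter|generator|decorate)\b/;

// Traits common in obfuscated JavaScript: hex-named identifiers, eval/Function, atob,
// and runs of \xNN escapes. Any one of them outranks the benign classifications below.
const OBFUSCATION_RE = /\b_0x[0-9a-f]{4,}\b|\beval\(|\bnew Function\(|\batob\(|\\x[0-9a-f]{2}\\x[0-9a-f]{2}/i;

// Share of the line that sits inside quoted hex strings of 32+ digits (serialized txs, keys).
function hexFixtureRatio(line) {
  let hexChars = 0;
  for (const m of line.matchAll(/['"`]([0-9a-fA-F]{32,})['"`]/g)) hexChars += m[1].length;
  return line.length === 0 ? 0 : hexChars / line.length;
}

function classifyLine(line) {
  if (OBFUSCATION_RE.test(line)) return 'suspicious';
  if (TS_HELPER_RE.test(line)) return 'ts-helper';
  if (hexFixtureRatio(line) >= 0.5) return 'hex-fixture';
  return 'unknown';
}

// { path: [{ line, length, kind }] } for every file that has at least one long line.
function triageLongLines(files, threshold = LONG_LINE) {
  const result = {};
  for (const [path, source] of Object.entries(files)) {
    const hits = [];
    source.split('\n').forEach((line, i) => {
      if (line.length > threshold) hits.push({ line: i + 1, length: line.length, kind: classifyLine(line) });
    });
    if (hits.length > 0) result[path] = hits;
  }
  return result;
}

// Files whose long lines are not explained by a benign kind; these are the ones to open.
function needsManualReview(triage) {
  return Object.entries(triage)
    .filter(([, hits]) => hits.some((h) => h.kind === 'suspicious' || h.kind === 'unknown'))
    .map(([path]) => path)
    .sort();
}

// Constructed sample files. The first two paths echo names from the report; their contents
// are invented. The third is an invented obfuscated file, not anything shipped by the package.
const hexBlob = 'deadbeef'.repeat(400); // 3200 hex chars, the shape of a serialized tx fixture
const tsHelper =
  'var __importDefault = (this && this.__importDefault) || function (mod) { return (mod && mod.__esModule) ? mod : { "default": mod }; };';
const sampleFiles = {
  'dist/test/fixtures.js': `"use strict";\nexports.SIGNED_TX = "${hexBlob}";\n`,
  'dist/src/lib/btcAddressUtils.js': `"use strict";\n${tsHelper.repeat(25)}\n`,
  'constructed/obfuscated.js': `var _0x4f2a=["\\x65\\x76\\x61\\x6c"];${'a'.repeat(3100)};eval(_0x4f2a[0]);\n`,
};

// Stand-alone run over the sample.
const triage = triageLongLines(sampleFiles);
console.log(JSON.stringify(triage, null, 2));
console.log('needs manual review:', needsManualReview(triage));
```

The order of the checks matters: the obfuscation test runs first so a file that hides `eval` behind a long hex string is still flagged, and a line that matches neither helper names nor hex content comes back as `unknown` rather than being silently accepted. A classification of `ts-helper` or `hex-fixture` is a reason to accept, as the table above does; it is not proof of absence, so diffing the file against the previous version is still the stronger check.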
v3.10.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.10.1
2 findings: This version was published by a different npm account than previous versions on 2025-09-29. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.0
2 findings: This version was published by a different npm account than previous versions on 2025-09-25. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.9.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.9.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
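Both the publisher-changed findings (v3.10.0, v3.10.1) and the no-provenance / Sigstore-attestation findings that run through the whole version list are derived from the registry's per-version metadata. The code below is an added example of that derivation; it is not the scanner's own code and not code from @bitgo/sdk-coin-stx. The field names it reads (`time`, `versions[v]._npmUser`, `versions[v].dist.attestations.provenance.predicateType`) are those in the packument that https://registry.npmjs.org/<name> returns; the version records, account names, integrity values and timestamps are constructed for the example, except that the 3.10.0 publisher-change date mirrors the one the report gives.

```javascript
// Added example, not the scanner's own code and not code from @bitgo/sdk-coin-stx. Walks a
// registry packument in publish order and emits publisher-changed, provenance and
// no-provenance findings of the kind listed in this report.

const SLSA_V1 = 'https://slsa.dev/provenance/v1';

// Versions in the order the registry says they were published ('time' also holds the
// non-version keys created/modified, so iterate over versions and look times up).
function publishOrder(packument) {
  return Object.keys(packument.versions).sort(
    (a, b) => Date.parse(packument.time[a]) - Date.parse(packument.time[b]),
  );
}

// Predicate type of the provenance attestation recorded on dist, or null if there is none.
function provenanceOf(versionMeta) {
  const att = versionMeta.dist && versionMeta.dist.attestations;
  const predicateType = att && att.provenance && att.provenance.predicateType;
  return predicateType || null;
}

// One provenance finding per version, plus a publisher-changed finding whenever the
// publishing account differs from the previous release's.
function auditPublishHistory(packument) {
  const findings = [];
  let previous = null;
  for (const version of publishOrder(packument)) {
    const meta = packument.versions[version];
    const publisher = (meta._npmUser && meta._npmUser.name) || '(unknown)';
    const date = (packument.time[version] || '').slice(0, 10);
    if (previous !== null && publisher !== previous) {
      findings.push({ version, rule: 'publisher-changed', detail: `${previous} -> ${publisher} on ${date}` });
    }
    const predicate = provenanceOf(meta);
    findings.push(
      predicate
        ? { version, rule: 'provenance', detail: `Sigstore attestation, predicate ${predicate}` }
        : { version, rule: 'no-provenance', detail: 'no attestation recorded on dist' },
    );
    previous = publisher;
  }
  return findings;
}

// Versions carrying a given rule, in publish order.
function versionsWithRule(findings, rule) {
  return findings.filter((f) => f.rule === rule).map((f) => f.version);
}

// Constructed packument fragment: account names, integrity values and most dates are
// invented; only the 3.10.0 publisher-change date mirrors the report.
const samplePackument = {
  name: '@bitgo/sdk-coin-stx',
  time: {
    created: '2025-01-01T00:00:00.000Z',
    '3.9.4': '2025-09-20T10:00:00.000Z',
    '3.10.0': '2025-09-25T10:00:00.000Z',
    '3.11.6': '2025-10-05T10:00:00.000Z',
    '3.11.7': '2025-10-08T10:00:00.000Z',
  },
  versions: {
    '3.9.4': { _npmUser: { name: 'employee-account' }, dist: { integrity: 'sha512-constructed' } },
    '3.10.0': { _npmUser: { name: 'org-bot' }, dist: { integrity: 'sha512-constructed' } },
    '3.11.6': { _npmUser: { name: 'org-bot' }, dist: { integrity: 'sha512-constructed' } },
    '3.11.7': {
      _npmUser: { name: 'org-bot' },
      dist: {
        integrity: 'sha512-constructed',
        attestations: { url: 'constructed-attestation-bundle-url', provenance: { predicateType: SLSA_V1 } },
      },
    },
  },
};

// Stand-alone run.
for (const f of auditPublishHistory(samplePackument)) console.log(`${f.version}\t${f.rule}\t${f.detail}`);
```

Two caveats a practitioner should keep in mind. The packument only records that an attestation exists; it does not verify it. Verification means fetching the bundle and checking the signature and the transparency-log entry, which `npm audit signatures` does for the packages in an installed tree. And a publisher change is a fact, not a verdict: the report above accepted the 3.10.0 change as org consolidation onto a bot account, and the same signal from an unknown account with no matching org activity would warrant the opposite decision.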