@bitgo/sdk-coin-sui
BitGo SDK coin library for Sui
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | encoded-string-file:dist/test/unit/sui.js | AI (source-diff): Long hex strings in test fixtures are blockchain transaction data and addresses, not obfuscated payloads. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@mysten/bcs | AI (phantom-deps): Monorepo package; deps referenced in config files are a stable false positive pattern for this package. | ai | |
| phantom-deps | phantom-dep:@bitgo/statics | AI (phantom-deps): Same-org monorepo dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@bitgo/sdk-core | AI (phantom-deps): Same-org monorepo dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@bitgo/sdk-lib-mpc | AI (phantom-deps): Same-org monorepo dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:bs58 | AI (phantom-deps): Monorepo package; deps referenced in config files are a stable false positive pattern for this package. | ai | |
| phantom-deps | phantom-dep:lodash | AI (phantom-deps): Monorepo package; deps referenced in config files are a stable false positive pattern for this package. | ai | |
| phantom-deps | phantom-dep:tweetnacl | AI (phantom-deps): Monorepo package; deps referenced in config files are a stable false positive pattern for this package. | ai | |
| phantom-deps | phantom-dep:superagent | AI (phantom-deps): Monorepo package; deps referenced in config files are a stable false positive pattern for this package. | ai | |
| phantom-deps | phantom-dep:superstruct | AI (phantom-deps): Monorepo package; deps referenced in config files are a stable false positive pattern for this package. | ai | |
| phantom-deps | phantom-dep:bignumber.js | AI (phantom-deps): Monorepo package; deps referenced in config files are a stable false positive pattern for this package. | ai | |
| phantom-deps | phantom-dep:@bitgo/blake2b | AI (phantom-deps): Same-org monorepo dep; stable false positive for this package. | ai | |
| provenance | no-provenance | AI (provenance): BitGo SDK packages consistently publish without Sigstore provenance; stable pattern across all versions. | ai | |
| dependencies | unvetted-dep:@bitgo/sdk-core | AI (dependencies): Internal BitGo monorepo dependency; expected and stable for this package family. | ai | |
| dependencies | unvetted-dep:@bitgo/sdk-lib-mpc | AI (dependencies): Internal BitGo monorepo dependency; expected and stable for this package family. | ai | |
Versions (showing 51 of 64)
| Version | Deps | Published |
|---|---|---|
| 5.24.1 | 11 / 5 | |
| 5.24.0 | 11 / 5 | |
| 5.23.8 | 11 / 5 | |
| 5.23.7 | 11 / 5 | |
| 5.23.6 | 11 / 5 | |
| 5.23.5 | 11 / 5 | |
| 5.23.4 | 11 / 5 | |
| 5.23.3 | 11 / 5 | |
| 5.23.2 | 11 / 5 | |
| 5.23.1 | 11 / 5 | |
| 5.23.0 | 11 / 5 | |
| 5.22.0 | 11 / 5 | |
| 5.21.8 | 11 / 5 | |
| 5.21.7 | 11 / 5 | |
| 5.21.6 | 11 / 5 | |
| 5.21.5 | 11 / 5 | |
| 5.21.4 | 11 / 5 | |
| 5.21.3 | 11 / 5 | |
| 5.21.2 | 11 / 5 | |
| 5.21.1 | 11 / 5 | |
| 5.21.0 | 11 / 5 | |
| 5.20.0 | 11 / 5 | |
| 5.19.24 | 11 / 5 | |
| 5.19.22 | 11 / 5 | |
| 5.19.21 | 11 / 5 | |
| 5.19.20 | 11 / 5 | |
| 5.19.19 | 11 / 5 | |
| 5.19.18 | 11 / 5 | |
| 5.19.17 | 11 / 5 | |
| 5.19.16 | 11 / 5 | |
| 5.19.15 | 11 / 5 | |
| 5.19.14 | 11 / 5 | |
| 5.19.13 | 11 / 5 | |
| 5.19.12 | 11 / 5 | |
| 5.19.11 | 11 / 5 | |
| 5.19.10 | 11 / 5 | |
| 5.19.9 | 11 / 5 | |
| 5.19.8 | 11 / 5 | |
| 5.19.7 | 11 / 5 | |
| 5.19.6 | 11 / 5 | |
| 5.19.5 | 11 / 5 | |
| 5.19.4 | 11 / 5 | |
| 5.19.2 | 11 / 5 | |
| 5.18.3 | 11 / 5 | |
| 5.18.1 | 11 / 5 | |
| 5.17.1 | 11 / 5 | |
| 5.17.0 | 11 / 5 | |
| 5.16.0 | 11 / 5 | |
| 5.15.12 | 11 / 5 | |
| 5.15.11 | 11 / 5 | |
| 5.15.10 | 11 / 5 | |
v5.24.1
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.24.0
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.23.8
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.23.7
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.23.6
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.23.5
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.23.4
2 findings:
Modified file contains 57 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.23.3
2 findings:
Modified file contains 57 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.23.2
2 findings:
Modified file contains 57 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.23.1
2 findings:
Modified file contains 57 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.23.0
2 findings:
Modified file contains 57 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.22.0
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.21.8
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.21.7
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.21.6
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.21.5
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.21.4
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.21.3
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.21.2
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.21.1
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.21.0
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.20.0
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.19.24
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.19.22
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.19.21
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.19.20
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.19.19
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.19.18
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.19.17
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.19.16
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.19.15
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.19.14
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.19.13
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.19.12
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.19.11
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.19.10
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.19.9
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.19.8
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.19.7
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.19.6
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.19.5
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.19.4
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.19.2
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.18.3
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.18.1
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.17.1
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.17.0
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.16.0
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.15.12
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.15.11
1 finding:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.15.10
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.