@bitgo/sdk-coin-tao
BitGo SDK coin library for TAO (Bittensor) coin
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/test/unit/transactionBuilder/tokenTransferBuilder.js | AI (source-diff): Compiled TypeScript test; long lines from fixture data. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): BitGo org-wide CI/CD migration to GitHub Actions with SLSA provenance; consistent with official BitGoJS repo. | ai | |
| source-diff | obfuscated-file:dist/test/resources/testnet.d.ts | AI (source-diff): TypeScript declaration file with long metadata string; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/test/unit/transactionBuilder/unstakeBuilder.js | AI (source-diff): Compiled TypeScript test; long lines from fixture data. | ai | |
| source-diff | obfuscated-file:dist/test/unit/transactionBuilder/transferBuilder.js | AI (source-diff): Compiled TypeScript test; long lines from fixture data. | ai | |
| source-diff | obfuscated-file:dist/test/unit/transactionBuilder/transactionBuilderFactory.js | AI (source-diff): Compiled TypeScript test; long lines from fixture data. | ai | |
| source-diff | obfuscated-file:dist/test/unit/tao.js | AI (source-diff): Compiled TypeScript test file; standard TS boilerplate with long fixture lines. | ai | |
| source-diff | obfuscated-file:dist/test/resources/testnet.js | AI (source-diff): Large testnet metadata RPC blob causes long lines; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/test/unit/transactionBuilder/base.js | AI (source-diff): TypeScript-compiled test code with long lines from fixture data; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/test/unit/fixtures.js | AI (source-diff): Long lines are encrypted key fixture strings for tests; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/test/resources/index.js | AI (source-diff): Test resource file with long metadata RPC strings; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/test/unit/transactionBuilder/moveStakeBuilder.js | AI (source-diff): Compiled TypeScript test file; long lines from test fixture data. | ai | |
| source-diff | obfuscated-file:dist/test/unit/transactionBuilder/stakingBuilder.js | AI (source-diff): Compiled TypeScript test; long lines from fixture data, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/src/lib/moveStakeBuilder.js | AI (source-diff): TypeScript build output with long lines from source maps; code is readable BitGo SDK logic, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/src/lib/moveStakeTransaction.js | AI (source-diff): Same pattern — compiled TS dist file, not obfuscated; readable BitGo SDK transaction logic. | ai | |
| source-diff | obfuscated-file:dist/src/lib/tokenTransferBuilder.js | AI (source-diff): Standard TypeScript-compiled CommonJS output; long lines are generated code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/src/taoToken.js | AI (source-diff): Standard TypeScript-compiled CommonJS output; long lines are generated code, not obfuscation. | ai | |
| provenance | publisher-changed | AI (provenance): zahin-mohammad is an established BitGo publisher with 58 approved packages; transition appears legitimate. | ai | |
| provenance | no-provenance | AI (provenance): BitGo SDK packages consistently lack Sigstore provenance; stable false positive for this package family. | ai | |
| dependencies | unvetted-dep:@substrate/txwrapper-polkadot | AI (dependencies): Standard Substrate/Polkadot ecosystem library; expected for Substrate-based coin modules. | ai | |
| dependencies | unvetted-dep:@substrate/txwrapper-core | AI (dependencies): Standard Substrate ecosystem library for transaction wrapping. | ai | |
| dependencies | unvetted-dep:@bitgo/abstract-substrate | AI (dependencies): BitGo internal Substrate abstraction; expected for TAO/Bittensor coin module. | ai | |
| dependencies | unvetted-dep:@bitgo/sdk-core | AI (dependencies): Core BitGo SDK dependency; expected for all @bitgo/sdk-coin-* packages. | ai | |
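The sixteen `obfuscated-file` rows above were all triggered by the same rule (any line over 3000 characters) and all accepted for the same reasons: inline source maps in compiled TypeScript, or fixture and metadata strings. The script below is an added example, not the scanner's code and not part of BitGoJS; it re-implements that rule and then classifies each over-length line so a reviewer can accept build artifacts and fixtures mechanically while still sending real obfuscation or minification to manual review. The 3000-character threshold is taken from the findings on this page; the sample file contents are constructed.

```javascript
// Added example: triage of the "line over 3000 chars" heuristic.
// Sample inputs are constructed, not real package files.

const LONG_LINE_LIMIT = 3000; // the scanner's threshold, as stated in the findings

// Explain why one over-length line is long. Cheap, high-confidence checks
// run first; the order matters.
function classifyLongLine(line) {
  const t = line.trim();
  // 1. Inline source map emitted by tsc/esbuild: a base64 blob inside a comment.
  if (/^\/\/# sourceMappingURL=data:application\/json;base64,/.test(t)) {
    return 'inline-source-map';
  }
  // 2. A line that is essentially one string literal (hex fixture, metadata
  //    RPC blob, encrypted key): blank out every quoted literal and measure
  //    how much code is left.
  const stripped = t.replace(
    /"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|`(?:[^`\\]|\\.)*`/g,
    '""',
  );
  if (stripped.length < 200) return 'string-literal-fixture';
  // 3. Fingerprint of common JS obfuscators: hex-named identifiers.
  if (/_0x[0-9a-f]{4,}/i.test(t)) return 'obfuscator-identifiers';
  // 4. Minified code: almost no whitespace once string contents are removed.
  const whitespace = (stripped.match(/\s/g) || []).length / stripped.length;
  if (whitespace < 0.02) return 'minified';
  return 'unknown-long-line';
}

// Scan one file's text. A file is accepted automatically only when every
// over-length line has a benign explanation; anything else goes to review.
function scanSource(text) {
  const longLines = [];
  text.split('\n').forEach((line, i) => {
    if (line.length > LONG_LINE_LIMIT) {
      longLines.push({ lineNo: i + 1, length: line.length, kind: classifyLongLine(line) });
    }
  });
  const benign = new Set(['inline-source-map', 'string-literal-fixture']);
  let verdict = 'clean';
  if (longLines.length > 0) {
    verdict = longLines.every((l) => benign.has(l.kind)) ? 'accept-build-artifact' : 'review';
  }
  return { verdict, longLines };
}

// Constructed samples mirroring the four situations a reviewer meets.
const SAMPLES = {
  // tsc output with an inline source map on the last line
  compiledTs:
    '"use strict";\nexports.TaoToken = class {};\n' +
    '//# sourceMappingURL=data:application/json;base64,' + 'A'.repeat(3200),
  // test fixture holding one very long encrypted-key string
  fixture: '"use strict";\nexports.encryptedKey = "' + 'ab'.repeat(1700) + '";',
  // javascript-obfuscator style: hex identifiers and a string table
  obfuscated: "var _0x1f3a=['a','b'];" + '_0x1f3a[0];'.repeat(300),
  // plain minification: no whitespace, no obfuscator names
  minified: '!function(e){e.x=1}(t);'.repeat(150),
};

// Verdict per sample; the first two are accepted, the last two need review.
function triage(samples) {
  const out = {};
  for (const [name, text] of Object.entries(samples)) {
    out[name] = scanSource(text).verdict;
  }
  return out;
}
```

The classifier only explains why a line is long; it does not prove the code is safe. A long fixture string can still hide a payload that is decoded at runtime, so the `string-literal-fixture` class is a reason to read the file quickly, not to skip it.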
Versions (showing 44 of 44)
| Version | Deps | Published |
|---|---|---|
| 1.16.2 | 7 / 2 | |
| 1.16.1 | 7 / 2 | |
| 1.16.0 | 7 / 2 | |
| 1.15.11 | 7 / 2 | |
| 1.15.10 | 7 / 2 | |
| 1.15.9 | 7 / 2 | |
| 1.15.8 | 7 / 2 | |
| 1.15.7 | 7 / 2 | |
| 1.15.6 | 7 / 2 | |
| 1.15.5 | 7 / 2 | |
| 1.15.4 | 7 / 2 | |
| 1.15.3 | 7 / 2 | |
| 1.15.2 | 7 / 2 | |
| 1.15.1 | 7 / 2 | |
| 1.12.2 | 7 / 2 | |
| 1.12.1 | 7 / 2 | |
| 1.12.0 | 7 / 2 | |
| 1.11.4 | 7 / 2 | |
| 1.11.3 | 7 / 2 | |
| 1.11.2 | 7 / 2 | |
| 1.11.1 | 7 / 2 | |
| 1.11.0 | 7 / 2 | |
| 1.10.2 | 7 / 2 | |
| 1.10.1 | 7 / 2 | |
| 1.10.0 | 7 / 2 | |
| 1.9.0 | 7 / 2 | |
| 1.8.11 | 7 / 2 | |
| 1.8.10 | 7 / 2 | |
| 1.8.9 | 7 / 2 | |
| 1.8.8 | 7 / 2 | |
| 1.8.7 | 7 / 2 | |
| 1.8.6 | 7 / 2 | |
| 1.8.5 | 7 / 2 | |
| 1.8.4 | 7 / 2 | |
| 1.8.3 | 7 / 2 | |
| 1.8.2 | 7 / 2 | |
| 1.8.1 | 7 / 2 | |
| 1.8.0 | 7 / 2 | |
| 1.7.3 | 7 / 2 | |
| 1.7.2 | 7 / 2 | |
| 1.7.1 | 7 / 2 | |
| 1.7.0 | 7 / 2 | |
| 1.6.9 | 7 / 2 | |
| 1.6.8 | 7 / 2 | |
v1.16.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.16.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.16.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.15.11
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.15.10
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.15.9
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.15.8
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.15.7
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.15.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.15.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.15.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.15.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.15.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.15.1
17 findings: All previous maintainers (pengyuc_bitgo, dhoffmann, bitgoaaron, mmcshinsky-bitgo, ericcrosson-bitgo, johntzanakakisbitgo, margueriteblair, pranavjain, islamaminbitgo, mkottaichamy, zahin-mohammad, mohammadalfaiyaz_bitgo) were replaced by new maintainers (louib-bitgo, bitgobot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2026-04-08. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (Reported 14 times, once per newly added file.)
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.12.2
4 findings: This version was published by a different npm account than previous versions on 2025-10-02. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (Reported twice, once per newly added file.)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.1
4 findings: This version was published by a different npm account than previous versions on 2025-09-29. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (Reported twice, once per newly added file.)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.0
4 findings: This version was published by a different npm account than previous versions on 2025-09-25. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (Reported twice, once per newly added file.)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.4
2 findings: This version was published by a different npm account than previous versions on 2025-09-03. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.11.2
2 findings: This version was published by a different npm account than previous versions on 2025-08-29. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.11.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.10.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.10.0
4 findings: This version was published by a different npm account than previous versions on 2025-08-14. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (Reported twice, once per newly added file.)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.9.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.11
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.10
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.8
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.7
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.6
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.5
2 findings: This version was published by a different npm account than previous versions on 2025-07-03. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.0
2 findings: This version was published by a different npm account than previous versions on 2025-06-05. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.3
2 findings: This version was published by a different npm account than previous versions on 2025-06-02. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.2
2 findings: This version was published by a different npm account than previous versions on 2025-05-28. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.6.9
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.6.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
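The per-version findings above (publisher changes, the full maintainer turnover at v1.15.1, and the presence or absence of a SLSA v1 provenance attestation) can all be re-derived from the npm registry's packument for the package, which is how a consumer can check them independently of this page. The script below is an added example, not the scanner's own code and not part of BitGoJS. It walks a packument in publish order and emits the same three signals. The document shape it reads (`versions[v]._npmUser`, `versions[v].maintainers`, `versions[v].dist.attestations.provenance.predicateType`, `time[v]`) is the public registry format; the package name, accounts, dates and integrity values in the sample are constructed.

```javascript
// Added example: re-derive publisher-changed, maintainer-takeover and
// no-provenance signals from an npm packument. The sample packument is
// constructed (hypothetical package @example/sdk-coin-demo).

const SLSA_V1 = 'https://slsa.dev/provenance/v1';

// Versions in the order they were actually published, using the registry's
// own timestamps rather than semver: a backport can be published out of order.
function versionsInPublishOrder(packument) {
  return Object.keys(packument.versions).sort(
    (a, b) => Date.parse(packument.time[a]) - Date.parse(packument.time[b]),
  );
}

function auditPackument(packument) {
  const findings = [];
  let prev = null;
  for (const version of versionsInPublishOrder(packument)) {
    const meta = packument.versions[version];
    const publisher = meta._npmUser ? meta._npmUser.name : undefined;
    const maintainers = new Set((meta.maintainers || []).map((m) => m.name));
    const att = meta.dist && meta.dist.attestations;
    const predicate = att && att.provenance && att.provenance.predicateType;

    if (prev) {
      if (publisher !== prev.publisher) {
        findings.push({ version, rule: 'publisher-changed',
          detail: `${prev.publisher} -> ${publisher}` });
      }
      // Complete turnover of the maintainer set is the takeover signal;
      // partial churn (people added or removed) is normal and not flagged.
      const overlap = [...maintainers].filter((m) => prev.maintainers.has(m));
      if (prev.maintainers.size > 0 && maintainers.size > 0 && overlap.length === 0) {
        findings.push({ version, rule: 'maintainer-takeover',
          detail: `${[...prev.maintainers].join(',')} -> ${[...maintainers].join(',')}` });
      }
    }
    // Provenance: absent entirely, or present with an unexpected predicate.
    if (!att) {
      findings.push({ version, rule: 'no-provenance' });
    } else if (predicate !== SLSA_V1) {
      findings.push({ version, rule: 'unexpected-predicate', detail: String(predicate) });
    }
    prev = { publisher, maintainers };
  }
  return findings;
}

// Helper to build one constructed version entry in registry shape.
function versionEntry(publisher, maintainerNames, integrity, attest) {
  const user = (n) => ({ name: n, email: `${n}@example.com` });
  const dist = {
    integrity,
    tarball: 'https://registry.npmjs.org/@example/sdk-coin-demo/-/sdk-coin-demo.tgz',
  };
  if (attest) {
    dist.attestations = {
      url: 'https://registry.npmjs.org/-/npm/v1/attestations/@example%2fsdk-coin-demo',
      provenance: { predicateType: SLSA_V1 },
    };
  }
  return { _npmUser: user(publisher), maintainers: maintainerNames.map(user), dist };
}

// Constructed history: alice publishes, bob takes over publishing, then a
// release bot publishes with provenance after a full maintainer swap.
const SAMPLE_PACKUMENT = {
  name: '@example/sdk-coin-demo',
  time: {
    '1.0.0': '2025-06-01T12:00:00.000Z',
    '1.0.1': '2025-07-01T12:00:00.000Z',
    '1.1.0': '2025-09-01T12:00:00.000Z',
  },
  versions: {
    '1.0.0': versionEntry('alice', ['alice', 'bob'], 'sha512-AAAA', false),
    '1.0.1': versionEntry('bob', ['alice', 'bob'], 'sha512-BBBB', false),
    '1.1.0': versionEntry('release-bot', ['release-bot', 'carol'], 'sha512-CCCC', true),
  },
};

// Sorted rule names fired for one version, convenient for checks and reports.
function rulesFor(findings, version) {
  return findings.filter((f) => f.version === version).map((f) => f.rule).sort();
}
```

Against a real package, fetch the packument from `https://registry.npmjs.org/<name>` and pass the parsed JSON to `auditPackument`; for packages already installed in a project, `npm audit signatures` verifies the registry signatures and any provenance attestations in one step. A `maintainer-takeover` hit is exactly what v1.15.1 of this package shows, and the accepted-risk rationale above (an org-wide CI/CD migration, consistent with the official BitGoJS repository) is the kind of out-of-band evidence needed to close it; the script cannot make that call on its own.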