@bitgo/sdk-coin-ton
BitGo SDK coin library for Ton
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | encoded-string-file:dist/test/unit/transferBuilder.js | AI (source-diff): Long base64 strings are TON transaction test vectors; expected pattern for blockchain SDK test fixtures. | ai | |
| source-diff | obfuscated-file:dist/src/lib/tonWhalesVestingWithdrawBuilder.js | AI (source-diff): Standard tsc output with inline sourcemap; readable class logic, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/tonWhalesVestingWithdrawBuilder.js | AI (source-diff): Standard tsc-compiled test file with inline sourcemap; no malicious content. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Mass removal consistent with BitGo consolidating to CI bot publishing; not indicative of takeover. | ai | |
| source-diff | obfuscated-file:dist/src/lib/tokenTransferBuilder.js | AI (source-diff): Readable TypeScript-compiled output; long lines from builder pattern, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/src/lib/tokenTransaction.js | AI (source-diff): Readable TypeScript-compiled output; long lines from tonweb cell serialization, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/src/jettonToken.js | AI (source-diff): Readable TypeScript-compiled output; long lines from serialization logic, not obfuscation. Stable pattern for this package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): bitgobot addition is consistent with BitGo monorepo CI bot consolidation pattern. | ai | |
| source-diff | encoded-string-file:dist/test/resources/ton.js | AI (source-diff): Long strings are TON transaction blobs and test fixture data, not obfuscated payloads. | ai | |
| source-diff | obfuscated-file:dist/src/lib/utils.js | AI (source-diff): Standard tsc-compiled output; readable class code, no obfuscation. | ai | |
| source-diff | obfuscated-file:dist/src/lib/transactionBuilderFactory.js | AI (source-diff): Standard tsc-compiled output; readable class code, no obfuscation. | ai | |
| source-diff | obfuscated-file:dist/src/lib/transactionBuilder.js | AI (source-diff): Standard tsc-compiled output; readable class code, no obfuscation. | ai | |
| source-diff | obfuscated-file:dist/src/lib/transaction.js | AI (source-diff): Standard tsc-compiled output; readable class code, no obfuscation. | ai | |
| source-diff | obfuscated-file:dist/src/lib/keyPair.js | AI (source-diff): Standard tsc-compiled output; readable class code, no obfuscation. | ai | |
| source-diff | obfuscated-file:dist/src/ton.js | AI (source-diff): Standard tsc-compiled output; readable class code, no obfuscation. | ai | |
| provenance | publisher-changed | AI (provenance): pranavjain is an established BitGo publisher (321 approved, 0 rejected); routine team rotation within the org. | ai | |
| source-diff | encoded-string-file:dist/test/unit/singleNominatorWithdrawBuilder.js | AI (source-diff): Long strings are serialized TON transaction test fixtures (te6cck... BOC format), not payloads. | ai | |
| source-diff | obfuscated-file:dist/src/lib/explainTransactionWasm.js | AI (source-diff): Standard tsc CommonJS output with readable logic; long lines are TypeScript boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/explainTransactionWasm.js | AI (source-diff): Standard tsc CommonJS output; long lines are TypeScript boilerplate helpers. | ai | |
| source-diff | obfuscated-file:dist/test/unit/wasmCrossCompatibility.js | AI (source-diff): Standard tsc CommonJS output; long lines are TypeScript boilerplate helpers. | ai | |
| source-diff | encoded-string-file:dist/src/lib/constants.js | AI (source-diff): Long string is TON vesting contract bytecode (base64 BOC), a legitimate domain constant. | ai | |
| source-diff | encoded-string-file:dist/src/lib/constants.d.ts | AI (source-diff): Same TON contract BOC constant in the TypeScript declaration file; benign. | ai | |
| source-diff | encoded-string-file:dist/test/unit/ton.js | AI (source-diff): Long strings are encrypted key fixtures and TON transaction BOC data used in unit tests. | ai | |
| phantom-deps | phantom-dep:lodash | AI (phantom-deps): Monorepo package; deps referenced in config files are a stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:bn.js | AI (phantom-deps): Monorepo package; deps referenced in config files are a stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@bitgo/sdk-lib-mpc | AI (phantom-deps): Same-org monorepo dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@bitgo/sdk-core | AI (phantom-deps): Same-org monorepo dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@bitgo/statics | AI (phantom-deps): Same-org monorepo dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:bignumber.js | AI (phantom-deps): Monorepo package; deps referenced in config files are a stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:tweetnacl | AI (phantom-deps): Monorepo package; deps referenced in config files are a stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:tonweb | AI (phantom-deps): Monorepo package; deps referenced in config files are a stable false positive for this package. | ai | |
| provenance | no-provenance | AI (provenance): BitGo SDK packages consistently publish without Sigstore provenance; stable pattern across all versions. | ai | |
| dependencies | unvetted-dep:@bitgo/sdk-lib-mpc | AI (dependencies): Internal BitGo MPC library; expected for this package. | ai | |
| dependencies | unvetted-dep:tonweb | AI (dependencies): Standard TON blockchain JS library; expected dependency for TON coin support. | ai | |
| dependencies | unvetted-dep:@bitgo/wasm-ton | AI (dependencies): BitGo-owned WASM binding for TON; expected for this coin SDK. | ai | |
| dependencies | unvetted-dep:@bitgo/sdk-core | AI (dependencies): Core BitGo SDK dep; expected for all @bitgo/sdk-coin-* packages. | ai |
Versions (showing 51 of 76)
| Version | Deps | Published |
|---|---|---|
| 3.20.4 | 9 / 2 | |
| 3.20.3 | 9 / 2 | |
| 3.20.2 | 9 / 2 | |
| 3.20.1 | 9 / 2 | |
| 3.20.0 | 9 / 2 | |
| 3.19.8 | 9 / 2 | |
| 3.19.7 | 9 / 2 | |
| 3.19.6 | 9 / 2 | |
| 3.19.5 | 9 / 2 | |
| 3.19.4 | 9 / 2 | |
| 3.19.3 | 9 / 2 | |
| 3.19.2 | 9 / 2 | |
| 3.19.1 | 9 / 2 | |
| 3.19.0 | 9 / 2 | |
| 3.18.0 | 8 / 2 | |
| 3.17.1 | 8 / 2 | |
| 3.17.0 | 8 / 2 | |
| 3.16.4 | 8 / 2 | |
| 3.16.3 | 8 / 2 | |
| 3.16.2 | 8 / 2 | |
| 3.16.1 | 8 / 2 | |
| 3.16.0 | 8 / 2 | |
| 3.15.1 | 8 / 2 | |
| 3.15.0 | 8 / 2 | |
| 3.14.0 | 8 / 2 | |
| 3.13.3 | 8 / 2 | |
| 3.13.1 | 8 / 2 | |
| 3.13.0 | 8 / 2 | |
| 3.12.0 | 8 / 2 | |
| 3.11.5 | 8 / 2 | |
| 3.11.4 | 8 / 2 | |
| 3.11.3 | 8 / 2 | |
| 3.11.2 | 8 / 2 | |
| 3.11.1 | 8 / 2 | |
| 3.11.0 | 8 / 2 | |
| 3.10.5 | 8 / 2 | |
| 3.10.4 | 8 / 2 | |
| 3.10.3 | 8 / 2 | |
| 3.10.2 | 8 / 2 | |
| 3.10.1 | 8 / 2 | |
| 3.10.0 | 8 / 2 | |
| 3.9.7 | 8 / 2 | |
| 3.9.6 | 8 / 2 | |
| 3.9.5 | 8 / 2 | |
| 3.9.4 | 8 / 2 | |
| 3.9.3 | 8 / 2 | |
| 3.9.2 | 8 / 2 | |
| 3.9.1 | 8 / 2 | |
| 3.9.0 | 8 / 2 | |
| 3.8.4 | 8 / 2 | |
| 3.8.3 | 8 / 2 |
v3.20.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.20.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.20.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.20.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.20.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.19.8
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.19.7
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.19.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.19.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.19.4
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 10 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.19.3
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 10 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.19.2
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 10 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.19.1
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 10 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.19.0
8 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 10 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.18.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.17.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.17.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.16.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.16.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.16.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.16.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.16.0
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Modified file contains 13 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.15.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.15.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.14.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.13.3
2 findings
Modified file contains 13 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.13.1
2 findings
Modified file contains 13 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.13.0
2 findings
Modified file contains 13 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.12.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.11.5
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.11.4
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.11.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.11.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.11.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.11.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.10.5
2 findings
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.4
2 findings
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.10.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.10.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.10.0
3 findings
Modified file contains 10 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.9.7
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.9.6
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.9.5
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.9.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.9.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.9.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.9.1
5 findings
This version was published by a different npm account than previous versions on 2025-09-29. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.9.0
5 findings
This version was published by a different npm account than previous versions on 2025-09-25. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.8.4
2 findings
This version was published by a different npm account than previous versions on 2025-09-03. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.8.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.