@bitgo/sdk-coin-xlm
BitGo SDK coin library for Xlm
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-removed | AI (maintainer-change): Mass removal of individual BitGo maintainers consistent with org-wide bot-publisher migration. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): bitgobot addition is part of BitGo org-wide automation rollout, not a takeover. | ai | |
| provenance | publisher-changed | AI (provenance): BitGo org-wide migration to bitgobot publisher; consistent across many approved packages. | ai | |
| phantom-deps | phantom-dep:stellar-sdk | AI (phantom-deps): Declared runtime dep; phantom-dep heuristic fires on indirect usage patterns. | ai | |
| phantom-deps | phantom-dep:bignumber.js | AI (phantom-deps): Declared runtime dep; phantom-dep heuristic fires on indirect usage patterns. | ai | |
| phantom-deps | phantom-dep:@bitgo/sdk-core | AI (phantom-deps): Same-org declared dep; stable false positive for this monorepo package. | ai | |
| phantom-deps | phantom-dep:@bitgo/statics | AI (phantom-deps): Same-org declared dep; stable false positive for this monorepo package. | ai | |
| phantom-deps | phantom-dep:lodash | AI (phantom-deps): Declared runtime dep in BitGo monorepo; phantom-dep heuristic fires on indirect usage patterns. | ai | |
| phantom-deps | phantom-dep:superagent | AI (phantom-deps): Declared runtime dep; phantom-dep heuristic fires on indirect usage patterns. | ai | |
| provenance | no-provenance | AI (provenance): BitGo SDK packages consistently lack Sigstore provenance; stable false positive for this package family. | ai | |
| dependencies | unvetted-dep:@bitgo/sdk-core | AI (dependencies): First-party BitGo monorepo package; stable false positive for this package family. | ai |
Versions (showing 51 of 66)
| Version | Deps | Published |
|---|---|---|
| 3.10.3 | 6 / 2 | |
| 3.10.2 | 6 / 2 | |
| 3.10.1 | 6 / 2 | |
| 3.10.0 | 6 / 2 | |
| 3.9.9 | 6 / 2 | |
| 3.9.8 | 6 / 2 | |
| 3.9.7 | 6 / 2 | |
| 3.9.6 | 6 / 2 | |
| 3.9.5 | 6 / 2 | |
| 3.9.4 | 6 / 2 | |
| 3.9.3 | 6 / 2 | |
| 3.9.2 | 6 / 2 | |
| 3.9.1 | 6 / 2 | |
| 3.9.0 | 6 / 2 | |
| 3.8.9 | 6 / 2 | |
| 3.8.8 | 6 / 2 | |
| 3.8.7 | 6 / 2 | |
| 3.8.6 | 6 / 2 | |
| 3.8.5 | 6 / 2 | |
| 3.8.4 | 6 / 2 | |
| 3.8.3 | 6 / 2 | |
| 3.8.2 | 6 / 2 | |
| 3.8.1 | 6 / 2 | |
| 3.8.0 | 6 / 2 | |
| 3.7.22 | 6 / 2 | |
| 3.7.20 | 6 / 2 | |
| 3.7.19 | 6 / 2 | |
| 3.7.18 | 6 / 2 | |
| 3.7.17 | 6 / 2 | |
| 3.7.16 | 6 / 2 | |
| 3.7.15 | 6 / 2 | |
| 3.7.14 | 6 / 2 | |
| 3.7.13 | 6 / 2 | |
| 3.7.12 | 6 / 2 | |
| 3.7.11 | 6 / 2 | |
| 3.7.10 | 6 / 2 | |
| 3.7.0 | 6 / 2 | |
| 3.6.1 | 6 / 2 | |
| 3.6.0 | 6 / 2 | |
| 3.5.4 | 6 / 2 | |
| 3.5.3 | 6 / 2 | |
| 3.5.2 | 6 / 2 | |
| 3.5.1 | 6 / 2 | |
| 3.5.0 | 6 / 2 | |
| 3.4.15 | 6 / 2 | |
| 3.4.14 | 6 / 2 | |
| 3.4.13 | 6 / 2 | |
| 3.4.12 | 6 / 2 | |
| 3.4.11 | 6 / 2 | |
| 3.4.10 | 6 / 2 | |
| 3.4.9 | 6 / 2 |
v3.10.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.10.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.10.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.10.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.9.9
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.9.8
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.9.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.9.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.9.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.9.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.9.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.9.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.9.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.9.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.8.9
2 findingsThis version was published by a different npm account than previous versions on 2026-03-27. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.8.8
2 findingsThis version was published by a different npm account than previous versions on 2026-03-18. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.8.7
2 findingsThis version was published by a different npm account than previous versions on 2026-03-10. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.8.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.8.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.8.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.8.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.8.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.8.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.8.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.7.22
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.7.20
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.7.19
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.7.18
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.7.17
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.7.16
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.7.15
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.7.14
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.7.13
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.7.12
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.7.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.7.10
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.7.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.6.1
2 findingsThis version was published by a different npm account than previous versions on 2025-09-29. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.0
2 findingsThis version was published by a different npm account than previous versions on 2025-09-25. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.5.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.2
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zahin-mohammad) than the most recent previously approved version (pranavjain) on 2025-08-29, but zahin-mohammad is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.5.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (pranavjain) than the most recent previously approved version (zahin-mohammad) on 2025-08-27, but pranavjain is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.5.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.4.15
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.4.14
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zahin-mohammad) than the most recent previously approved version (mohammadalfaiyaz_bitgo) on 2025-08-19, but zahin-mohammad is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.4.13
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zahin-mohammad) than the most recent previously approved version (mohammadalfaiyaz_bitgo) on 2025-08-14, but zahin-mohammad is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.4.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.