@bitgo/sdk-core
core library functions for BitGoJS
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/src/bitgo/utils/tss/recipientUtils.js | AI (source-diff): Readable compiled source with clear business logic; long lines are bundler output. | ai | |
| source-diff | obfuscated-file:dist/test/unit/bitgo/utils/tss/recipientUtils.js | AI (source-diff): TypeScript-compiled test file; long lines are bundler output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/bitgo/wallet/getResourceDelegations.js | AI (source-diff): Standard tsc-compiled test output; long lines are test data, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/coins/ofc.js | AI (source-diff): Compiled TypeScript test file with standard CJS boilerplate; not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/test/unit/bitgo/utils/tss/baseTSSUtils.js | AI (source-diff): Compiled TypeScript test file; long lines are test data/fixtures, not obfuscation. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/test/unit/account-lib/mpc/util.js | AI (source-diff): Compiled TypeScript test output; sample shows readable unit test code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/bitgo/errors.js | AI (source-diff): Compiled TypeScript test file with inline hex strings; not obfuscated code. Pattern is stable for this package's build output. | ai | |
| source-diff | obfuscated-file:dist/src/coins/fiatinr.js | AI (source-diff): Standard TypeScript-compiled CJS output; readable source, not obfuscated. Long-line heuristic false positive on compiled JS. | ai | |
| source-diff | obfuscated-file:dist/src/bitgo/walletUtil/utxoMessageProof.js | AI (source-diff): Standard tsc-compiled output with TypeScript boilerplate; long lines are normal for generated crypto/serialization code in this package. | ai | |
| provenance | publisher-changed | AI (provenance): pranavjain is an established BitGo publisher (230 approved, 0 rejected); routine team rotation for this org. | ai | |
| source-diff | obfuscated-file:dist/src/bitgo/walletUtil/midnightMessageProvider.js | AI (source-diff): Standard tsc-compiled CJS output; long lines from TypeScript boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/src/bitgo/evm/evmUtils.js | AI (source-diff): Standard tsc-compiled CJS output; long lines from TypeScript boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/src/bitgo/walletUtil/signAccountBasedMidnightClaimMessages.js | AI (source-diff): Standard tsc-compiled CJS output; long lines from TypeScript boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/bitgo/wallet/walletEvmAddressCreation.js | AI (source-diff): Standard tsc-compiled CJS test output; long lines from TypeScript boilerplate, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/bitgo/wallet/walletsEvmKeyring.js | AI (source-diff): Standard tsc-compiled CJS test output; long lines from TypeScript boilerplate, not obfuscation. | ai | |
| dependencies | unvetted-dep:@bitgo/sdk-lib-mpc | AI (dependencies): BitGo-maintained MPC library; stable dependency across many approved versions of this package. | ai | |
| dependencies | unvetted-dep:noble-bls12-381 | AI (dependencies): Well-known noble crypto library; pinned version, no advisory, stable across versions. | ai | |
| dependencies | unvetted-dep:@bitgo/sjcl | AI (dependencies): BitGo-maintained fork of sjcl; stable dependency across many approved versions of this package. | ai | |
| source-diff | obfuscated-file:dist/test/unit/bitgo/wallet/resourceManagement.js | AI (source-diff): Standard tsc-compiled test file; long lines from test fixture data, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/bitgo/utils/tss/eddsa/eddsaMPCv2.js | AI (source-diff): Standard tsc-compiled test file; long lines from test fixture data, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/bitgo/wallet/walletOptionsCodecs.js | AI (source-diff): Standard tsc-compiled test file; long lines from test fixture data, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/bitgo/trading/tradingAccount.js | AI (source-diff): Standard tsc-compiled test file; long lines from test fixture data, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/src/bitgo/tss/eddsa/eddsaMPCv2.js | AI (source-diff): TypeScript-compiled output with readable logic; long lines from data literals, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/test/unit/bitgo/wallet/ofcWalletSignTransaction.js | AI (source-diff): Standard tsc-compiled test file; long lines from test fixture data, not obfuscation. | ai | |
| phantom-deps | phantom-dep:@types/superagent | AI (phantom-deps): @types/superagent is a type declaration for superagent which is a direct runtime dep; stable false positive for this package. | ai | |
Versions (showing 51 of 56)
| Version | Deps | Published |
|---|---|---|
| 37.3.0 | 30 / 5 | |
| 37.2.0 | 30 / 5 | |
| 37.1.0 | 30 / 5 | |
| 37.0.0 | 30 / 5 | |
| 36.44.0 | 30 / 5 | |
| 36.43.0 | 30 / 5 | |
| 36.42.0 | 30 / 5 | |
| 36.41.0 | 30 / 5 | |
| 36.40.0 | 30 / 5 | |
| 36.39.0 | 30 / 5 | |
| 36.38.0 | 30 / 5 | |
| 36.37.0 | 30 / 5 | |
| 36.36.0 | 30 / 5 | |
| 36.35.0 | 30 / 5 | |
| 36.34.0 | 30 / 5 | |
| 36.33.2 | 30 / 5 | |
| 36.33.1 | 30 / 5 | |
| 36.33.0 | 30 / 5 | |
| 36.32.0 | 30 / 5 | |
| 36.31.1 | 30 / 5 | |
| 36.31.0 | 30 / 5 | |
| 36.30.0 | 30 / 5 | |
| 36.29.0 | 30 / 5 | |
| 36.27.0 | 30 / 5 | |
| 36.26.0 | 31 / 5 | |
| 36.25.0 | 31 / 5 | |
| 36.24.0 | 31 / 5 | |
| 36.23.2 | 31 / 5 | |
| 36.23.1 | 31 / 5 | |
| 36.23.0 | 31 / 5 | |
| 36.22.0 | 31 / 5 | |
| 36.21.0 | 31 / 5 | |
| 36.20.1 | 31 / 5 | |
| 36.20.0 | 31 / 5 | |
| 36.19.0 | 31 / 5 | |
| 36.18.0 | 31 / 5 | |
| 36.17.0 | 31 / 5 | |
| 36.16.0 | 31 / 5 | |
| 36.15.0 | 31 / 5 | |
| 36.14.0 | 31 / 5 | |
| 36.13.0 | 31 / 5 | |
| 36.12.0 | 31 / 5 | |
| 36.11.0 | 31 / 5 | |
| 36.10.1 | 31 / 5 | |
| 36.10.0 | 31 / 5 | |
| 36.9.0 | 31 / 5 | |
| 36.8.0 | 31 / 5 | |
| 36.7.0 | 31 / 5 | |
| 36.6.1 | 31 / 5 | |
| 36.6.0 | 31 / 5 | |
| 36.5.0 | 31 / 5 | |
v37.3.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v37.2.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v37.1.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v37.0.0
7 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v36.44.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v36.43.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v36.42.0
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v36.41.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v36.40.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v36.39.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v36.38.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v36.37.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v36.36.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v36.35.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v36.34.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v36.33.2
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v36.33.1
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v36.33.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v36.32.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v36.31.1
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v36.31.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v36.30.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v36.29.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v36.27.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v36.26.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v36.25.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v36.24.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v36.23.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v36.23.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v36.23.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v36.22.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v36.21.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v36.20.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v36.20.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v36.19.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v36.18.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v36.17.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v36.16.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v36.15.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v36.14.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v36.13.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v36.12.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v36.11.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v36.10.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v36.10.0
7 findings
This version was published by a different npm account than previous versions on 2025-09-29. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v36.9.0
7 findings
This version was published by a different npm account than previous versions on 2025-09-25. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v36.8.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v36.7.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v36.6.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v36.6.0
2 findings
This version was published by a different npm account than previous versions on 2025-08-27. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v36.5.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.