@chain-registry/utils
Chain Registry Utils
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@keplr-wallet/crypto | AI (dependencies): @keplr-wallet/crypto is a well-known cryptographic library from the Keplr wallet team, a major Cosmos ecosystem project. Its use in chain-registry utils is expected and appropriate. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Part of a large, established monorepo (cosmology-tech/chain-registry) by a trusted publisher; sparse README and missing keywords are cosmetic, not indicative of spam. | ai | |
| dependencies | unvetted-dep:@chain-registry/types | AI (dependencies): @chain-registry/types is a sibling package in the same hyperweb-io/chain-registry monorepo, published by the same trusted author (pyramation). Unvetted status is transient and expected for co-released packages. | ai | |
| dependencies | unvetted-dep:chain-registry | AI (dependencies): chain-registry is a sibling package in the same hyperweb-io/chain-registry monorepo, published by the same trusted author (pyramation). Unvetted status is transient and expected for co-released packages. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): chain-registry is a sibling package in the same hyperweb-io/chain-registry monorepo, published by the same maintainer. Intra-monorepo dependency additions are expected and low-risk for this package. | ai | |
| phantom-deps | phantom-dep:chain-registry | AI (phantom-deps): chain-registry is a sibling monorepo package; indirect/config usage without direct import is a common pattern in this ecosystem. | ai | |
| license | uncommon-license:SEE LICENSE IN LICENSE | AI (license): Standard npm pattern referencing a LICENSE file; common in open-source projects and not a security concern. | ai | |
| provenance | no-provenance | AI (provenance): Package predates widespread provenance adoption; publisher has strong track record. Stable false positive for this package. | ai |
Versions (showing 100 of 841)
v1.51.377
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.51.376
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.51.375
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.51.374
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.51.373
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.51.372
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.51.371
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.51.370
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.51.369
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.51.368
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.51.367
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.51.366
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.51.365
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.51.364
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.51.363
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.51.362
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.51.361
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.51.360
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.51.359
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.51.358
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.51.357
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.51.356
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.51.355
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.51.354
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.51.353
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.51.352
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.51.351
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.51.350
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.51.349
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.51.348
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.51.347
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.