@chain-registry/workflows
Chain Registry Workflows
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:schema-typescript | AI (dependencies): schema-typescript is a companion tooling package in the same ecosystem; consistent with the package's TypeScript code generation workflow. | ai | |
| dependencies | unvetted-dep:json-schema-patch | AI (dependencies): json-schema-patch is a pinned utility dependency used in chain-registry workflows; no security concerns identified. | ai | |
| dependencies | unvetted-dep:file-ts | AI (dependencies): file-ts appears to be a companion package in the same ecosystem by the same publisher (pyramation); stable tooling dependency for chain-registry workflows. | ai | |
| dependencies | unvetted-dep:strfy-js | AI (dependencies): strfy-js is a utility package consistent with the chain-registry build toolchain by the same publisher; no malicious signals. | ai | |
| phantom-deps | phantom-dep:bignumber.js | AI (phantom-deps): bignumber.js is declared in package.json dependencies; phantom flag reflects config-driven usage pattern typical of this package. | ai | |
| phantom-deps | phantom-dep:sha.js | AI (phantom-deps): sha.js is declared in package.json dependencies; phantom flag is a static analysis artifact for this workflow/build-tooling package. | ai | |
| phantom-deps | phantom-dep:file-ts | AI (phantom-deps): file-ts is declared in package.json dependencies; phantom flag reflects config-driven usage pattern typical of this package. | ai | |
| phantom-deps | phantom-dep:minimatch | AI (phantom-deps): minimatch is declared in package.json dependencies; phantom flag is a static analysis artifact for this workflow/build-tooling package. | ai | |
| dependencies | unvetted-dep:@chain-registry/interfaces | AI (dependencies): First-party dependency from the same chain-registry monorepo; not a third-party risk. | ai | |
| provenance | no-provenance | AI (provenance): Established publisher with 4093 approved versions; lack of provenance is consistent across the entire chain-registry ecosystem and is not a meaningful risk signal here. | ai | |
Versions (showing 51 of 233)
| Version | Deps | Published |
|---|---|---|
| 1.53.359 | 13 / 2 | |
| 1.53.358 | 13 / 2 | |
| 1.53.357 | 13 / 2 | |
| 1.53.356 | 13 / 2 | |
| 1.53.355 | 13 / 2 | |
| 1.53.354 | 13 / 2 | |
| 1.53.353 | 13 / 2 | |
| 1.53.352 | 13 / 2 | |
| 1.53.351 | 13 / 2 | |
| 1.53.350 | 13 / 2 | |
| 1.53.349 | 13 / 2 | |
| 1.53.348 | 13 / 2 | |
| 1.53.347 | 13 / 2 | |
| 1.53.346 | 13 / 2 | |
| 1.53.345 | 13 / 2 | |
| 1.53.344 | 13 / 2 | |
| 1.53.343 | 13 / 2 | |
| 1.53.342 | 13 / 2 | |
| 1.53.341 | 13 / 2 | |
| 1.53.340 | 13 / 2 | |
| 1.53.339 | 13 / 2 | |
| 1.53.338 | 13 / 2 | |
| 1.53.337 | 13 / 2 | |
| 1.53.336 | 13 / 2 | |
| 1.53.335 | 13 / 2 | |
| 1.53.334 | 13 / 2 | |
| 1.53.333 | 13 / 2 | |
| 1.53.332 | 13 / 2 | |
| 1.53.331 | 13 / 2 | |
| 1.53.330 | 13 / 2 | |
| 1.53.329 | 13 / 2 | |
| 1.53.328 | 13 / 2 | |
| 1.53.327 | 13 / 2 | |
| 1.53.326 | 13 / 2 | |
| 1.53.325 | 13 / 2 | |
| 1.53.324 | 13 / 2 | |
| 1.53.323 | 13 / 2 | |
| 1.53.322 | 13 / 2 | |
| 1.53.321 | 13 / 2 | |
| 1.53.320 | 13 / 2 | |
| 1.53.319 | 13 / 2 | |
| 1.53.318 | 13 / 2 | |
| 1.53.317 | 13 / 2 | |
| 1.53.316 | 13 / 2 | |
| 1.53.315 | 13 / 2 | |
| 1.53.313 | 13 / 2 | |
| 1.53.312 | 13 / 2 | |
| 1.53.311 | 13 / 2 | |
| 1.53.310 | 13 / 2 | |
| 1.53.309 | 13 / 2 | |
| 1.53.308 | 13 / 2 | |
v1.53.359
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.358
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.357
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.356
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.355
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.354
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.353
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.352
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.351
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.350
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.349
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.348
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.347
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.346
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.345
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.344
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.343
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.342
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.341
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.339
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.338
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.337
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.336
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.335
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.334
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.333
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.332
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.331
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.330
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.329
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.328
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.327
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.326
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.325
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.324
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.323
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.322
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.321
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.320
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.319
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.318
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.317
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.316
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.315
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.313
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.311
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.310
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.309
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.308
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.