@chain-registry/workflows
Chain Registry Workflows
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:schema-typescript | AI (dependencies): schema-typescript is a companion tooling package in the same ecosystem; consistent with the package's TypeScript code generation workflow. | ai | |
| dependencies | unvetted-dep:json-schema-patch | AI (dependencies): json-schema-patch is a pinned utility dependency used in chain-registry workflows; no security concerns identified. | ai | |
| dependencies | unvetted-dep:file-ts | AI (dependencies): file-ts appears to be a companion package in the same ecosystem by the same publisher (pyramation); stable tooling dependency for chain-registry workflows. | ai | |
| dependencies | unvetted-dep:strfy-js | AI (dependencies): strfy-js is a utility package consistent with the chain-registry build toolchain by the same publisher; no malicious signals. | ai | |
| phantom-deps | phantom-dep:bignumber.js | AI (phantom-deps): bignumber.js is declared in package.json dependencies; phantom flag reflects config-driven usage pattern typical of this package. | ai | |
| phantom-deps | phantom-dep:sha.js | AI (phantom-deps): sha.js is declared in package.json dependencies; phantom flag is a static analysis artifact for this workflow/build-tooling package. | ai | |
| phantom-deps | phantom-dep:file-ts | AI (phantom-deps): file-ts is declared in package.json dependencies; phantom flag reflects config-driven usage pattern typical of this package. | ai | |
| phantom-deps | phantom-dep:minimatch | AI (phantom-deps): minimatch is declared in package.json dependencies; phantom flag is a static analysis artifact for this workflow/build-tooling package. | ai | |
| dependencies | unvetted-dep:@chain-registry/interfaces | AI (dependencies): First-party dependency from the same chain-registry monorepo; not a third-party risk. | ai | |
| provenance | no-provenance | AI (provenance): Established publisher with 4093 approved versions; lack of provenance is consistent across the entire chain-registry ecosystem and is not a meaningful risk signal here. | ai |
Versions (showing 100 of 233)
| Version | Deps | Published |
|---|---|---|
| 1.53.359 | 13 / 2 | |
| 1.53.358 | 13 / 2 | |
| 1.53.357 | 13 / 2 | |
| 1.53.356 | 13 / 2 | |
| 1.53.355 | 13 / 2 | |
| 1.53.354 | 13 / 2 | |
| 1.53.353 | 13 / 2 | |
| 1.53.352 | 13 / 2 | |
| 1.53.351 | 13 / 2 | |
| 1.53.350 | 13 / 2 | |
| 1.53.349 | 13 / 2 | |
| 1.53.348 | 13 / 2 | |
| 1.53.347 | 13 / 2 | |
| 1.53.346 | 13 / 2 | |
| 1.53.345 | 13 / 2 | |
| 1.53.344 | 13 / 2 | |
| 1.53.343 | 13 / 2 | |
| 1.53.342 | 13 / 2 | |
| 1.53.341 | 13 / 2 | |
| 1.53.340 | 13 / 2 | |
| 1.53.339 | 13 / 2 | |
| 1.53.338 | 13 / 2 | |
| 1.53.337 | 13 / 2 | |
| 1.53.336 | 13 / 2 | |
| 1.53.335 | 13 / 2 | |
| 1.53.334 | 13 / 2 | |
| 1.53.333 | 13 / 2 | |
| 1.53.332 | 13 / 2 | |
| 1.53.331 | 13 / 2 | |
| 1.53.330 | 13 / 2 | |
| 1.53.329 | 13 / 2 | |
| 1.53.328 | 13 / 2 | |
| 1.53.327 | 13 / 2 | |
| 1.53.326 | 13 / 2 | |
| 1.53.325 | 13 / 2 | |
| 1.53.324 | 13 / 2 | |
| 1.53.323 | 13 / 2 | |
| 1.53.322 | 13 / 2 | |
| 1.53.321 | 13 / 2 | |
| 1.53.320 | 13 / 2 | |
| 1.53.319 | 13 / 2 | |
| 1.53.318 | 13 / 2 | |
| 1.53.317 | 13 / 2 | |
| 1.53.316 | 13 / 2 | |
| 1.53.315 | 13 / 2 | |
| 1.53.313 | 13 / 2 | |
| 1.53.312 | 13 / 2 | |
| 1.53.311 | 13 / 2 | |
| 1.53.310 | 13 / 2 | |
| 1.53.309 | 13 / 2 | |
| 1.53.308 | 13 / 2 | |
| 1.53.307 | 13 / 2 | |
| 1.53.306 | 13 / 2 | |
| 1.53.305 | 13 / 2 | |
| 1.53.304 | 13 / 2 | |
| 1.53.303 | 13 / 2 | |
| 1.53.302 | 13 / 2 | |
| 1.53.301 | 13 / 2 | |
| 1.53.300 | 13 / 2 | |
| 1.53.299 | 13 / 2 | |
| 1.53.298 | 13 / 2 | |
| 1.53.297 | 13 / 2 | |
| 1.53.296 | 13 / 2 | |
| 1.53.295 | 13 / 2 | |
| 1.53.294 | 13 / 2 | |
| 1.53.293 | 13 / 2 | |
| 1.53.292 | 13 / 2 | |
| 1.53.291 | 13 / 2 | |
| 1.53.290 | 13 / 2 | |
| 1.53.289 | 13 / 2 | |
| 1.53.288 | 13 / 2 | |
| 1.53.287 | 13 / 2 | |
| 1.53.286 | 13 / 2 | |
| 1.53.285 | 13 / 2 | |
| 1.53.284 | 13 / 2 | |
| 1.53.283 | 13 / 2 | |
| 1.53.282 | 13 / 2 | |
| 1.53.281 | 13 / 2 | |
| 1.53.280 | 13 / 2 | |
| 1.53.279 | 13 / 2 | |
| 1.53.278 | 13 / 2 | |
| 1.53.277 | 13 / 2 | |
| 1.53.276 | 13 / 2 | |
| 1.53.275 | 13 / 2 | |
| 1.53.274 | 13 / 2 | |
| 1.53.273 | 13 / 2 | |
| 1.53.272 | 13 / 2 | |
| 1.53.271 | 13 / 2 | |
| 1.53.270 | 13 / 2 | |
| 1.53.269 | 13 / 2 | |
| 1.53.268 | 13 / 2 | |
| 1.53.267 | 13 / 2 | |
| 1.53.266 | 13 / 2 | |
| 1.53.264 | 13 / 2 | |
| 1.53.263 | 13 / 2 | |
| 1.53.262 | 13 / 2 | |
| 1.53.261 | 13 / 2 | |
| 1.53.260 | 13 / 2 | |
| 1.53.259 | 13 / 2 | |
| 1.53.258 | 13 / 2 |
v1.53.359
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.358
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.357
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.356
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.355
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.354
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.353
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.352
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.351
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.350
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.349
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.348
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.347
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.346
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.345
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.344
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.343
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.342
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.341
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.339
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.338
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.337
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.336
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.335
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.334
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.333
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.332
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.331
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.330
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.329
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.328
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.327
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.326
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.325
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.324
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.323
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.322
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.321
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.320
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.319
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.318
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.317
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.316
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.315
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.313
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.311
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.310
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.309
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.308
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.307
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.306
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.305
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.304
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.303
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.302
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.301
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.300
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.299
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.298
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.297
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.296
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.295
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.294
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.293
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.292
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.291
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.290
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.289
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.288
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.287
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.286
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.285
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.284
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.283
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.282
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.281
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.280
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.279
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.278
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.277
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.276
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.275
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.274
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.273
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.272
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.270
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.269
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.268
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.267
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.266
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.264
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.263
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.262
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.261
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.260
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.259
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.258
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.