@cheqd/sdk
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@cosmjs/proto-signing-cjs | AI (dependencies): CJS alias of @cosmjs/proto-signing; standard dual-build pattern for this package, reputable upstream. | ai | |
| dependencies | unvetted-dep:@cosmjs/tendermint-rpc-cjs | AI (dependencies): CJS alias of @cosmjs/tendermint-rpc; standard dual-build pattern for this package, reputable upstream. | ai | |
| phantom-deps | phantom-dep:@types/secp256k1 | AI (phantom-deps): Type-only package loaded by convention; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/secp256k1-cjs | AI (phantom-deps): CJS alias of @types/secp256k1; type-only, loaded by convention. | ai | |
| dependencies | unvetted-dep:secp256k1-cjs | AI (dependencies): npm alias for well-known 'secp256k1' package; CJS dual-format packaging pattern stable for this package. | ai | |
| dependencies | unvetted-dep:@cheqd/ts-proto | AI (dependencies): First-party cheqd package; stable for this package. | ai | |
| dependencies | unvetted-dep:uint8arrays-cjs | AI (dependencies): npm alias for well-known 'uint8arrays' package; CJS dual-format packaging pattern stable for this package. | ai | |
| dependencies | unvetted-dep:@cosmjs/math-cjs | AI (dependencies): npm alias for well-known '@cosmjs/math'; CJS dual-format packaging pattern stable for this package. | ai | |
| dependencies | unvetted-dep:cosmjs-types-cjs | AI (dependencies): npm alias for well-known 'cosmjs-types'; CJS dual-format packaging pattern stable for this package. | ai | |
| dependencies | unvetted-dep:did-resolver-cjs | AI (dependencies): npm alias for well-known 'did-resolver'; CJS dual-format packaging pattern stable for this package. | ai | |
| dependencies | unvetted-dep:multiformats-cjs | AI (dependencies): npm alias for well-known 'multiformats'; CJS dual-format packaging pattern stable for this package. | ai | |
| dependencies | unvetted-dep:@cosmjs/amino-cjs | AI (dependencies): npm alias for well-known '@cosmjs/amino'; CJS dual-format packaging pattern stable for this package. | ai | |
| dependencies | unvetted-dep:long-cjs | AI (dependencies): npm alias for well-known 'long' package; CJS dual-format packaging pattern stable for this package. | ai | |
| dependencies | unvetted-dep:@cosmjs/crypto-cjs | AI (dependencies): npm alias for well-known '@cosmjs/crypto'; CJS dual-format packaging pattern stable for this package. | ai | |
| dependencies | unvetted-dep:@cheqd/ts-proto-cjs | AI (dependencies): npm alias for first-party '@cheqd/ts-proto'; CJS dual-format packaging pattern stable for this package. | ai | |
| dependencies | unvetted-dep:@cosmjs/encoding-cjs | AI (dependencies): npm alias for well-known '@cosmjs/encoding'; CJS dual-format packaging pattern stable for this package. | ai | |
| dependencies | unvetted-dep:@cosmjs/stargate-cjs | AI (dependencies): npm alias for well-known '@cosmjs/stargate'; CJS dual-format packaging pattern stable for this package. | ai | |
| dependencies | unvetted-dep:@types/secp256k1-cjs | AI (dependencies): npm alias for '@types/secp256k1'; type-only package, CJS dual-format pattern stable for this package. | ai | |
| dependencies | unvetted-dep:@stablelib/ed25519-cjs | AI (dependencies): npm alias for well-known '@stablelib/ed25519'; CJS dual-format packaging pattern stable for this package. | ai | |
| dependencies | unvetted-dep:exponential-backoff-cjs | AI (dependencies): npm alias for well-known 'exponential-backoff'; CJS dual-format packaging pattern stable for this package. | ai | |
| dependencies | unvetted-dep:@cosmjs/utils-cjs | AI (dependencies): npm alias for well-known '@cosmjs/utils'; CJS dual-format packaging pattern stable for this package. | ai | |
| dependencies | unvetted-dep:uuid-cjs | AI (dependencies): npm alias for well-known 'uuid' package; CJS dual-format packaging pattern stable for this package. | ai | |
| dependencies | unvetted-dep:did-jwt-cjs | AI (dependencies): npm alias for well-known 'did-jwt' package; CJS dual-format packaging pattern stable for this package. | ai | |
| dependencies | unvetted-dep:file-type-cjs | AI (dependencies): npm alias for well-known 'file-type' package; CJS dual-format packaging pattern stable for this package. | ai | |
Versions (showing 9 of 9)
| Version | Deps | Published |
|---|---|---|
| 5.5.0 | 41 / 20 | |
| 5.4.9 | 41 / 20 | |
| 5.4.4 | 41 / 20 | |
| 5.4.1 | 41 / 20 | |
| 5.4.0 | 41 / 20 | |
| 5.3.7 | 41 / 20 | |
| 5.3.1 | 41 / 20 | |
| 5.3.0 | 41 / 20 | |
| 5.2.2 | 41 / 20 | |
v5.4.9
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.4.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.4.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.4.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.3.7
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.3.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.3.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.2.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.