@coinbase/cdp-sdk — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

coinbase-ownercoinbase-npm

Keywords

coinbasecoinbase developer platformcoinbase sdkcdp sdksdkapi

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Coinbase migrated publishing to GitHub Actions CI/CD with SLSA provenance attestation — a deliberate security improvement, not a compromise. Stable for this package going forward.	ai	2026/04/27
semgrep	semgrep:base64-decode	AI (semgrep): Base64 decoding in this SDK is standard cryptographic key handling (DER-to-PEM conversion for jose library). Expected and benign for a wallet/auth SDK.	ai	2026/04/26
semgrep	semgrep:hex-decode	AI (semgrep): Hex decoding is standard private key parsing for a blockchain SDK. Input is validated before decoding. No malicious payload hiding.	ai	2026/04/26

Versions (showing 66 of 66)

Version	Deps	Published
1.49.2	12 / 0	2026-05-13
1.49.1	12 / 0	2026-05-13
1.49.0	12 / 0	2026-05-11
1.48.3	12 / 0	2026-05-08
1.48.2	11 / 0	2026-04-23
1.48.1	11 / 0	2026-04-22
1.48.0	11 / 0	2026-04-17
1.47.0	11 / 0	2026-04-10
1.46.1	11 / 0	2026-03-31
1.46.0	11 / 0	2026-03-31
1.45.0	12 / 0	2026-03-06
1.44.1	12 / 0	2026-02-13
1.44.0	12 / 0	2026-01-29
1.43.1	12 / 0	2026-01-20
1.43.0	12 / 0	2026-01-09
1.42.0	12 / 0	2026-01-09
1.41.0	12 / 0	2026-01-08
1.40.2	12 / 0	2026-01-07
1.40.1	12 / 0	2025-12-10
1.40.0	12 / 0	2025-12-09
1.39.0	12 / 0	2025-12-04
1.38.6	12 / 0	2025-11-14
1.38.5	12 / 0	2025-11-03
1.38.4	12 / 0	2025-10-10
1.38.3	10 / 0	2025-09-26
1.38.2	10 / 0	2025-09-23
1.38.1	10 / 0	2025-09-18
1.38.0	10 / 0	2025-09-10
1.37.0	10 / 0	2025-09-09
1.36.1	10 / 0	2025-09-03
1.36.0	10 / 0	2025-08-19
1.35.0	10 / 0	2025-08-13
1.34.1	10 / 0	2025-08-12
1.34.0	10 / 0	2025-08-07
1.33.0	10 / 0	2025-08-05
1.32.0	10 / 0	2025-08-04
1.31.1	10 / 0	2025-08-01
1.31.0	10 / 0	2025-08-01
1.30.0	9 / 0	2025-07-25
1.29.0	9 / 0	2025-07-23
1.28.0	9 / 0	2025-07-22
1.27.0	9 / 0	2025-07-18
1.26.0	9 / 0	2025-07-16
1.25.0	9 / 0	2025-07-10
1.24.0	9 / 0	2025-07-09
1.23.0	9 / 0	2025-07-08
1.22.0	9 / 0	2025-07-01
1.21.0	8 / 0	2025-06-27
1.20.0	8 / 0	2025-06-26
1.19.0	8 / 0	2025-06-26
1.18.0	8 / 0	2025-06-21
1.17.0	8 / 0	2025-06-20
1.16.0	8 / 0	2025-06-17
1.15.0	8 / 0	2025-06-13
1.14.0	8 / 0	2025-06-11
1.13.0	8 / 0	2025-06-05
1.12.0	8 / 0	2025-06-04
1.11.0	8 / 0	2025-05-30
1.10.0	8 / 0	2025-05-16
1.9.0	8 / 0	2025-05-14
1.8.0	7 / 0	2025-05-09
1.7.0	6 / 0	2025-05-08
1.6.0	6 / 0	2025-05-02
1.5.0	6 / 0	2025-05-01
1.4.0	6 / 0	2025-04-29
1.3.2	6 / 0	2025-04-25

v1.49.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.49.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.49.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.48.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.48.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.48.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.48.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.47.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.46.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.46.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.45.0

2 findings

HIGH Publisher changed: coinbase-npm → GitHub Actions (on 2026-03-06) provenance

This version was published by a different npm account than previous versions on 2026-03-06. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.44.1

2 findings

HIGH Publisher changed: coinbase-npm → GitHub Actions (on 2026-02-13) provenance

This version was published by a different npm account than previous versions on 2026-02-13. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.