@dfinity/identity-secp256k1

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

dayyildiznpm-dfinity-orgbitdivineielashikeplervitaldfn_wndlngdfn-it-ownerg.perez

Keywords

internet computericdfinitycanisterwebauthnidentityprincipaldfxcandidmotokojavascripttypescriptblockchaincryptodistributedapi

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition from individual maintainer to DFINITY org account (dfn-it-owner); consistent with org consolidation, stable going forward.	ai	2026/05/09
dependencies	unvetted-dep:@dfinity/agent	AI (dependencies): @dfinity/agent is a sibling package from the same DFINITY monorepo, always released at matching versions. Not an independent risk for this package.	ai	2026/04/25
provenance	slsa-provenance	AI (provenance): SLSA provenance attestation confirms CI/CD-published release from the DFINITY organization; strong supply chain integrity signal.	ai	2026/04/25

Versions (showing 18 of 18)

Version	Deps	Published
3.4.3	4 / 0	2025-11-19
3.4.2	4 / 0	2025-11-10
3.4.1	4 / 0	2025-10-24
3.4.0	4 / 0	2025-10-22
3.3.1	4 / 0	2025-10-21
3.3.0	4 / 0	2025-10-13
3.2.7	4 / 0	2025-09-30
3.2.6	4 / 0	2025-09-18
3.2.5	4 / 0	2025-09-16
3.2.4	4 / 0	2025-09-02
3.2.3	4 / 0	2025-08-27
3.2.2	4 / 0	2025-08-21
3.2.1	4 / 0	2025-08-13
3.2.0	4 / 0	2025-08-07
3.1.0	4 / 0	2025-07-24
3.0.2	4 / 0	2025-07-23
3.0.1	4 / 0	2025-07-22
3.0.0	4 / 0	2025-07-17

v3.4.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.4.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.4.1

2 findings

HIGH Publisher changed: bitdivine → GitHub Actions (on 2025-10-24) provenance

This version was published by a different npm account than previous versions on 2025-10-24. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.4.0

2 findings

HIGH Publisher changed: bitdivine → dfn-it-owner (on 2025-10-22) provenance

This version was published by a different npm account than previous versions on 2025-10-22. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.3.1

2 findings

HIGH Publisher changed: bitdivine → dfn-it-owner (on 2025-10-21) provenance

This version was published by a different npm account than previous versions on 2025-10-21. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.3.0

2 findings

HIGH Publisher changed: bitdivine → dfn-it-owner (on 2025-10-13) provenance

This version was published by a different npm account than previous versions on 2025-10-13. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.2.7

2 findings

HIGH Publisher changed: bitdivine → dfn-it-owner (on 2025-09-30) provenance

This version was published by a different npm account than previous versions on 2025-09-30. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.2.6

2 findings

HIGH Publisher changed: bitdivine → dfn-it-owner (on 2025-09-18) provenance

This version was published by a different npm account than previous versions on 2025-09-18. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.2.5

2 findings

HIGH Publisher changed: bitdivine → dfn-it-owner (on 2025-09-16) provenance

This version was published by a different npm account than previous versions on 2025-09-16. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.2.4

2 findings

HIGH Publisher changed: bitdivine → dfn-it-owner (on 2025-09-02) provenance

This version was published by a different npm account than previous versions on 2025-09-02. This could indicate a legitimate maintainer transition or an account compromise.