@easylayer/bitcoin — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

easylayer

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:rxjs	AI (phantom-deps): rxjs is a standard NestJS peer/implicit dep; not directly imported but legitimately used.	ai	2026/05/29
phantom-deps	phantom-dep:lodash	AI (phantom-deps): lodash commonly used via transitive or config-level references in NestJS projects.	ai	2026/05/29
phantom-deps	phantom-dep:@nestjs/swagger	AI (phantom-deps): NestJS swagger is a peer dep for decorator metadata; not always directly imported.	ai	2026/05/29
phantom-deps	phantom-dep:@noble/secp256k1	AI (phantom-deps): Crypto lib used indirectly via bitcoinjs-lib/bip32 ecosystem; phantom heuristic fires but dep is legitimate.	ai	2026/05/29
phantom-deps	phantom-dep:reflect-metadata	AI (phantom-deps): Known NestJS runtime implicit dep; always declared but rarely directly imported.	ai	2026/05/29

Versions (showing 7 of 7)

Version	Deps	Published
1.2.1	19 / 19	2026-04-26
1.2.0	19 / 19	2026-03-23
1.1.1	20 / 14	2026-03-17
1.0.4	20 / 14	2025-10-28
1.0.3	20 / 14	2025-10-18
1.0.2	20 / 14	2025-10-01
1.0.0	19 / 15	2025-10-01