@ethersproject/hash

Hash utility functions for Ethereum.

Versions: 22
License: MIT
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance; npm registry signatures; gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

ricmoo

Keywords

Ethereum, ethers

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | obfuscated-file:lib.esm/ens-normalize/include.js | AI (source-diff): Base64-encoded ENS Unicode normalization tables from adraffy/ens-normalize.js; not obfuscation, just compressed data tables standard for ENS normalization. | ai |
source-diff | obfuscated-file:src.ts/ens-normalize/include.ts | AI (source-diff): TypeScript source of ENS normalization data tables; same rationale as compiled variants. | ai |
source-diff | obfuscated-file:lib/ens-normalize/include.js | AI (source-diff): CJS build variant of the same ENS normalization data tables; same rationale as ESM variant. | ai |
dependencies | unvetted-dep:@ethersproject/keccak256 | AI (dependencies): First-party ethers.js sub-package published by the same author (ricmoo); stable dependency within the ethers.js monorepo. | ai |
dependencies | unvetted-dep:@ethersproject/properties | AI (dependencies): First-party ethers.js sub-package published by the same author (ricmoo); stable dependency within the ethers.js monorepo. | ai |
dependencies | unvetted-dep:@ethersproject/strings | AI (dependencies): First-party ethers.js sub-package published by the same author (ricmoo); stable dependency within the ethers.js monorepo. | ai |
provenance | no-provenance | AI (provenance): Package predates Sigstore provenance attestation; absence is expected for this era of publishing. | ai |
source-diff | source-size-tripled | AI (source-diff): Dramatic size increase is consistent with EIP-712 feature addition in this well-established ethers.js package; no malicious payload indicators. | ai |
source-diff | large-new-source-files | AI (source-diff): Size increase reflects legitimate feature expansion (EIP-712 typed data hashing) in the ethers.js monorepo; no injected or obfuscated code. | ai |
publish-pattern | new-deps-added | AI (publish-pattern): New deps are all first-party @ethersproject/* sibling packages from the same author/monorepo; not a third-party supply chain risk. | ai |
typosquat | typosquat.levenshtein:hapi | AI (typosquat): @ethersproject/hash is a well-established ethers.js sub-package with no relation to 'hapi'; the Levenshtein match is a false positive that generalizes across all versions. | ai |

Versions (showing 22 of 22)

Version Deps Published
5.8.0 9 / 0
5.7.0 9 / 0
5.6.1 8 / 0
5.6.0 8 / 0
5.5.0 8 / 0
5.4.0 8 / 0
5.3.0 8 / 0
5.2.0 8 / 0
5.1.0 8 / 0
5.0.12 8 / 0
5.0.11 8 / 0
5.0.10 8 / 0
5.0.9 8 / 0
5.0.8 8 / 0
5.0.7 8 / 0
5.0.6 8 / 0
5.0.5 4 / 0
5.0.4 4 / 0
5.0.3 4 / 0
5.0.2 4 / 0
5.0.1 4 / 0
5.0.0 4 / 0

v5.8.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v5.7.0

4 findings
HIGH New obfuscated file: lib.esm/ens-normalize/include.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: lib/ens-normalize/include.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: src.ts/ens-normalize/include.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.6.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.6.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.5.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.4.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.3.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.2.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.1.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.12

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.11

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.10

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.9

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.8

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.7

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.6

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v5.0.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v5.0.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v5.0.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v5.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.