@hashgraph/cryptography
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:base64-decode | AI (semgrep): Cryptography library legitimately implements base64 encode/decode utilities. Buffer.from(text, 'base64') is standard Node.js; no obfuscation or malicious payload hiding. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Cryptography library legitimately implements hex encode/decode utilities. Buffer.from(str, 'hex') is standard Node.js; no obfuscation or malicious payload hiding. | ai | |
| phantom-deps | phantom-dep:bn.js | AI (phantom-deps): Multi-target build (CJS/ESM/browser/react-native) may not directly import all declared deps in the analyzed entry point; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:debug | AI (phantom-deps): Multi-target build may not directly import all declared deps in the analyzed entry point; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:js-base64 | AI (phantom-deps): Multi-target build may not directly import all declared deps in the analyzed entry point; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:ansi-regex | AI (phantom-deps): Multi-target build may not directly import all declared deps in the analyzed entry point; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:strip-ansi | AI (phantom-deps): Multi-target build may not directly import all declared deps in the analyzed entry point; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:ansi-styles | AI (phantom-deps): Multi-target build may not directly import all declared deps in the analyzed entry point; stable false positive for this package. | ai |
Versions (showing 14 of 14)
| Version | Deps | Published |
|---|---|---|
| 1.17.0 | 16 / 38 | |
| 1.15.0 | 16 / 36 | |
| 1.14.0 | 16 / 36 | |
| 1.13.0 | 16 / 36 | |
| 1.12.0 | 16 / 36 | |
| 1.11.0 | 16 / 36 | |
| 1.10.0 | 12 / 36 | |
| 1.9.0 | 12 / 36 | |
| 1.8.0 | 12 / 36 | |
| 1.7.4 | 12 / 36 | |
| 1.7.3 | 12 / 36 | |
| 1.7.2 | 12 / 36 | |
| 1.7.1 | 12 / 36 | |
| 1.7.0 | 12 / 36 |
v1.15.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.9.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.