@hashgraph/sdk
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | encoded-string-file:lib/address_book/AddressBooks.cjs | AI (source-diff): Hex-encoded protobuf NodeAddressBook data for mainnet/testnet/previewnet; expected for this SDK. | ai | |
| source-diff | obfuscated-file:lib/network/AddressBookQueryWeb.js | AI (source-diff): Browser-targeted minified bundle mapped in package.json browser field; standard build output for this SDK. | ai | |
| source-diff | encoded-string-file:lib/client/addressbooks/previewnet.d.ts | AI (source-diff): Type declaration includes address book constant; expected for this SDK. | ai | |
| source-diff | encoded-string-file:lib/client/addressbooks/mainnet.d.ts | AI (source-diff): Type declaration includes address book constant; expected for this SDK. | ai | |
| source-diff | encoded-string-file:dist/umd.min.js | AI (source-diff): Minified UMD bundle includes the same protobuf-encoded address book data; expected bundled artifact. | ai | |
| source-diff | encoded-string-file:lib/client/addressbooks/testnet.d.ts | AI (source-diff): Type declaration includes address book constant; expected for this SDK. | ai | |
| source-diff | encoded-string-file:dist/umd.js | AI (source-diff): UMD bundle includes the same protobuf-encoded address book data; expected bundled artifact. | ai | |
| source-diff | encoded-string-file:lib/client/addressbooks/testnet.cjs | AI (source-diff): Hex-encoded protobuf address book data for Hedera testnet nodes; stable pattern in this SDK. | ai | |
| source-diff | encoded-string-file:lib/client/addressbooks/mainnet.cjs | AI (source-diff): Hex-encoded protobuf address book data for Hedera mainnet nodes; stable pattern in this SDK. | ai | |
| source-diff | encoded-string-file:lib/client/addressbooks/previewnet.cjs | AI (source-diff): Hex-encoded protobuf address book data for Hedera previewnet nodes; stable pattern in this SDK. | ai | |
| source-diff | encoded-string-file:lib/client/addressbooks/mainnet.js | AI (source-diff): Hex-encoded protobuf address book data for Hedera mainnet nodes; stable pattern in this SDK. | ai | |
| source-diff | encoded-string-file:src/client/addressbooks/mainnet.js | AI (source-diff): Hex-encoded protobuf address book data for Hedera mainnet nodes; stable pattern in this SDK. | ai | |
| source-diff | encoded-string-file:lib/client/addressbooks/previewnet.js | AI (source-diff): Hex-encoded protobuf address book data for Hedera previewnet nodes; stable pattern in this SDK. | ai | |
| source-diff | encoded-string-file:src/client/addressbooks/previewnet.js | AI (source-diff): Hex-encoded protobuf address book data for Hedera previewnet nodes; stable pattern in this SDK. | ai | |
| source-diff | encoded-string-file:lib/client/addressbooks/testnet.js | AI (source-diff): Hex-encoded protobuf address book data for Hedera testnet nodes; stable pattern in this SDK. | ai | |
| source-diff | encoded-string-file:src/client/addressbooks/testnet.js | AI (source-diff): Hex-encoded protobuf address book data for Hedera testnet nodes; stable pattern in this SDK. | ai | |
| dependencies | unvetted-dep:@hashgraph/cryptography | AI (dependencies): First-party Hedera/Hiero cryptography package; expected dependency for this SDK. | ai | |
| dependencies | unvetted-dep:protobufjs | AI (dependencies): protobufjs is a well-known, widely-used protobuf library; its use in a blockchain SDK is expected and legitimate. | ai | |
| dependencies | unvetted-dep:@hashgraph/proto | AI (dependencies): First-party Hedera/Hiero protobuf definitions package; expected dependency for this SDK. | ai | |
| phantom-deps | phantom-dep:bn.js | AI (phantom-deps): bn.js is declared as a peerDependency and in resolutions; phantom detection is a false positive for this package's build structure. | ai | |
| phantom-deps | phantom-dep:@ethersproject/bignumber | AI (phantom-deps): @ethersproject/bignumber is declared as a direct dependency; phantom detection is a false positive for this package. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Buffer.from(str, 'hex') is standard Node.js hex decoding, expected and necessary in a blockchain SDK for handling keys, addresses, and transaction data. | ai | |
| phantom-deps | phantom-dep:pino-pretty | AI (phantom-deps): pino-pretty is declared as a direct dependency; phantom detection is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:strip-ansi | AI (phantom-deps): strip-ansi is declared as a direct dependency; phantom detection is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:ansi-styles | AI (phantom-deps): ansi-styles is declared as a direct dependency; phantom detection is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:ansi-regex | AI (phantom-deps): ansi-regex is declared as a direct dependency; phantom detection is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:debug | AI (phantom-deps): debug is declared as a direct dependency; phantom detection is a false positive for this package's build/import structure. | ai | |
Versions (showing 22 of 22)
| Version | Deps | Published |
|---|---|---|
| 2.81.0 | 21 / 56 | |
| 2.80.0 | 21 / 54 | |
| 2.79.0 | 21 / 54 | |
| 2.78.0 | 21 / 54 | |
| 2.77.0 | 21 / 54 | |
| 2.76.0 | 21 / 54 | |
| 2.75.0 | 21 / 54 | |
| 2.74.0 | 21 / 54 | |
| 2.73.2 | 21 / 54 | |
| 2.73.1 | 21 / 54 | |
| 2.72.0 | 17 / 54 | |
| 2.71.1 | 17 / 54 | |
| 2.71.0 | 17 / 54 | |
| 2.70.0 | 17 / 54 | |
| 2.69.0 | 17 / 54 | |
| 2.68.0 | 17 / 53 | |
| 2.67.0 | 17 / 53 | |
| 2.66.0 | 17 / 53 | |
| 2.65.1 | 17 / 53 | |
| 2.65.0 | 17 / 53 | |
| 2.64.5 | 17 / 53 | |
| 2.64.3 | 17 / 53 | |
v2.81.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.80.0
11 findings
This version was published by a different npm account than previous versions on 2026-01-21. This could indicate a legitimate maintainer transition or an account compromise.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads. (reported for 9 files)
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.79.0
16 findings
This version was published by a different npm account than previous versions on 2026-01-07. This could indicate a legitimate maintainer transition or an account compromise.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads. (reported for 12 files)
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads. (reported for 2 files)
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.78.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.75.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.74.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.73.2
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.73.1
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.72.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.71.1
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.71.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.70.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.69.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.68.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.67.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.66.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.65.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.65.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.64.5
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.64.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.