← Home

@hiero-ledger/cryptography

npm Repository Homepage
8
Versions
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

lfdt-npmrbarkernathan-swirldslabsandrewb1269hg

Keywords

hierosdkhederahashgraphcryptography

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance publisher-changed AI (provenance): Transition from lfdt-npm to GitHub Actions with SLSA provenance attestation is a documented CI/CD security improvement for the hiero-ledger org, not a compromise indicator. ai
semgrep semgrep:hex-decode AI (semgrep): Hex decoding is a fundamental cryptographic primitive; the code is straightforward and expected in this library's context. ai
dependencies unvetted-dep:forge-light AI (dependencies): forge-light is a lightweight node-forge fork appropriate for React Native crypto support, consistent with this package's cross-platform design. ai
phantom-deps phantom-dep:bn.js AI (phantom-deps): Declared in package.json dependencies; used transitively or in platform-specific code paths in this SDK. ai
phantom-deps phantom-dep:debug AI (phantom-deps): Declared in package.json; used for debug logging in SDK utilities, not a malicious indicator. ai
semgrep semgrep:base64-decode AI (semgrep): Base64 decode is a core function of a cryptography utility library; Buffer.from(text, 'base64') is standard Node.js and not a malicious payload indicator. ai
phantom-deps phantom-dep:ansi-regex AI (phantom-deps): Declared in package.json; likely used in CLI/debug tooling within the SDK. ai
phantom-deps phantom-dep:strip-ansi AI (phantom-deps): Declared in package.json; used in output formatting utilities, not a security concern. ai
phantom-deps phantom-dep:ansi-styles AI (phantom-deps): Declared in package.json; used in output formatting utilities, not a security concern. ai
phantom-deps phantom-dep:js-base64 AI (phantom-deps): Declared in package.json; used in browser/native platform variants of the encoding module. ai

Versions (showing 8 of 8)

Version Deps Published
1.18.0 16 / 38
1.17.0 16 / 38
1.15.0 16 / 36
1.14.0 16 / 36
1.13.0 16 / 36
1.12.0 16 / 36
1.11.0 16 / 36
1.10.0 12 / 36

v1.18.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.15.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.13.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.12.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.11.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.10.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.