@interchainjs/auth
Authentication for web3 accounts
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | source-size-tripled | AI (source-diff): Size increase is proportional to adding two new cryptographic library integrations. No obfuscation or injection signals present. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): elliptic and libsodium-wrappers-sumo are established crypto libraries appropriate for this auth/crypto package's secp256k1 and ed25519 support. Not suspicious for this package's purpose. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New source files reflect expanded cryptographic algorithm implementations (elliptic/libsodium integrations). Consistent with the package's stated purpose and new dependency additions. | ai | |
| dependencies | unvetted-dep:@interchainjs/crypto | AI (dependencies): Sibling package from the same publisher/monorepo (hyperweb-io/interchainjs); coordinated versioned release, no risk. | ai | |
| dependencies | unvetted-dep:@interchainjs/utils | AI (dependencies): Sibling package from the same publisher/monorepo (hyperweb-io/interchainjs); coordinated versioned release, no risk. | ai | |
| dependencies | unvetted-dep:elliptic | AI (dependencies): elliptic is a canonical cryptography library; its use in an auth package is expected and appropriate. | ai | |
| dependencies | unvetted-dep:libsodium-wrappers-sumo | AI (dependencies): libsodium-wrappers-sumo is the standard JS binding for libsodium; expected in a cryptography/auth package. | ai | |
| provenance | publisher-changed | AI (provenance): Legitimate maintainer transition to established publisher (pyramation, 2693 approved packages); no compromise indicators. | ai | |
| phantom-deps | phantom-dep:@noble/curves | AI (phantom-deps): Declared in package.json and referenced in config; phantom-dep is expected for transitive crypto dependencies. | ai | |
| phantom-deps | phantom-dep:@scure/bip32 | AI (phantom-deps): Declared in package.json and referenced in config; phantom-dep is expected for transitive crypto dependencies. | ai | |
| provenance | no-provenance | AI (provenance): Interchainjs ecosystem packages consistently lack provenance attestation; this is a build pipeline gap, not a security concern for this publisher. | ai | |
Versions (showing 52 of 52)
| Version | Deps | Published |
|---|---|---|
| 1.19.1 | 9 / 4 | |
| 1.16.1 | 8 / 3 | |
| 1.13.0 | 6 / 0 | |
| 1.12.2 | 6 / 0 | |
| 1.12.1 | 6 / 0 | |
| 1.12.0 | 6 / 0 | |
| 1.11.18 | 5 / 0 | |
| 1.11.15 | 6 / 0 | |
| 1.11.14 | 6 / 0 | |
| 1.11.13 | 6 / 0 | |
| 1.11.12 | 6 / 0 | |
| 1.11.11 | 6 / 0 | |
| 1.11.10 | 6 / 0 | |
| 1.11.9 | 6 / 0 | |
| 1.11.8 | 6 / 0 | |
| 1.11.7 | 6 / 0 | |
| 1.11.6 | 6 / 0 | |
| 1.11.5 | 6 / 0 | |
| 1.11.4 | 6 / 0 | |
| 1.11.3 | 6 / 0 | |
| 1.11.2 | 6 / 0 | |
| 1.11.1 | 6 / 0 | |
| 1.11.0 | 6 / 0 | |
| 1.10.1 | 6 / 0 | |
| 1.10.0 | 6 / 0 | |
| 1.9.16 | 6 / 0 | |
| 1.9.15 | 6 / 0 | |
| 1.9.14 | 6 / 0 | |
| 1.9.13 | 6 / 0 | |
| 1.9.12 | 6 / 0 | |
| 1.9.11 | 6 / 0 | |
| 1.9.6 | 6 / 0 | |
| 1.9.5 | 6 / 0 | |
| 1.9.4 | 6 / 0 | |
| 1.8.3 | 6 / 0 | |
| 1.8.2 | 6 / 0 | |
| 1.8.1 | 6 / 0 | |
| 1.8.0 | 6 / 0 | |
| 1.7.11 | 6 / 0 | |
| 1.7.10 | 6 / 0 | |
| 1.7.9 | 6 / 0 | |
| 1.7.8 | 5 / 0 | |
| 1.7.6 | 5 / 0 | |
| 1.7.5 | 5 / 0 | |
| 1.6.4 | 5 / 0 | |
| 1.6.3 | 5 / 0 | |
| 1.6.2 | 5 / 0 | |
| 1.6.1 | 5 / 0 | |
| 1.6.0 | 5 / 0 | |
| 0.0.8 | 4 / 0 | |
| 0.0.7 | 4 / 0 | |
| 0.0.6 | 4 / 0 | |
v1.19.1
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-12-16. This could indicate a legitimate maintainer transition or an account compromise.
v1.16.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.18
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.15
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.14
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.13
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.12
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.11
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.10
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.9
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.11.8
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.7
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.11.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.11.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.11.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.9.16
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.9.15
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.9.14
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.9.13
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.9.12
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.9.11
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.9.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.9.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.9.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.3
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-02-07. This could indicate a legitimate maintainer transition or an account compromise.
v1.8.2
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-01-29. This could indicate a legitimate maintainer transition or an account compromise.
v1.8.1
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-01-29. This could indicate a legitimate maintainer transition or an account compromise.
v1.8.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-01-28. This could indicate a legitimate maintainer transition or an account compromise.
v1.7.11
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-01-28. This could indicate a legitimate maintainer transition or an account compromise.
v1.7.10
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.9
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.8
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.6.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.6.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.6.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.6.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.6.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.8
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.7
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.