@keplr-wallet/cosmos
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | no-description | AI (npm-metadata): Scoped package from established org; missing description is common for internal library components. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation is rare (~12% adoption); not a signal for this established publisher. | ai | |
| dependencies | unvetted-dep:protobufjs | AI (dependencies): protobufjs is a well-known, widely-used protobuf library; its use is expected and appropriate for a Cosmos blockchain client package handling protobuf serialization. | ai | |
| phantom-deps | phantom-dep:@keplr-wallet/common | AI (phantom-deps): Same-org scoped dependency in a monorepo; phantom import detection is unreliable for monorepo packages where usage may be indirect or in build artifacts. | ai | |
| provenance | publisher-changed | AI (provenance): Keplr wallet migrated to GitHub Actions CI/CD publishing with SLSA provenance attestation; the publisher change reflects legitimate automation, not a compromise. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Missing metadata (description, repo, keywords) is typical for monorepo sub-packages; publisher chainapsis has 3057 approved packages and zero rejections. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding in this package is used for ADR-36 amino message validation in the Cosmos wallet context — standard cryptographic handling, not a malicious payload indicator. | ai | |
| phantom-deps | phantom-dep:long | AI (phantom-deps): 'long' is a standard dependency used alongside protobufjs for 64-bit integer handling; its indirect usage pattern is expected in protobuf-based packages. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decoding appears in a test spec file as a hardcoded Cosmos transaction fixture. This is normal test data for a Cosmos library, not obfuscated malicious code. | ai | |
Versions (showing 49 of 450)
| Version | Deps | Published |
|---|---|---|
| 0.11.3 | 11 / 0 | |
| 0.11.2 | 11 / 0 | |
| 0.11.1 | 11 / 0 | |
| 0.11.0 | 11 / 0 | |
| 0.10.24 | 11 / 0 | |
| 0.10.23 | 11 / 0 | |
| 0.10.22 | 11 / 0 | |
| 0.10.21 | 11 / 0 | |
| 0.10.20 | 11 / 0 | |
| 0.10.19 | 11 / 0 | |
| 0.10.18 | 10 / 0 | |
| 0.10.17 | 10 / 0 | |
| 0.10.16 | 10 / 0 | |
| 0.10.15 | 10 / 0 | |
| 0.10.14 | 10 / 0 | |
| 0.10.13 | 10 / 0 | |
| 0.10.12 | 10 / 0 | |
| 0.10.11 | 10 / 0 | |
| 0.10.10 | 10 / 0 | |
| 0.10.9 | 10 / 0 | |
| 0.10.8 | 10 / 0 | |
| 0.10.7 | 10 / 0 | |
| 0.10.6 | 10 / 0 | |
| 0.10.5 | 10 / 0 | |
| 0.10.4 | 10 / 0 | |
| 0.10.3 | 10 / 0 | |
| 0.10.2 | 10 / 0 | |
| 0.10.1 | 10 / 0 | |
| 0.10.0 | 9 / 0 | |
| 0.9.16 | 9 / 0 | |
| 0.9.12 | 9 / 0 | |
| 0.9.10 | 9 / 0 | |
| 0.9.9 | 8 / 0 | |
| 0.9.7 | 8 / 0 | |
| 0.9.6 | 8 / 0 | |
| 0.9.5 | 8 / 0 | |
| 0.9.4 | 8 / 0 | |
| 0.9.0 | 8 / 0 | |
| 0.8.15 | 9 / 1 | |
| 0.8.13 | 9 / 1 | |
| 0.8.12 | 9 / 1 | |
| 0.8.11 | 9 / 1 | |
| 0.8.8 | 9 / 1 | |
| 0.8.7 | 9 / 1 | |
| 0.8.6 | 9 / 1 | |
| 0.8.5 | 9 / 1 | |
| 0.8.4 | 9 / 1 | |
| 0.8.2 | 9 / 1 | |
| 0.8.0 | 9 / 1 | |
v0.11.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.11.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.11.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.11.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.24
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.23
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.22
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.21
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.20
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.19
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.18
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.17
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.16
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.15
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.14
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.13
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.12
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.11
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.10
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.16
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.12
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.10
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.7
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.15
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.13
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.12
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.11
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.6
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.