@ledgerhq/coin-filecoin

Ledger Filecoin Coin integration

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

phenry-ledgersergii-shkolingbrahm-ledgerthomas.coudrayldg-github-civbouzonledger-releaser

Keywords

LedgerLedgerWalletfilFilecoinHardware Wallet

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	no-provenance	AI (provenance): Provenance attestation is not yet standard practice; absence is not a security concern for this established, ecosystem-trusted package.	ai	2026/04/27
dependencies	unvetted-dep:@zondax/cbor	AI (dependencies): Zondax is a known blockchain tooling company working with Ledger; @zondax/cbor is a domain-appropriate CBOR library for Filecoin integration.	ai	2026/04/26
dependencies	unvetted-dep:iso-filecoin	AI (dependencies): iso-filecoin is a standard Filecoin utility library; appropriate dependency for a Filecoin coin integration package.	ai	2026/04/26
phantom-deps	phantom-dep:@ledgerhq/devices	AI (phantom-deps): Same-org package declared as dependency in a large monorepo; phantom dep finding is a false positive for this package structure.	ai	2026/04/25
semgrep	semgrep:hex-decode	AI (semgrep): hex-decode fires on a legitimate getBufferFromString utility in a blockchain library; decoding hex/base64 transaction data is expected behavior for a Filecoin coin integration.	ai	2026/04/25
semgrep	semgrep:base64-decode	AI (semgrep): base64-decode fires on the same getBufferFromString utility; decoding base64 message data is standard for a blockchain/crypto library, not a malicious payload.	ai	2026/04/25

Versions (showing 9 of 9)

Version	Deps	Published
1.24.3	17 / 12	2026-05-21
1.24.1	17 / 12	2026-05-04
1.24.0	17 / 12	2026-04-22
1.23.0	17 / 12	2026-04-15
1.22.1	17 / 10	2026-04-01
1.22.0	17 / 10	2026-03-26
1.18.1	16 / 9	2026-01-26
1.14.1	16 / 8	2025-11-20
1.9.4	16 / 8	2025-04-30

v1.24.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.24.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.24.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.23.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.22.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.22.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.9.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.