@ledgerhq/coin-icon — Greenflagged

Ledger Icon Coin integration

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

phenry-ledgersergii-shkolingbrahm-ledgerthomas.coudrayldg-github-civbouzonledger-releaser

Keywords

LedgerLedgerWalleticxIconHardware Wallet

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:icon-sdk-js	AI (dependencies): icon-sdk-js is the official ICON blockchain SDK; its use in a Ledger ICON coin integration module is expected and appropriate across all versions.	ai	2026/04/26
dependencies	unvetted-dep:@ledgerhq/coin-framework	AI (dependencies): First-party Ledger HQ dependency from the same org; its use in any @ledgerhq/* coin module is expected and stable.	ai	2026/04/26
dependencies	unvetted-dep:@ledgerhq/devices	AI (dependencies): Same-org @ledgerhq scoped package from the ledger-live monorepo; unvetted status is a registry artifact, not a risk signal.	ai	2026/04/25
dependencies	unvetted-dep:@ledgerhq/live-env	AI (dependencies): Same-org @ledgerhq scoped package from the ledger-live monorepo; unvetted status is a registry artifact, not a risk signal.	ai	2026/04/25
dependencies	unvetted-dep:@ledgerhq/types-live	AI (dependencies): Same-org @ledgerhq scoped package from the ledger-live monorepo; unvetted status is a registry artifact, not a risk signal.	ai	2026/04/25
dependencies	unvetted-dep:@ledgerhq/cryptoassets	AI (dependencies): Same-org @ledgerhq scoped package from the ledger-live monorepo; unvetted status is a registry artifact, not a risk signal.	ai	2026/04/25
dependencies	unvetted-dep:@ledgerhq/live-network	AI (dependencies): Same-org @ledgerhq scoped package from the ledger-live monorepo; unvetted status is a registry artifact, not a risk signal.	ai	2026/04/25
dependencies	unvetted-dep:@ledgerhq/live-promise	AI (dependencies): Same-org @ledgerhq scoped package from the ledger-live monorepo; unvetted status is a registry artifact, not a risk signal.	ai	2026/04/25
dependencies	unvetted-dep:@ledgerhq/logs	AI (dependencies): Same-org @ledgerhq scoped package from the ledger-live monorepo; unvetted status is a registry artifact, not a risk signal.	ai	2026/04/25
dependencies	unvetted-dep:@ledgerhq/coin-module-framework	AI (dependencies): Same-org @ledgerhq scoped package from the ledger-live monorepo; unvetted status is a registry artifact, not a risk signal.	ai	2026/04/25
dependencies	unvetted-dep:@ledgerhq/ledger-wallet-framework	AI (dependencies): Same-org @ledgerhq scoped package from the ledger-live monorepo; unvetted status is a registry artifact, not a risk signal.	ai	2026/04/25
phantom-deps	phantom-dep:@ledgerhq/live-env	AI (phantom-deps): Same-org package; phantom dep pattern is expected in monorepo setups where deps are declared but used indirectly.	ai	2026/04/25
phantom-deps	phantom-dep:@ledgerhq/live-promise	AI (phantom-deps): Same-org package; phantom dep pattern is expected in monorepo setups where deps are declared but used indirectly.	ai	2026/04/25
phantom-deps	phantom-dep:prando	AI (phantom-deps): prando is a legitimate PRNG library; phantom dep in config/test context is benign for this package.	ai	2026/04/25
dependencies	unvetted-dep:@ledgerhq/types-cryptoassets	AI (dependencies): Same-org @ledgerhq scoped package from the ledger-live monorepo; unvetted status is a registry artifact, not a risk signal.	ai	2026/04/25
dependencies	unvetted-dep:@ledgerhq/errors	AI (dependencies): Same-org @ledgerhq scoped package from the ledger-live monorepo; unvetted status is a registry artifact, not a risk signal.	ai	2026/04/25