@ledgerhq/coin-internet_computer
Ledger Internet Computer integration
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:expect | AI (phantom-deps): expect is a test utility referenced in config; not a runtime concern for this package. | ai | |
| phantom-deps | phantom-dep:@ledgerhq/devices | AI (phantom-deps): Same-org dep; likely used transitively or in type declarations, stable false positive. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decoding is used for deserializing signed ICP transaction blobs before broadcast — standard blockchain wallet operation, not obfuscation. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding is a utility function for message encoding conversion in a crypto wallet library — expected and benign. | ai | |
| provenance | no-provenance | AI (provenance): Established LedgerHQ monorepo package with 499 days history and 396 versions; lack of Sigstore provenance is not a meaningful risk signal here. | ai |
Versions (showing 38 of 38)
| Version | Deps | Published |
|---|---|---|
| 1.22.3 | 13 / 15 | |
| 1.22.2 | 13 / 15 | |
| 1.22.1 | 13 / 15 | |
| 1.22.0 | 13 / 15 | |
| 1.21.2 | 13 / 11 | |
| 1.21.1 | 13 / 11 | |
| 1.21.0 | 13 / 11 | |
| 1.20.0 | 13 / 11 | |
| 1.19.1 | 13 / 9 | |
| 1.19.0 | 13 / 9 | |
| 1.18.0 | 12 / 9 | |
| 1.17.0 | 12 / 9 | |
| 1.16.2 | 12 / 8 | |
| 1.16.1 | 12 / 8 | |
| 1.16.0 | 12 / 8 | |
| 1.15.2 | 12 / 8 | |
| 1.15.1 | 12 / 8 | |
| 1.15.0 | 12 / 8 | |
| 1.14.0 | 12 / 8 | |
| 1.13.0 | 12 / 7 | |
| 1.12.1 | 12 / 7 | |
| 1.12.0 | 12 / 7 | |
| 1.11.2 | 12 / 7 | |
| 1.11.1 | 12 / 7 | |
| 1.11.0 | 12 / 7 | |
| 1.10.0 | 12 / 7 | |
| 1.9.0 | 18 / 7 | |
| 1.8.1 | 18 / 7 | |
| 1.8.0 | 18 / 7 | |
| 1.7.16 | 18 / 7 | |
| 1.7.15 | 18 / 7 | |
| 1.7.14 | 18 / 7 | |
| 1.7.13 | 18 / 7 | |
| 1.7.8 | 18 / 8 | |
| 1.7.7 | 18 / 8 | |
| 1.7.5 | 18 / 8 | |
| 1.7.4 | 18 / 8 | |
| 1.7.3 | 18 / 8 |
v1.22.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.22.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.22.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.22.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.20.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.19.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.19.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.9.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.16
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.15
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.14
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.