@ledgerhq/coin-polkadot

Ledger Polkadot Coin integration

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

phenry-ledgersergii-shkolingbrahm-ledgerthomas.coudrayldg-github-civbouzonledger-releaser

Keywords

LedgerLedgerWalletdotPolkadotHardware Wallet

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:@ledgerhq/coin-framework	AI (dependencies): Sibling LedgerHQ package from the same monorepo; unvetted status is a pipeline artifact, not a security concern for this well-established org.	ai	2026/04/26
dependencies	unvetted-dep:@ledgerhq/devices	AI (dependencies): Internal @ledgerhq sibling package from the same monorepo; expected dependency for this coin integration module.	ai	2026/04/25
dependencies	unvetted-dep:@ledgerhq/cryptoassets	AI (dependencies): Internal @ledgerhq sibling package from the same monorepo; expected dependency for this coin integration module.	ai	2026/04/25
dependencies	unvetted-dep:@ledgerhq/live-network	AI (dependencies): Internal @ledgerhq sibling package from the same monorepo; expected dependency for this coin integration module.	ai	2026/04/25
dependencies	unvetted-dep:@ledgerhq/types-cryptoassets	AI (dependencies): Internal @ledgerhq sibling package from the same monorepo; expected dependency for this coin integration module.	ai	2026/04/25
dependencies	unvetted-dep:@ledgerhq/coin-module-framework	AI (dependencies): Internal @ledgerhq sibling package from the same monorepo; expected dependency for this coin integration module.	ai	2026/04/25
dependencies	unvetted-dep:@ledgerhq/ledger-wallet-framework	AI (dependencies): Internal @ledgerhq sibling package from the same monorepo; expected dependency for this coin integration module.	ai	2026/04/25
dependencies	unvetted-dep:@ledgerhq/logs	AI (dependencies): Internal @ledgerhq sibling package from the same monorepo; expected dependency for this coin integration module.	ai	2026/04/25
dependencies	unvetted-dep:@ledgerhq/errors	AI (dependencies): Internal @ledgerhq sibling package from the same monorepo; expected dependency for this coin integration module.	ai	2026/04/25
dependencies	unvetted-dep:@ledgerhq/types-live	AI (dependencies): Internal @ledgerhq sibling package from the same monorepo; expected dependency for this coin integration module.	ai	2026/04/25
phantom-deps	phantom-dep:lodash	AI (phantom-deps): lodash is referenced in config files only, not directly imported at runtime. Safe for this package.	ai	2026/04/25
phantom-deps	phantom-dep:@ledgerhq/devices	AI (phantom-deps): Same org scope package; phantom dep finding is expected in a monorepo context where transitive usage may occur.	ai	2026/04/25
phantom-deps	phantom-dep:@polkadot/api-derive	AI (phantom-deps): Referenced in config files only; @polkadot/api-derive is a known Polkadot ecosystem package used transitively.	ai	2026/04/25
semgrep	semgrep:hex-decode	AI (semgrep): Hex decoding in signTransaction.js is standard cryptographic practice for converting hardware wallet signatures to bytes for Polkadot extrinsics. Not a malicious payload indicator.	ai	2026/04/25
phantom-deps	phantom-dep:expect	AI (phantom-deps): expect is a test dependency referenced in jest config files, not a runtime import. Safe for this package.	ai	2026/04/25