@ledgerhq/coin-tezos
Tezos Coin integration
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@ledgerhq/devices | AI (phantom-deps): Same-org Ledger dependency; phantom classification is a packaging hygiene issue, not a security risk. | ai | |
| phantom-deps | phantom-dep:invariant | AI (phantom-deps): invariant is a standard assertion library; phantom classification is a packaging hygiene issue, not a security risk. | ai | |
| dependencies | unvetted-dep:@ledgerhq/coin-framework | AI (dependencies): First-party Ledger HQ dependency within the same org scope (@ledgerhq); not a security concern for this package family. | ai | |
| phantom-deps | phantom-dep:rxjs | AI (phantom-deps): rxjs is a legitimate dependency used transitively or in config; no security concern for this established Ledger package. | ai | |
| phantom-deps | phantom-dep:lodash | AI (phantom-deps): lodash is a legitimate utility dependency; phantom classification is a packaging hygiene issue, not a security risk. | ai | |
| dependencies | unvetted-dep:@ledgerhq/logs | AI (dependencies): Same-org @ledgerhq/* package; standard logging utility from LedgerHQ monorepo. | ai | |
| dependencies | unvetted-dep:@ledgerhq/errors | AI (dependencies): Same-org @ledgerhq/* package; standard error definitions from LedgerHQ monorepo. | ai | |
| dependencies | unvetted-dep:@ledgerhq/devices | AI (dependencies): Same-org @ledgerhq/* package; standard device definitions from LedgerHQ monorepo. | ai | |
| dependencies | unvetted-dep:@ledgerhq/cryptoassets | AI (dependencies): Same-org @ledgerhq/* package; standard crypto asset definitions from LedgerHQ monorepo. | ai | |
| dependencies | unvetted-dep:@ledgerhq/live-network | AI (dependencies): Same-org @ledgerhq/* package; standard network utilities from LedgerHQ monorepo. | ai | |
| dependencies | unvetted-dep:@ledgerhq/coin-module-framework | AI (dependencies): Same-org @ledgerhq/* package; coin module framework from LedgerHQ monorepo. | ai | |
| dependencies | unvetted-dep:@ledgerhq/ledger-wallet-framework | AI (dependencies): Same-org @ledgerhq/* package; wallet framework from LedgerHQ monorepo. | ai | |
| dependencies | unvetted-dep:@ledgerhq/types-live | AI (dependencies): Same-org @ledgerhq/* package; standard type definitions from LedgerHQ monorepo. | ai | |
| dependencies | unvetted-dep:@taquito/rpc | AI (dependencies): Taquito is the official Tezos TypeScript library; expected dependency for a Tezos coin integration. | ai | |
| dependencies | unvetted-dep:@taquito/utils | AI (dependencies): Taquito is the official Tezos TypeScript library; expected dependency for a Tezos coin integration. | ai | |
| dependencies | unvetted-dep:@taquito/taquito | AI (dependencies): Taquito is the official Tezos TypeScript library; expected dependency for a Tezos coin integration. | ai | |
| dependencies | unvetted-dep:@taquito/ledger-signer | AI (dependencies): Taquito Ledger signer is the official Tezos Ledger hardware wallet signer; expected dependency for this package. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex encoding/decoding in craftTransaction.js is standard Tezos protocol usage (0x03 watermark prefix for transactions). Not malicious for this package. | ai | |
| provenance | no-provenance | AI (provenance): LedgerHQ publishes via CI bot without Sigstore provenance; consistent across their package ecosystem. | ai |
Versions (showing 34 of 34)
| Version | Deps | Published |
|---|---|---|
| 7.4.0 | 16 / 16 | |
| 7.3.0 | 16 / 16 | |
| 7.2.0 | 16 / 16 | |
| 7.1.0 | 16 / 17 | |
| 7.0.1 | 16 / 17 | |
| 7.0.0 | 16 / 17 | |
| 6.22.0 | 16 / 15 | |
| 6.21.0 | 16 / 15 | |
| 6.20.1 | 16 / 13 | |
| 6.20.0 | 16 / 13 | |
| 6.19.0 | 15 / 13 | |
| 6.18.0 | 15 / 13 | |
| 6.17.0 | 15 / 12 | |
| 6.16.1 | 15 / 12 | |
| 6.16.0 | 15 / 12 | |
| 6.15.0 | 15 / 12 | |
| 6.14.1 | 15 / 12 | |
| 6.14.0 | 15 / 12 | |
| 6.13.0 | 15 / 12 | |
| 6.12.0 | 15 / 11 | |
| 6.11.1 | 15 / 11 | |
| 6.11.0 | 15 / 11 | |
| 6.10.1 | 15 / 11 | |
| 6.10.0 | 15 / 11 | |
| 6.9.0 | 15 / 11 | |
| 6.8.0 | 15 / 11 | |
| 6.7.0 | 15 / 11 | |
| 6.6.0 | 18 / 11 | |
| 6.5.0 | 18 / 11 | |
| 6.4.0 | 18 / 12 | |
| 6.3.0 | 18 / 12 | |
| 6.2.0 | 18 / 12 | |
| 6.1.0 | 18 / 12 | |
| 6.0.0 | 18 / 12 |
v7.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.22.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.21.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.20.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.20.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.7.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.6.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.5.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.