@ledgerhq/context-module
> [!CAUTION]
> This is still under development and we are free to make new interfaces which may lead to Device Management Kit breaking changes.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:lib/cjs/src/modules/multichain/transaction-check/loaders/SolanaTransactionCheckLoader.test.js | AI (source-diff): Minified test bundle output from build tooling; content is plainly readable unit tests, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:lib/esm/src/modules/multichain/transaction-check/loaders/SolanaTransactionCheckLoader.test.js | AI (source-diff): Same as CJS counterpart — ESM minified test bundle, not obfuscated malicious code. | ai | |
| source-diff | obfuscated-file:lib/esm/src/modules/ethereum/calldata/domain/CalldataContextLoader.test.js | AI (source-diff): Minified test artifact from bundler build; not obfuscated malware. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:lib/cjs/src/modules/ethereum/calldata/domain/CalldataContextLoader.test.js | AI (source-diff): Minified test artifact from bundler build; not obfuscated malware. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:lib/cjs/src/modules/ethereum/calldata/domain/CalldataContextLoader.js | AI (source-diff): Minified CJS build artifact from bundler; readable logic visible in sample. Stable for this package. | ai | |
| source-diff | obfuscated-file:lib/cjs/src/modules/concordium/account-ownership/domain/AccountOwnershipContextLoader.test.js | AI (source-diff): Minified test artifact from bundler build; not obfuscated malware. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:lib/esm/src/modules/concordium/account-ownership/domain/AccountOwnershipContextLoader.test.js | AI (source-diff): Minified test artifact from bundler build; not obfuscated malware. Stable pattern for this package. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Established Ledger SDK package; missing description is cosmetic, not a risk signal. | ai | |
| source-diff | obfuscated-file:lib/cjs/src/account-ownership/data/HttpAccountOwnershipDataSource.js | AI (source-diff): Minified CJS build artifact from LedgerHQ build pipeline; content is readable HTTP data source logic. | ai | |
| source-diff | obfuscated-file:lib/cjs/src/account-ownership/domain/AccountOwnershipContextLoader.test.js | AI (source-diff): Minified test bundle from LedgerHQ build pipeline; contains readable test logic, not malicious code. | ai | |
| source-diff | obfuscated-file:lib/esm/src/account-ownership/domain/AccountOwnershipContextLoader.test.js | AI (source-diff): Minified test bundle from LedgerHQ build pipeline; contains readable test logic, not malicious code. | ai | |
| source-diff | obfuscated-file:lib/cjs/src/account-ownership/data/HttpAccountOwnershipDataSource.test.js | AI (source-diff): Minified test bundle; contains readable test logic for HTTP data source. | ai | |
| source-diff | obfuscated-file:lib/esm/src/account-ownership/data/HttpAccountOwnershipDataSource.test.js | AI (source-diff): Minified ESM test bundle; contains readable test logic for HTTP data source. | ai | |
| source-diff | encoded-string-file:lib/cjs/src/calldata/data/HttpCalldataDescriptorDataSource.test.js | AI (source-diff): Long hex strings are cryptographic test vectors (signatures, descriptors) — not encoded payloads. | ai | |
| source-diff | encoded-string-file:lib/esm/src/calldata/data/HttpCalldataDescriptorDataSource.test.js | AI (source-diff): Long hex strings are cryptographic test vectors (signatures, descriptors) — not encoded payloads. | ai | |
| source-diff | obfuscated-file:lib/cjs/src/gated-signing/domain/GatedSigningTypedDataContextLoader.test.js | AI (source-diff): Minified CJS test file from Ledger's standard build pipeline. Content is readable test logic, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:lib/esm/src/gated-signing/domain/GatedSigningContextLoader.test.js | AI (source-diff): Minified ESM test file output from Ledger's standard TypeScript build pipeline. Content is readable test logic, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:lib/cjs/src/gated-signing/domain/GatedSigningContextLoader.test.js | AI (source-diff): Minified test file output from Ledger's standard TypeScript build pipeline. Content is readable test logic, not malicious obfuscation. Stable false positive for this package. | ai | |
| source-diff | obfuscated-file:lib/cjs/src/gated-signing/data/HttpGatedDescriptorDataSource.test.js | AI (source-diff): Minified CJS test file from Ledger's standard build pipeline. Content is readable test logic, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:lib/esm/src/gated-signing/data/HttpGatedDescriptorDataSource.js | AI (source-diff): Minified ESM data source implementation. Makes GET requests to Ledger's own CAL API. No malicious patterns present. | ai | |
| source-diff | obfuscated-file:lib/esm/src/gated-signing/data/HttpGatedDescriptorDataSource.test.js | AI (source-diff): Minified ESM test file from Ledger's standard build pipeline. Content is readable test logic, not malicious obfuscation. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 36 new files correspond to a new gated-signing feature module with CJS/ESM/types build outputs. Consistent with Ledger's monorepo build pattern. No injected or suspicious code. | ai | |
| source-diff | obfuscated-file:lib/cjs/src/gated-signing/data/HttpGatedDescriptorDataSource.js | AI (source-diff): Minified CJS data source implementation. Makes GET requests to Ledger's own CAL API. No malicious patterns present. | ai | |
| source-diff | obfuscated-file:lib/esm/src/gated-signing/domain/GatedSigningTypedDataContextLoader.test.js | AI (source-diff): Minified ESM test file from Ledger's standard build pipeline. Content is readable test logic, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:lib/cjs/src/gated-signing/domain/GatedSigningTypedDataContextLoader.js | AI (source-diff): Minified CJS implementation file from Ledger's standard build pipeline. Content is transparent business logic making GET requests to Ledger's own CAL API. | ai | |
| dependencies | unvetted-dep:purify-ts | AI (dependencies): purify-ts is a legitimate functional programming library for TypeScript, pinned to a specific version. No malicious history; stable dependency for this package. | ai | |
Versions (showing 19 of 19)
| Version | Deps | Published |
|---|---|---|
| 2.1.0 | 6 / 8 | |
| 2.0.0 | 5 / 8 | |
| 1.17.1 | 5 / 8 | |
| 1.17.0 | 5 / 8 | |
| 1.16.0 | 6 / 8 | |
| 1.15.0 | 6 / 8 | |
| 1.14.1 | 6 / 8 | |
| 1.14.0 | 6 / 8 | |
| 1.13.0 | 6 / 8 | |
| 1.12.0 | 6 / 8 | |
| 1.11.1 | 6 / 8 | |
| 1.11.0 | 6 / 8 | |
| 1.10.0 | 6 / 8 | |
| 1.9.0 | 6 / 8 | |
| 1.8.1 | 6 / 8 | |
| 1.8.0 | 6 / 8 | |
| 1.7.0 | 6 / 8 | |
| 1.6.0 | 6 / 8 | |
| 1.4.0 | 6 / 8 | |
v2.1.0
3 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v2.0.0
6 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.16.0
1 finding
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.15.0
10 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.14.1
1 finding
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.14.0
1 finding
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.13.0
1 finding
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.12.0
1 finding
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.11.1
1 finding
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.11.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.10.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.9.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.1
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.6.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.