@ledgerhq/device-signer-kit-concordium

This module provides the implementation of the Ledger Concordium signer of the Device Management Kit. It enables interaction with the Concordium application on a Ledger device including:

Versions: 3
License: Apache-2.0
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation
npm registry signatures
No source commit

Maintainers

phenry-ledgersergii-shkolingbrahm-ledgerthomas.coudrayldg-github-civbouzonledger-releaser

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
| --- | --- | --- | --- | --- |
| source-diff | obfuscated-file:lib/cjs/internal/app-binder/task/VerifyAddressTask.js | AI (source-diff): Standard minified build output from Ledger's TypeScript SDK; content is readable business logic, not obfuscation. | ai | |
| source-diff | obfuscated-file:lib/esm/internal/app-binder/task/VerifyAddressTask.js | AI (source-diff): Standard minified ESM build output; same pattern as CJS counterpart, no malicious content. | ai | |
| source-diff | obfuscated-file:lib/cjs/internal/app-binder/task/VerifyAddressTask.test.js | AI (source-diff): Minified test file bundled with the package; contains vitest test logic, not malicious code. | ai | |
| source-diff | obfuscated-file:lib/esm/internal/app-binder/task/VerifyAddressTask.test.js | AI (source-diff): Minified ESM test file; same pattern, no malicious content. | ai | |
| provenance | slsa-provenance | AI (provenance): LedgerHQ uses CI/CD with Sigstore attestation for all releases in this monorepo; SLSA provenance is a positive signal, not a risk. | ai | |
| phantom-deps | phantom-dep:xstate | AI (phantom-deps): xstate is declared as a runtime dependency in package.json; phantom-dep flag is a packaging quirk, not a security concern for this package. | ai | |

Versions (showing 3 of 3)

Version Deps Published
0.4.0 5 / 9
0.3.0 5 / 9
0.2.0 5 / 8

v0.4.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v0.2.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.