← Home

@ledgerhq/device-transport-kit-react-native-ble

npm Repository Homepage

- [Transport Device Kit React Native BLE Documentation](#transport-device-kit-react-native-ble) - [Description](#description) - [Installation](#installation) - [Usage](#usage) - [Compatibility](#compatibility) - [Pre-requisites](#pre-requisi

7
Versions
Apache-2.0
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

phenry-ledgersergii-shkolingbrahm-ledgerthomas.coudrayldg-github-civbouzonledger-releaser

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance publisher-changed AI (provenance): ldg-github-ci is Ledger's CI publisher account with 104 approved packages; transition from ledger-releaser is a legitimate CI migration. ai
dependencies unvetted-dep:purify-ts AI (dependencies): purify-ts is a well-known functional programming library for TypeScript; stable legitimate dependency for this package. ai
phantom-deps phantom-dep:uuid AI (phantom-deps): uuid is declared but used indirectly/in config; no malicious signal, common pattern in SDK packages. ai
phantom-deps phantom-dep:@sentry/minimal AI (phantom-deps): @sentry/minimal declared but not directly imported; likely used transitively or in config. No malicious signal. ai

Versions (showing 7 of 7)

Version Deps Published
1.3.2 4 / 13
1.3.1 4 / 13
1.3.0 4 / 13
1.2.0 4 / 13
1.1.1 4 / 13
1.1.0 4 / 13
1.0.0 4 / 13

v1.3.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v1.3.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v1.3.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.2.0

2 findings
HIGH Publisher changed: ledger-releaser → ldg-github-ci (on 2025-10-23) provenance

This version was published by a different npm account than previous versions on 2025-10-23. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.1.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.