@ledgerhq/live-cli
ledger-live CLI version
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographically verifiable link between this tarball and the public source repository and build workflow that produced it; the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:superagent | AI (phantom-deps): Bundled CLI; deps inlined into build output. | ai | |
| phantom-deps | phantom-dep:qrloop | AI (phantom-deps): Stable false positive; qrloop used indirectly in CLI bundle. | ai | |
| phantom-deps | phantom-dep:command-line-args | AI (phantom-deps): Stable false positive; command-line-args used indirectly. | ai | |
| phantom-deps | phantom-dep:express | AI (phantom-deps): Monorepo CLI; deps used transitively in bundled output, not direct imports. | ai | |
| phantom-deps | phantom-dep:asciichart | AI (phantom-deps): Monorepo CLI; deps used transitively in bundled output, not direct imports. | ai | |
| phantom-deps | phantom-dep:body-parser | AI (phantom-deps): Monorepo CLI; deps used transitively in bundled output, not direct imports. | ai | |
| phantom-deps | phantom-dep:bignumber.js | AI (phantom-deps): Monorepo CLI; deps used transitively in bundled output, not direct imports. | ai | |
| phantom-deps | phantom-dep:bigint-buffer | AI (phantom-deps): Monorepo CLI; deps used transitively in bundled output, not direct imports. | ai | |
| phantom-deps | phantom-dep:qrcode-terminal | AI (phantom-deps): Monorepo CLI; deps used transitively in bundled output, not direct imports. | ai | |
| phantom-deps | phantom-dep:ws | AI (phantom-deps): Monorepo CLI; deps used transitively in bundled output, not direct imports. | ai | |
| phantom-deps | phantom-dep:got | AI (phantom-deps): Monorepo CLI; deps used transitively in bundled output, not direct imports. | ai | |
| phantom-deps | phantom-dep:usb | AI (phantom-deps): Monorepo CLI; deps used transitively in bundled output, not direct imports. | ai | |
| phantom-deps | phantom-dep:cors | AI (phantom-deps): Monorepo CLI; deps used transitively in bundled output, not direct imports. | ai | |
| phantom-deps | phantom-dep:pako | AI (phantom-deps): Monorepo CLI; deps used transitively in bundled output, not direct imports. | ai | |
| phantom-deps | phantom-dep:rxjs | AI (phantom-deps): Monorepo CLI; deps used transitively in bundled output, not direct imports. | ai | |
| phantom-deps | phantom-dep:bip39 | AI (phantom-deps): Monorepo CLI; deps used transitively in bundled output, not direct imports. | ai | |
| phantom-deps | phantom-dep:react | AI (phantom-deps): Monorepo CLI; deps used transitively in bundled output, not direct imports. | ai | |
| phantom-deps | phantom-dep:lodash | AI (phantom-deps): Monorepo CLI; deps used transitively in bundled output, not direct imports. | ai | |
| phantom-deps | phantom-dep:winston | AI (phantom-deps): Monorepo CLI; deps used transitively in bundled output, not direct imports. | ai | |
| phantom-deps | phantom-dep:node-hid | AI (phantom-deps): Monorepo CLI; deps used transitively in bundled output, not direct imports. | ai | |
| phantom-deps | phantom-dep:invariant | AI (phantom-deps): Monorepo CLI; deps used transitively in bundled output, not direct imports. | ai | |
| phantom-deps | phantom-dep:purify-ts | AI (phantom-deps): Monorepo CLI; deps used transitively in bundled output, not direct imports. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): Monorepo CLI; deps used transitively in bundled output, not direct imports. | ai | |
| provenance | no-provenance | AI (provenance): LedgerHQ is an established org; lack of Sigstore provenance is common and not a disqualifier here. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Standard Solana VersionedTransaction deserialization from base64. Expected pattern in a hardware wallet CLI. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Bundler artifact (rslib) using require('url'.replace('','')) to reference Node built-ins without static analysis interference. Not malicious. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hardcoded zero-byte hex literals used for protocol validation assertions, not payload decoding. False positive for this crypto wallet CLI. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get() in a Proxy handler is idiomatic JavaScript, not obfuscation. Common pattern in bundled code. | ai | |
Versions (showing 10 of 10)
| Version | Deps | Published |
|---|---|---|
| 24.39.0 | 28 / 18 | |
| 24.38.0 | 24 / 16 | |
| 24.28.0 | 23 / 18 | |
| 24.27.1 | 23 / 18 | |
| 24.27.0 | 23 / 18 | |
| 24.19.4 | 23 / 17 | |
| 24.18.6 | 21 / 17 | |
| 24.18.4 | 21 / 17 | |
| 24.18.1 | 21 / 17 | |
| 24.18.0 | 21 / 17 | |
v24.39.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v24.38.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v24.28.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.19.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v24.18.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v24.18.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v24.18.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v24.18.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.