@ledgerhq/live-common
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@ledgerhq/live-countervalues-react | AI (phantom-deps): Same-org scoped package; phantom-dep heuristic is unreliable for monorepo patterns. | ai | |
| dependencies | unvetted-dep:@ledgerhq/device-intent | AI (dependencies): Same LedgerHQ org scope; consistent with other accepted @ledgerhq/* deps in this package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Large org package with CI publisher; maintainer rotation is routine, not a takeover signal. | ai | |
| source-diff | encoded-string-file:lib-es/families/solana/setup.test.js | AI (source-diff): Long strings are Base58/hex cryptographic test vectors in unit test files, not malicious payloads. | ai | |
| source-diff | encoded-string-file:lib/families/solana/setup.test.js | AI (source-diff): Same test vector pattern in CJS build of the same test file; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@ledgerhq/live-nft | AI (dependencies): Same LedgerHQ org scope; consistent with the package's established dependency pattern. | ai | |
| phantom-deps | phantom-dep:@dfinity/principal | AI (phantom-deps): ICP coin support; same pattern as @dfinity/agent. | ai | |
| phantom-deps | phantom-dep:@ledgerhq/hw-app-eth | AI (phantom-deps): Same org scope; large monorepo package with many conditional imports, stable false positive. | ai | |
| phantom-deps | phantom-dep:@dfinity/candid | AI (phantom-deps): ICP coin support; same pattern as @dfinity/agent. | ai | |
| phantom-deps | phantom-dep:@dfinity/agent | AI (phantom-deps): ICP coin support; referenced in config/type files, stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@ledgerhq/hw-app-concordium | AI (dependencies): First-party @ledgerhq scoped package from same org; consistent with monorepo pattern. | ai | |
| dependencies | unvetted-dep:@ledgerhq/live-signer-cosmos | AI (dependencies): First-party @ledgerhq scoped signer package; consistent with org's multi-chain architecture. | ai | |
| dependencies | unvetted-dep:@ledgerhq/live-signer-hyperliquid | AI (dependencies): First-party @ledgerhq scoped signer package; consistent with org's multi-chain architecture. | ai | |
| dependencies | unvetted-dep:@ledgerhq/live-signer-celo | AI (dependencies): First-party @ledgerhq scoped signer package; consistent with org's multi-chain architecture. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @ledgerhq/client-ids is same-org dep; addition is routine for this package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Large monorepo library regularly adds many files per release; not indicative of injected code. | ai | |
| dependencies | unvetted-dep:@ledgerhq/live-signer-aleo | AI (dependencies): Same-org LedgerHQ package added as part of Aleo coin integration; consistent with package's pattern of coin-specific signers. | ai | |
| phantom-deps | phantom-dep:@types/bchaddrjs | AI (phantom-deps): @types packages are loaded by convention in TypeScript projects; stable false positive. | ai | |
| phantom-deps | phantom-dep:i18next | AI (phantom-deps): i18next is referenced in config files; stable false positive for this library. | ai | |
| phantom-deps | phantom-dep:@types/qs | AI (phantom-deps): @types packages are loaded by convention in TypeScript projects; stable false positive. | ai | |
| phantom-deps | phantom-dep:@types/pako | AI (phantom-deps): @types packages are loaded by convention in TypeScript projects; stable false positive. | ai | |
| phantom-deps | phantom-dep:@types/redux-actions | AI (phantom-deps): @types packages are loaded by convention in TypeScript projects; stable false positive. | ai | |
| phantom-deps | phantom-dep:bs58 | AI (phantom-deps): Used in config/scripts context in this large multi-coin library; stable false positive. | ai | |
| phantom-deps | phantom-dep:@ton/crypto | AI (phantom-deps): Used in config/scripts context in this large multi-coin library; stable false positive. | ai | |
| phantom-deps | phantom-dep:bech32 | AI (phantom-deps): Used in config/scripts context in this large multi-coin library; stable false positive. | ai | |
| phantom-deps | phantom-dep:@ton/core | AI (phantom-deps): Used in config/scripts context in this large multi-coin library; stable false positive. | ai | |
| phantom-deps | phantom-dep:@oxlint/binding-darwin-x64 | AI (phantom-deps): Optional native binary for oxlint linter; not directly imported in JS by design. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@oxlint/binding-darwin-arm64 | AI (phantom-deps): Optional native binary for oxlint linter; not directly imported in JS by design. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@oxlint/binding-linux-x64-gnu | AI (phantom-deps): Optional native binary for oxlint linter; not directly imported in JS by design. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@oxlint/binding-win32-x64-msvc | AI (phantom-deps): Optional native binary for oxlint linter; not directly imported in JS by design. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:rlp | AI (phantom-deps): Used in config/scripts context in this large multi-coin library; stable false positive. | ai | |
| phantom-deps | phantom-dep:tsx | AI (phantom-deps): Used as a script runner (test-account-migration script); not directly imported but legitimately used. | ai | |
| phantom-deps | phantom-dep:bip32 | AI (phantom-deps): Used in config/scripts context in this large multi-coin library; stable false positive. | ai | |
| phantom-deps | phantom-dep:bip39 | AI (phantom-deps): Used in config/scripts context in this large multi-coin library; stable false positive. | ai | |
| phantom-deps | phantom-dep:yargs | AI (phantom-deps): Used in config/scripts context in this large multi-coin library; stable false positive. | ai | |
| phantom-deps | phantom-dep:@ledgerhq/hw-transport-mocker | AI (phantom-deps): Same-org test utility; used in test config context, not directly imported in main source. Stable false positive. | ai | |
| dependencies | unvetted-dep:@types/qs | AI (dependencies): @types/qs is a standard TypeScript type definition package for the qs library; no security risk. | ai | |
| dependencies | unvetted-dep:@ledgerhq/live-signer-solana | AI (dependencies): Same-org @ledgerhq scoped package; part of the official Ledger Live ecosystem. | ai | |
| dependencies | unvetted-dep:@ledgerhq/live-signer-canton | AI (dependencies): Same-org @ledgerhq scoped package; part of the official Ledger Live ecosystem. | ai | |
| dependencies | unvetted-dep:@ledgerhq/wallet-api-server | AI (dependencies): Same-org @ledgerhq scoped package; part of the official Ledger Live ecosystem. | ai | |
| dependencies | unvetted-dep:@ledgerhq/live-signer-evm | AI (dependencies): Same-org @ledgerhq scoped package; part of the official Ledger Live ecosystem. | ai | |
| dependencies | unvetted-dep:@ledgerhq/live-dmk-shared | AI (dependencies): Same-org @ledgerhq scoped package; part of the official Ledger Live ecosystem. | ai | |
| dependencies | unvetted-dep:@ledgerhq/crypto-icons-ui | AI (dependencies): Same-org @ledgerhq scoped package; part of the official Ledger Live ecosystem. | ai | |
| dependencies | unvetted-dep:@zondax/ledger-cosmos-js | AI (dependencies): Zondax is a known Ledger hardware wallet SDK partner; this is an expected dependency for Cosmos support. | ai | |
| dependencies | unvetted-dep:@ledgerhq/hw-app-cosmos | AI (dependencies): Same-org @ledgerhq scoped package; part of the official Ledger hardware wallet SDK ecosystem. | ai | |
| provenance | no-provenance | AI (provenance): LedgerHQ's CI publisher has 41 approved packages; lack of Sigstore provenance is common and not a disqualifier for this established org. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Reading SEED* env vars in bot/portfolio test utilities is expected for Ledger Live's internal testing framework, not exfiltration. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used in e2e/runCli.js to invoke the Ledger Live CLI binary for end-to-end testing — expected and scoped to test utilities. | ai | |
| semgrep | semgrep:shady-links-tlds | AI (semgrep): swaps.xyz is a legitimate swap provider integration; .xyz TLD is common for crypto/fintech services. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get() in e2e CLI utilities is standard JavaScript, not obfuscation. Used for safe property access on parsed JSON. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decoding is ubiquitous in cryptographic/blockchain operations; expected across all coin implementations in this SDK. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding is fundamental to transaction signing in a hardware wallet SDK; used for Solana transaction buffers. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): 0.0.0.0:3000 is a localhost development placeholder for the Alpaca bridge — standard dev tooling in a hardware wallet SDK. | ai | |
| semgrep | semgrep:etc-passwd-access | AI (semgrep): Finding is in a test file (helpers.test.ts) that explicitly tests rejection of file:///etc/passwd URLs — it's a security test, not credential harvesting. | ai | |
Versions (showing 31 of 31)
| Version | Deps | Published |
|---|---|---|
| 34.71.0 | 150 / 47 | |
| 34.70.0 | 149 / 47 | |
| 34.69.0 | 149 / 46 | |
| 34.68.0 | 150 / 46 | |
| 34.67.0 | 150 / 46 | |
| 34.66.0 | 145 / 48 | |
| 34.65.0 | 143 / 48 | |
| 34.64.0 | 143 / 48 | |
| 34.60.0 | 140 / 48 | |
| 34.59.0 | 139 / 47 | |
| 34.58.0 | 137 / 47 | |
| 34.57.0 | 137 / 47 | |
| 34.56.0 | 135 / 48 | |
| 34.55.2 | 136 / 48 | |
| 34.55.1 | 136 / 48 | |
| 34.55.0 | 136 / 48 | |
| 34.54.1 | 137 / 49 | |
| 34.54.0 | 137 / 49 | |
| 34.53.0 | 136 / 49 | |
| 34.52.1 | 136 / 49 | |
| 34.52.0 | 136 / 49 | |
| 34.50.0 | 136 / 49 | |
| 34.46.0 | 132 / 49 | |
| 34.42.1 | 129 / 49 | |
| 34.41.0 | 129 / 49 | |
| 34.40.1 | 129 / 49 | |
| 34.38.1 | 129 / 49 | |
| 34.35.1 | 128 / 49 | |
| 34.35.0 | 128 / 49 | |
| 34.34.0 | 130 / 49 | |
| 34.31.2 | 130 / 49 | |
v34.71.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v34.70.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v34.69.0
3 findings:
- Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux:
      86 | it("should reject file: URLs", () => {
      87 |   const inputs = {
    > 88 |     goToURL: "file:///etc/passwd",
      89 |   };
      90 |   // @ts-expect-error - test mock object doesn't have all LiveAppManifest properties
- Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux:
      142 | expect(isUrlAllowedByManifestDomains("javascript:alert(1)", ["https://*"])).toBe(false);
      143 | expect(isUrlAllowedByManifestDomains("data:text/html,<script>", ["https://*"])).toBe(false);
    > 144 | expect(isUrlAllowedByManifestDomains("file:///etc/passwd", ["https://*"])).toBe(false);
      145 | });
      146 |
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v34.68.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v34.67.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v34.66.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v34.65.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v34.64.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v34.59.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v34.58.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v34.57.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v34.56.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v34.55.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v34.55.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v34.52.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v34.50.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v34.46.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v34.42.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v34.41.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v34.40.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v34.38.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v34.35.1
3 findings:
- Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
- Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v34.35.0
3 findings:
- Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
- Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v34.34.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v34.31.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.