@lombard.finance/ts-verifier

Lombard Deposit Address Verifier

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

lombard229lombard_financemeaganlombard

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:hex-decode	AI (semgrep): Hex decoding is used for Bitcoin/Solana address parsing — core functionality of this deposit address verifier library.	ai	2026/05/21
phantom-deps	phantom-dep:buffer	AI (phantom-deps): Node.js polyfill declared for browser bundling via vite-plugin-node-polyfills; not directly imported in source.	ai	2026/05/21
phantom-deps	phantom-dep:util	AI (phantom-deps): Node.js polyfill for browser bundling; stable false positive for this package.	ai	2026/05/21
phantom-deps	phantom-dep:vite	AI (phantom-deps): Build tool referenced in config; not a runtime import.	ai	2026/05/21
phantom-deps	phantom-dep:events	AI (phantom-deps): Node.js polyfill for browser bundling; stable false positive.	ai	2026/05/21
phantom-deps	phantom-dep:process	AI (phantom-deps): Node.js polyfill for browser bundling; stable false positive.	ai	2026/05/21
phantom-deps	phantom-dep:typescript	AI (phantom-deps): Build-time type checker referenced in scripts; not a runtime import.	ai	2026/05/21
phantom-deps	phantom-dep:evp_bytestokey	AI (phantom-deps): Transitive polyfill for crypto-browserify; stable false positive.	ai	2026/05/21
phantom-deps	phantom-dep:stream-browserify	AI (phantom-deps): Node.js stream polyfill for browser bundling; stable false positive.	ai	2026/05/21

Versions (showing 6 of 6)

Version	Deps	Published
0.1.7	14 / 21	2026-04-28
0.1.6	14 / 21	2025-12-25
0.1.4	14 / 20	2025-12-02
0.1.3	13 / 19	2025-11-28
0.1.2	7 / 4	2025-11-20
0.1.1	6 / 4	2025-07-03