@metamask/assets-controllers
Controllers which manage interactions involving ERC-20, ERC-721, and ERC-1155 tokens (including NFTs)
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Established MetaMask org package; lack of provenance is consistent across all prior versions. | ai | |
| phantom-deps | phantom-dep:@types/uuid | AI (phantom-deps): Type-only package declared as dep for type resolution; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/bn.js | AI (phantom-deps): Type-only package declared as dep for type resolution; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@ethersproject/abi | AI (phantom-deps): Referenced in config/build files; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:bitcoin-address-validation | AI (phantom-deps): Likely used indirectly via re-exports; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@metamask/multichain-account-service | AI (phantom-deps): Same-org dependency; stable false positive for this package. | ai |
Versions (showing 57 of 57)
| Version | Deps | Published |
|---|---|---|
| 108.5.0 | 46 / 21 | |
| 108.4.0 | 46 / 21 | |
| 108.3.0 | 46 / 21 | |
| 108.2.0 | 46 / 21 | |
| 108.1.0 | 46 / 21 | |
| 108.0.0 | 46 / 21 | |
| 107.0.0 | 46 / 21 | |
| 106.0.1 | 46 / 21 | |
| 106.0.0 | 46 / 21 | |
| 105.1.0 | 45 / 21 | |
| 105.0.0 | 45 / 21 | |
| 104.3.0 | 45 / 21 | |
| 104.2.0 | 45 / 21 | |
| 104.1.0 | 45 / 21 | |
| 104.0.0 | 45 / 21 | |
| 103.1.1 | 45 / 21 | |
| 103.1.0 | 45 / 21 | |
| 103.0.0 | 45 / 21 | |
| 102.0.0 | 45 / 21 | |
| 101.0.1 | 45 / 21 | |
| 101.0.0 | 45 / 21 | |
| 100.2.1 | 45 / 20 | |
| 100.2.0 | 45 / 20 | |
| 100.1.0 | 45 / 20 | |
| 100.0.3 | 45 / 20 | |
| 100.0.2 | 45 / 20 | |
| 100.0.1 | 45 / 20 | |
| 100.0.0 | 45 / 20 | |
| 99.4.0 | 45 / 21 | |
| 99.3.2 | 45 / 21 | |
| 99.3.1 | 45 / 21 | |
| 99.3.0 | 45 / 21 | |
| 99.2.0 | 45 / 21 | |
| 99.1.0 | 45 / 21 | |
| 99.0.0 | 45 / 21 | |
| 98.0.0 | 45 / 21 | |
| 97.0.0 | 44 / 21 | |
| 96.0.0 | 43 / 21 | |
| 95.3.0 | 43 / 21 | |
| 95.2.0 | 43 / 21 | |
| 95.1.0 | 43 / 21 | |
| 95.0.0 | 43 / 21 | |
| 94.1.0 | 43 / 21 | |
| 94.0.0 | 43 / 21 | |
| 93.1.0 | 43 / 21 | |
| 93.0.0 | 43 / 21 | |
| 92.0.0 | 43 / 21 | |
| 91.0.0 | 30 / 33 | |
| 90.0.0 | 30 / 33 | |
| 89.0.1 | 30 / 33 | |
| 89.0.0 | 30 / 33 | |
| 88.0.0 | 30 / 33 | |
| 87.1.1 | 30 / 33 | |
| 87.1.0 | 30 / 33 | |
| 87.0.0 | 30 / 33 | |
| 86.0.0 | 30 / 32 | |
| 85.0.0 | 30 / 32 |
v108.5.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v108.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v108.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v108.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v108.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v108.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v107.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v106.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v106.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v105.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v105.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v104.3.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v104.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v104.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v104.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v103.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v103.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v103.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v102.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v101.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v101.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v100.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v100.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v100.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v100.0.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v100.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v100.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v100.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v99.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v99.3.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v99.3.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v99.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v99.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v99.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v99.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v98.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v97.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v96.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v95.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v95.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v95.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v95.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v94.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v94.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v93.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v93.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v92.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v91.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v90.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v89.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v89.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v88.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v87.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v87.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v87.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v86.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v85.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.