@polkadot/primitives-codec

Encoding for primitives as runtime execution inputs

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

jacogr

Keywords

Polkadot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	new-deps-added	AI (publish-pattern): @polkadot/util-keyring is a same-org package from the same trusted polkadot-js publisher; adding it is a natural ecosystem dependency, not a supply chain risk.	ai	2026/04/24
source-diff	encoded-string-file:block/encode.spec.js	AI (source-diff): Long byte array in test file is a legitimate encoding test vector (expected Uint8Array output), not a malicious payload. Pattern is stable for this test-heavy codec package.	ai	2026/04/24
phantom-deps	phantom-dep:@polkadot/primitives	AI (phantom-deps): Same-org sibling package in the polkadot-js monorepo; declared as a dependency and used transitively. Not a real phantom dep risk.	ai	2026/04/24
phantom-deps	phantom-dep:@polkadot/util-keyring	AI (phantom-deps): Same-org sibling dependency declared but not directly imported; consistent with polkadot-js monorepo packaging patterns. Not a security concern.	ai	2026/04/24
provenance	no-provenance	AI (provenance): Established package from highly trusted publisher (jacogr, 1163 approvals). Lack of provenance attestation is not a meaningful risk signal here.	ai	2026/04/24

Versions (showing 51 of 112)

View all versions

Version	Deps	Published
0.25.3	6 / 0	2018-06-27
0.25.2	6 / 0	2018-06-27
0.25.1	6 / 0	2018-06-26
0.20.3	6 / 0	2018-06-26
0.20.2	6 / 0	2018-06-26
0.20.1	6 / 0	2018-06-26
0.19.5	6 / 0	2018-06-25
0.19.4	6 / 0	2018-06-24
0.19.3	6 / 0	2018-06-24
0.19.2	6 / 0	2018-06-24
0.19.1	6 / 0	2018-06-23
0.18.2	6 / 0	2018-06-20
0.17.28	6 / 0	2018-06-20
0.17.27	6 / 0	2018-06-20
0.17.26	6 / 0	2018-06-20
0.17.25	6 / 0	2018-06-13
0.17.24	6 / 0	2018-06-12
0.17.23	6 / 0	2018-06-12
0.17.22	6 / 0	2018-06-12
0.17.21	6 / 0	2018-06-11
0.17.20	6 / 0	2018-06-11
0.17.19	6 / 0	2018-06-08
0.17.18	6 / 0	2018-06-07
0.17.17	6 / 0	2018-06-04
0.17.16	6 / 0	2018-06-04
0.17.15	6 / 0	2018-06-04
0.17.14	6 / 0	2018-06-03
0.17.13	6 / 0	2018-06-03
0.17.12	6 / 0	2018-06-03
0.17.11	6 / 0	2018-06-02
0.17.10	6 / 0	2018-06-02
0.17.9	6 / 0	2018-06-01
0.17.8	6 / 0	2018-06-01
0.17.7	6 / 0	2018-05-31
0.17.6	6 / 0	2018-05-31
0.17.5	6 / 0	2018-05-30
0.17.4	6 / 0	2018-05-29
0.17.3	6 / 0	2018-05-29
0.17.2	6 / 0	2018-05-29
0.17.1	6 / 0	2018-05-29
0.16.15	6 / 0	2018-05-28
0.16.14	6 / 0	2018-05-28
0.16.13	6 / 0	2018-05-28
0.16.12	6 / 0	2018-05-27
0.16.11	6 / 0	2018-05-27
0.16.10	6 / 0	2018-05-27
0.16.9	6 / 0	2018-05-25
0.16.8	6 / 0	2018-05-25
0.16.7	6 / 0	2018-05-25
0.16.6	6 / 0	2018-05-25
0.16.5	6 / 0	2018-05-24

v0.25.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.25.2

2 findings

HIGH Long encoded string in modified file: block/encode.spec.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.