@swapkit/wallets
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/src/passkeys/index.js | AI (source-diff): Standard minified ESM build output; same rationale as CJS counterpart. | ai | |
| source-diff | obfuscated-file:dist/src/passkeys/index.cjs | AI (source-diff): Standard minified build output from SwapKit's bun build pipeline; readable logic, no obfuscation indicators. | ai | |
| dependencies | unvetted-dep:@near-wallet-selector/meteor-wallet-app | AI (dependencies): Official NEAR wallet-selector monorepo package; legitimate wallet integration. | ai | |
| dependencies | unvetted-dep:@near-wallet-selector/okx-wallet | AI (dependencies): Official NEAR wallet-selector monorepo package; legitimate wallet integration. | ai | |
| dependencies | unvetted-dep:@near-wallet-selector/hot-wallet | AI (dependencies): Official NEAR wallet-selector monorepo package; legitimate wallet integration. | ai | |
| dependencies | unvetted-dep:@near-wallet-selector/near-mobile-wallet | AI (dependencies): Official NEAR wallet-selector monorepo package; legitimate wallet integration. | ai | |
| dependencies | unvetted-dep:@near-wallet-selector/nightly | AI (dependencies): Official NEAR wallet-selector monorepo package; legitimate wallet integration. | ai | |
| phantom-deps | phantom-dep:@scure/bip39 | AI (phantom-deps): Multi-wallet library; crypto deps referenced in config for platform-specific wallet integrations. | ai | |
| phantom-deps | phantom-dep:blakejs | AI (phantom-deps): Multi-wallet library; crypto deps referenced in config for platform-specific wallet integrations. | ai | |
| phantom-deps | phantom-dep:@scure/base | AI (phantom-deps): Multi-wallet library; crypto deps referenced in config for platform-specific wallet integrations. | ai | |
| phantom-deps | phantom-dep:near-api-js | AI (phantom-deps): Multi-wallet library; wallet-specific deps referenced in config for optional integrations. | ai | |
| phantom-deps | phantom-dep:@cosmjs/crypto | AI (phantom-deps): Multi-wallet library; wallet-specific deps referenced in config for optional integrations. | ai | |
| phantom-deps | phantom-dep:@trezor/connect-web | AI (phantom-deps): Multi-wallet library; wallet-specific deps referenced in config for optional integrations. | ai | |
| phantom-deps | phantom-dep:ripple-binary-codec | AI (phantom-deps): Multi-wallet library; wallet-specific deps referenced in config for optional integrations. | ai | |
| dependencies | unvetted-dep:xumm | AI (dependencies): Xumm is the official XRPL wallet SDK; expected dependency for this wallet aggregator package. | ai | |
| dependencies | unvetted-dep:@near-wallet-selector/modal-ui-js | AI (dependencies): NEAR wallet selector UI; expected for NEAR wallet integration. | ai | |
| dependencies | unvetted-dep:@passkeys/react | AI (dependencies): Passkeys React SDK; consistent with package purpose. | ai | |
| dependencies | unvetted-dep:@passkeys/core | AI (dependencies): Passkeys SDK for wallet auth; consistent with package purpose. | ai | |
| dependencies | unvetted-dep:@near-wallet-selector/bitget-wallet | AI (dependencies): NEAR wallet selector Bitget adapter; expected for NEAR wallet integration. | ai | |
| phantom-deps | phantom-dep:@near-js/transactions | AI (phantom-deps): Declared as transitive/type dep for NEAR integration; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@radixdlt/babylon-gateway-api-sdk | AI (phantom-deps): Declared as peer/optional dep for Radix integration; referenced in config, not a security concern. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decode is used only to convert a string to Buffer for blake2b hashing — no payload hiding. | ai | |
| phantom-deps | phantom-dep:@near-wallet-selector/bitget-wallet | AI (phantom-deps): Wallet selector plugin declared for NEAR integration; config-only reference is expected pattern. | ai | |
Versions (showing 84 of 84)
| Version | Deps | Published |
|---|---|---|
| 4.8.23 | 27 / 22 | |
| 4.8.22 | 27 / 22 | |
| 4.8.21 | 27 / 22 | |
| 4.8.20 | 27 / 22 | |
| 4.8.19 | 27 / 22 | |
| 4.8.18 | 27 / 22 | |
| 4.8.17 | 27 / 22 | |
| 4.8.16 | 27 / 22 | |
| 4.8.15 | 27 / 22 | |
| 4.8.14 | 27 / 22 | |
| 4.8.13 | 27 / 22 | |
| 4.8.12 | 27 / 22 | |
| 4.8.11 | 27 / 22 | |
| 4.8.10 | 27 / 22 | |
| 4.8.9 | 27 / 22 | |
| 4.8.8 | 27 / 22 | |
| 4.8.7 | 27 / 22 | |
| 4.8.6 | 27 / 22 | |
| 4.8.5 | 27 / 22 | |
| 4.8.4 | 27 / 22 | |
| 4.8.3 | 27 / 22 | |
| 4.8.2 | 27 / 22 | |
| 4.8.1 | 27 / 22 | |
| 4.8.0 | 27 / 22 | |
| 4.7.0 | 27 / 22 | |
| 4.6.4 | 26 / 22 | |
| 4.6.3 | 26 / 22 | |
| 4.6.2 | 26 / 22 | |
| 4.6.1 | 26 / 22 | |
| 4.6.0 | 26 / 22 | |
| 4.3.11 | 25 / 22 | |
| 4.3.10 | 25 / 22 | |
| 4.3.9 | 25 / 22 | |
| 4.3.8 | 25 / 22 | |
| 4.3.7 | 25 / 22 | |
| 4.3.6 | 25 / 22 | |
| 4.3.5 | 25 / 22 | |
| 4.3.4 | 25 / 22 | |
| 4.3.3 | 25 / 22 | |
| 4.3.2 | 25 / 22 | |
| 4.2.10 | 29 / 29 | |
| 4.2.9 | 29 / 29 | |
| 4.2.8 | 29 / 29 | |
| 4.2.7 | 29 / 29 | |
| 4.2.6 | 29 / 29 | |
| 4.2.5 | 29 / 29 | |
| 4.2.4 | 29 / 29 | |
| 4.2.3 | 29 / 29 | |
| 4.2.2 | 37 / 37 | |
| 4.2.1 | 37 / 37 | |
| 4.2.0 | 37 / 37 | |
| 4.1.31 | 27 / 27 | |
| 4.1.30 | 27 / 27 | |
| 4.1.29 | 27 / 27 | |
| 4.1.28 | 27 / 27 | |
| 4.1.27 | 27 / 26 | |
| 4.1.26 | 27 / 26 | |
| 4.1.25 | 27 / 26 | |
| 4.1.24 | 27 / 26 | |
| 4.1.23 | 27 / 26 | |
| 4.1.22 | 27 / 26 | |
| 4.1.21 | 27 / 26 | |
| 4.1.20 | 27 / 26 | |
| 4.1.19 | 27 / 26 | |
| 4.1.18 | 27 / 26 | |
| 4.1.17 | 27 / 26 | |
| 4.1.16 | 27 / 26 | |
| 4.1.15 | 27 / 26 | |
| 4.1.14 | 27 / 26 | |
| 4.1.13 | 27 / 26 | |
| 4.1.12 | 27 / 26 | |
| 4.1.11 | 27 / 26 | |
| 4.1.10 | 27 / 26 | |
| 4.1.9 | 27 / 26 | |
| 4.1.8 | 27 / 26 | |
| 4.1.7 | 27 / 26 | |
| 4.1.6 | 27 / 26 | |
| 4.1.5 | 27 / 26 | |
| 4.1.4 | 27 / 26 | |
| 4.1.3 | 27 / 26 | |
| 4.1.2 | 27 / 26 | |
| 4.1.1 | 27 / 26 | |
| 4.1.0 | 27 / 26 | |
| 4.0.0 | 27 / 26 | |
v4.8.23
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.8.22
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.8.21
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.8.20
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.8.19
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.8.18
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.8.17
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.8.16
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.8.15
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.8.14
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.8.13
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.8.12
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.8.11
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.8.10
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.8.9
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.8.7
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.8.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.8.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.8.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.8.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.8.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.8.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.6.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.6.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.6.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.6.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.3.11
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.10
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.9
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.8
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.7
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.6
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.5
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.4
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.3
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.2
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.10
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.9
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.2.8
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.2.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.31
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.30
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.29
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.28
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.27
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.26
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.25
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.24
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.23
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.22
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.21
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.20
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.19
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.18
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.17
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.16
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.15
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.14
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.13
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.12
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.11
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.10
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.9
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.8
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.7
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.6
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.