@taquito/ledger-signer
Versions: 8
License: —
Install Scripts: No
Provenance: Verified
Supply chain provenance
Status for the latest visible version.
- SLSA provenance attestation
- npm registry signatures
- gitHead linked
Maintainers
jevonearthroxaneletourneauhui-an.yanggimbrailo.ecad
Keywords
taquito, tezos, typescript, blockchain, wallet, ledger, signer
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:buffer | AI (phantom-deps): buffer is used via Buffer.from() in the signing code; declared as a runtime dep for browser polyfill. Stable false positive for this package. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Buffer.from(bytes, 'hex') is standard hex-to-buffer conversion for preparing cryptographic signing payloads for Ledger hardware; not a malicious pattern for this package. | ai | |
| phantom-deps | phantom-dep:@taquito/taquito | AI (phantom-deps): Same-org sibling package from the taquito monorepo; phantom dep is a packaging artifact, not a supply chain risk. | ai | |
Versions (showing 8 of 8)
| Version | Deps | Published |
|---|---|---|
| 24.3.0 | 6 / 23 | |
| 24.2.0 | 6 / 26 | |
| 24.1.0 | 6 / 26 | |
| 24.0.2 | 6 / 26 | |
| 24.0.1 | 6 / 26 | |
| 24.0.0 | 6 / 26 | |
| 23.1.0 | 6 / 26 | |
| 23.0.3 | 6 / 26 | |
v24.3.0
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.2.0
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.