
@taquito/signer

8 versions | License | No install scripts | Verified provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation | npm registry signatures | gitHead linked

Maintainers

jevonearth, roxaneletourneau, hui-an.yang, gimbrailo.ecad

Keywords

taquito, tezos, typescript, blockchain, signer, crypto

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by
publish-pattern | new-deps-added | AI (publish-pattern): bn.js is a well-known, widely-used big-number library; appropriate for a cryptographic signer package. | ai
dependencies | unvetted-dep:elliptic | AI (dependencies): elliptic is a standard EC cryptography library appropriate for a blockchain signer; its use here is expected and legitimate. | ai
dependencies | unvetted-dep:@stablelib/hmac | AI (dependencies): @stablelib/hmac is a reputable cryptographic primitive library; expected dependency for a cryptographic signer package. | ai
dependencies | unvetted-dep:@stablelib/pbkdf2 | AI (dependencies): @stablelib/pbkdf2 is a reputable cryptographic primitive library; expected dependency for a cryptographic signer package. | ai
dependencies | unvetted-dep:@stablelib/ed25519 | AI (dependencies): @stablelib/ed25519 is a reputable Ed25519 implementation; expected dependency for a Tezos signer package. | ai
phantom-deps | phantom-dep:@stablelib/pbkdf2 | AI (phantom-deps): Declared but not directly imported; likely used transitively or in config. Not a security concern for this package. | ai
dependencies | unvetted-dep:@stablelib/sha512 | AI (dependencies): @stablelib/sha512 is a reputable cryptographic primitive library; expected dependency for a cryptographic signer package. | ai
dependencies | unvetted-dep:@stablelib/nacl | AI (dependencies): @stablelib/nacl is a well-known audited NaCl crypto library; its use in a cryptographic signer package is expected and appropriate across all versions. | ai
phantom-deps | phantom-dep:@types/bn.js | AI (phantom-deps): @types/bn.js is a TypeScript type declaration package with no runtime security implications; stable false positive for this package. | ai

Versions (showing 8 of 8)

Version   Deps
24.3.0    9 / 23
24.2.0    14 / 28
24.1.0    14 / 28
24.0.2    14 / 28
24.0.1    14 / 28
24.0.0    13 / 28
23.1.0    13 / 28
23.0.3    15 / 28

v24.3.0

1 finding
INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with a Sigstore-signed SLSA provenance attestation (predicate type https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal the registry offers: the attestation ties the published tarball to a specific source repository, commit and CI workflow run, so a consumer can check that the artifact was built from the expected repository rather than uploaded from a developer's machine or with a leaked publish token. It attests to how the package was built, not to whether the source or its dependencies are benign, so code and dependency review is still needed. Consumers can verify the registry signature and the attestation locally with `npm audit signatures`.
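Having provenance is only useful if the consumer checks what the attestation actually says. The following is an added example, not code from this review page or from the Taquito project: policy checks applied to a decoded npm SLSA v1 provenance statement. It does not fetch anything from the registry and does not verify the Sigstore signature (use `npm audit signatures` or sigstore-js for that); it checks that a statement you already trust cryptographically names the expected package, tarball digest, builder, build type and source repository. The expected builder and build-type URIs, the repository URL https://github.com/ecadlabs/taquito, and the sample statement itself (with placeholder digests, commit SHA and run IDs) are assumptions made for the example.

```javascript
// Added example: policy checks on an npm SLSA v1 provenance statement.
// Not from the review page or the Taquito project. Signature verification
// and registry fetching are out of scope; this validates the decoded
// in-toto statement against what the consumer expects.

const EXPECTED = {
  statementType: "https://in-toto.io/Statement/v1",
  predicateType: "https://slsa.dev/provenance/v1",
  // Assumed values for a GitHub-hosted Actions build; compare with what the
  // registry actually returns for the package before pinning them in policy.
  builderId: "https://github.com/actions/runner/github-hosted",
  buildType: "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
  // Assumed source repository for @taquito/signer.
  repository: "https://github.com/ecadlabs/taquito",
};

// npm lockfile integrity ("sha512-<base64>") -> lowercase hex, the encoding
// used in the attestation subject digest.
function integrityToHex(integrity) {
  const [algo, b64] = integrity.split("-", 2);
  if (algo !== "sha512" || !b64) throw new Error(`unsupported integrity: ${integrity}`);
  return Buffer.from(b64, "base64").toString("hex");
}

// Package URL as used in npm provenance subjects: scope "@" is %40, "/" kept.
function npmPurl(name, version) {
  return `pkg:npm/${name.replace(/^@/, "%40")}@${version}`;
}

// Returns { ok, failures }; every failed check is recorded, none short-circuit.
function checkProvenance(statement, { name, version, integrity }, expected = EXPECTED) {
  const failures = [];
  const p = statement.predicate || {};
  const bd = p.buildDefinition || {};
  const rd = p.runDetails || {};

  if (statement._type !== expected.statementType) failures.push(`statement type ${statement._type}`);
  if (statement.predicateType !== expected.predicateType) failures.push(`predicate type ${statement.predicateType}`);

  // The subject must name this exact package@version and match the tarball
  // digest from the lockfile, otherwise the attestation is about something else.
  const purl = npmPurl(name, version);
  const wantHex = integrityToHex(integrity);
  const subject = (statement.subject || []).find((s) => s.name === purl);
  if (!subject) failures.push(`no subject for ${purl}`);
  else if ((subject.digest || {}).sha512 !== wantHex) failures.push(`subject digest mismatch for ${purl}`);

  // Who built it and how.
  if ((rd.builder || {}).id !== expected.builderId) failures.push(`builder ${(rd.builder || {}).id}`);
  if (bd.buildType !== expected.buildType) failures.push(`buildType ${bd.buildType}`);

  // Where the source came from: the workflow repository and the resolved git
  // dependency must both point at the expected repository, pinned to a commit.
  const wf = (bd.externalParameters || {}).workflow || {};
  if (wf.repository !== expected.repository) failures.push(`workflow repository ${wf.repository}`);
  const src = (bd.resolvedDependencies || []).find(
    (d) => typeof d.uri === "string" && d.uri.startsWith(`git+${expected.repository}@`)
  );
  if (!src) failures.push("no resolved git dependency for expected repository");
  else if (!/^[0-9a-f]{40}$/.test((src.digest || {}).gitCommit || "")) failures.push("source not pinned to a commit sha");

  return { ok: failures.length === 0, failures };
}

// Constructed sample: shape follows npm's SLSA v1 provenance, but the digest,
// commit SHA and run ID are placeholders, not real @taquito/signer values.
const FAKE_SHA512_HEX = "ab".repeat(64);
const SAMPLE_INTEGRITY = "sha512-" + Buffer.from(FAKE_SHA512_HEX, "hex").toString("base64");
const SAMPLE_PACKAGE = { name: "@taquito/signer", version: "24.3.0", integrity: SAMPLE_INTEGRITY };
const SAMPLE_STATEMENT = {
  _type: "https://in-toto.io/Statement/v1",
  subject: [{ name: "pkg:npm/%40taquito/signer@24.3.0", digest: { sha512: FAKE_SHA512_HEX } }],
  predicateType: "https://slsa.dev/provenance/v1",
  predicate: {
    buildDefinition: {
      buildType: EXPECTED.buildType,
      externalParameters: {
        workflow: { ref: "refs/tags/24.3.0", repository: EXPECTED.repository, path: ".github/workflows/publish.yml" },
      },
      resolvedDependencies: [
        { uri: `git+${EXPECTED.repository}@refs/tags/24.3.0`, digest: { gitCommit: "0123456789abcdef0123456789abcdef01234567" } },
      ],
    },
    runDetails: {
      builder: { id: EXPECTED.builderId },
      metadata: { invocationId: `${EXPECTED.repository}/actions/runs/1/attempts/1` },
    },
  },
};

// A validly signed statement built from a different repository (a fork, or an
// attacker's own repo) must still be rejected by policy; this builds one.
function withRepository(statement, repo) {
  const copy = JSON.parse(JSON.stringify(statement));
  copy.predicate.buildDefinition.externalParameters.workflow.repository = repo;
  copy.predicate.buildDefinition.resolvedDependencies[0].uri = `git+${repo}@refs/tags/24.3.0`;
  return copy;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(checkProvenance(SAMPLE_STATEMENT, SAMPLE_PACKAGE));
  console.log(checkProvenance(withRepository(SAMPLE_STATEMENT, "https://github.com/someone-else/taquito"), SAMPLE_PACKAGE));
}
```

The point of the repository and commit checks is that Sigstore proves the statement was signed by the CI identity it claims, while policy proves that identity is the one you meant: a signed attestation from a fork is still a signed attestation. In practice the integrity string comes from package-lock.json and the statement from the registry's attestations for that version.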

v24.2.0

1 finding
LOW (provenance): No provenance attestation

Package was published without Sigstore provenance, so nothing attests which source commit or CI run this tarball came from. Consider asking the maintainer to enable provenance by publishing from CI/CD with `npm publish --provenance`.

v24.1.0

1 finding
LOW (provenance): No provenance attestation

Package was published without Sigstore provenance, so nothing attests which source commit or CI run this tarball came from. Consider asking the maintainer to enable provenance by publishing from CI/CD with `npm publish --provenance`.

v24.0.2

1 finding
LOW (provenance): No provenance attestation

Package was published without Sigstore provenance, so nothing attests which source commit or CI run this tarball came from. Consider asking the maintainer to enable provenance by publishing from CI/CD with `npm publish --provenance`.

v24.0.1

1 finding
LOW (provenance): No provenance attestation

Package was published without Sigstore provenance, so nothing attests which source commit or CI run this tarball came from. Consider asking the maintainer to enable provenance by publishing from CI/CD with `npm publish --provenance`.

v24.0.0

1 finding
LOW (provenance): No provenance attestation

Package was published without Sigstore provenance, so nothing attests which source commit or CI run this tarball came from. Consider asking the maintainer to enable provenance by publishing from CI/CD with `npm publish --provenance`.

v23.0.3

1 finding
LOW (provenance): No provenance attestation

Package was published without Sigstore provenance, so nothing attests which source commit or CI run this tarball came from. Only ~12% of npm packages have provenance, so this is common, but it is not ideal for a package that handles signing keys.