@taquito/taquito
Versions: 4
License: —
Install Scripts: Yes
Provenance: Verified
Supply chain provenance (status shown for the latest visible version):
- SLSA provenance attestation
- npm registry signatures
- gitHead linked
Maintainers: jevonearth, roxaneletourneau, hui-an.yang, gimbrailo.ecad
Keywords: taquito, tezos, typescript, blockchain, sdk, wallet, dapp
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| install-scripts | install-script:postinstall | AI (install-scripts): Taquito's postinstall runs a bundled patch.js (included in package files) for compatibility patching — a stable, documented pattern for this established ecadlabs library. | ai | |
| dependencies | unvetted-dep:@taquito/signer | AI (dependencies): Sibling package from the same @taquito monorepo (ecadlabs/taquito); not an external unknown dependency. | ai | |
| dependencies | unvetted-dep:@taquito/http-utils | AI (dependencies): Sibling package from the same @taquito monorepo (ecadlabs/taquito); not an external unknown dependency. | ai | |
| dependencies | unvetted-dep:@taquito/michel-codec | AI (dependencies): Sibling package from the same @taquito monorepo (ecadlabs/taquito); not an external unknown dependency. | ai | |
| dependencies | unvetted-dep:@taquito/core | AI (dependencies): Sibling package from the same @taquito monorepo (ecadlabs/taquito); not an external unknown dependency. | ai | |
| dependencies | unvetted-dep:@taquito/michelson-encoder | AI (dependencies): Sibling package from the same @taquito monorepo (ecadlabs/taquito); not an external unknown dependency. | ai | |
| dependencies | unvetted-dep:@taquito/local-forging | AI (dependencies): Sibling package from the same @taquito monorepo (ecadlabs/taquito); not an external unknown dependency. | ai | |
| provenance | slsa-provenance | AI (provenance): Package is consistently published via CI/CD with SLSA provenance attestation from the ecadlabs/taquito monorepo; this is a stable, positive signal for this package. | ai | |
Versions (showing 4 of 4)
| Version | Deps | Published |
|---|---|---|
| 24.3.0 | 10 / 33 | |
| 24.2.0 | 10 / 37 | |
| 24.0.0 | 10 / 37 | |
| 23.0.3 | 9 / 36 | |
v24.3.0 (1 finding)
- INFO, provenance: Has SLSA provenance attestation. Published via CI/CD with a Sigstore attestation (predicate type https://slsa.dev/provenance/v1). This is the strongest integrity signal the npm registry exposes: it ties the published tarball to a specific source repository and CI workflow run. It does not by itself prove the build was not tampered with inside CI, and it only protects installers that actually verify it (for example with `npm audit signatures`).

v24.0.0 (2 findings)
- HIGH, install-scripts: Package has a 'postinstall' script (`node patch.js`). Lifecycle hooks run arbitrary code with the installing user's privileges at `npm install` time, in every environment that installs the package. Review the patch.js shipped in the tarball, not only the repository copy, and install with `--ignore-scripts` where the patch is not needed.
- LOW, provenance: No provenance attestation. Published without a Sigstore provenance attestation, so the tarball cannot be tied to a source commit and build run. Only ~12% of npm packages have provenance, so this is common but not ideal. Provenance is per version: the attestation on 24.3.0 says nothing about this release.

v23.0.3 (2 findings)
- HIGH, install-scripts: Package has a 'postinstall' script (`node patch.js`). Same install-time code execution concern as for 24.0.0.
- LOW, provenance: No provenance attestation. Published without a Sigstore provenance attestation. Only ~12% of npm packages have provenance, so this is common but not ideal.
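The following is an added example, not code from the @taquito/taquito project or from the tool that produced this report. It reproduces the per-version checks listed above (install hooks, SLSA provenance attestation, registry signature, gitHead) against an npm packument, and adds the check behind the accepted-risk reasoning: that the file an install script runs is actually shipped in the tarball. The field names (`dist.attestations`, `dist.signatures`, `gitHead`, `scripts`) are the public registry packument shape; the package name, hashes and signature values in `samplePackument` are constructed, and the function names `triageVersion`, `maxSeverity` and `installScriptTargetsShipped` are this example's own.

```javascript
// Added example (not @taquito/taquito code): triage one published version of
// an npm packument for the supply chain signals discussed on this page.
// The packument below is a constructed sample; only the field names are real.

const SLSA_V1 = 'https://slsa.dev/provenance/v1';
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const SEVERITY_RANK = { INFO: 0, LOW: 1, MEDIUM: 2, HIGH: 3 };

// Constructed sample packument (not real registry data for any package).
const samplePackument = {
  name: 'example-sdk',
  versions: {
    '2.0.0': {
      scripts: { build: 'tsc' },
      gitHead: '0123456789abcdef0123456789abcdef01234567',
      dist: {
        tarball: 'https://registry.npmjs.org/example-sdk/-/example-sdk-2.0.0.tgz',
        attestations: {
          url: 'https://registry.npmjs.org/-/npm/v1/attestations/example-sdk@2.0.0',
          provenance: { predicateType: SLSA_V1 },
        },
        signatures: [{ keyid: 'SHA256:example-registry-key', sig: 'MEUCIQ...' }],
      },
    },
    '1.0.0': {
      scripts: { postinstall: 'node patch.js' },
      dist: { tarball: 'https://registry.npmjs.org/example-sdk/-/example-sdk-1.0.0.tgz' },
    },
  },
};

// Evaluate one published version and return findings in the report's shape.
function triageVersion(packument, version) {
  const v = packument.versions[version];
  if (!v) throw new Error(`${packument.name}@${version} is not in the packument`);
  const findings = [];
  const scripts = v.scripts || {};

  // Any lifecycle hook that fires on `npm install` executes arbitrary code.
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) {
      findings.push({ severity: 'HIGH', rule: `install-script:${hook}`, detail: scripts[hook] });
    }
  }

  // Presence of a SLSA v1 provenance predicate. This is presence only;
  // verifying the Sigstore bundle itself is a separate step (see usage note).
  const att = v.dist && v.dist.attestations;
  const predicate = att && att.provenance ? att.provenance.predicateType : undefined;
  if (predicate === SLSA_V1) {
    findings.push({ severity: 'INFO', rule: 'slsa-provenance', detail: predicate });
  } else {
    findings.push({ severity: 'LOW', rule: 'no-provenance',
      detail: predicate ? `unrecognised predicate ${predicate}` : 'no attestations' });
  }

  // Registry signature over the tarball integrity value.
  const sigs = (v.dist && v.dist.signatures) || [];
  if (sigs.length === 0) {
    findings.push({ severity: 'LOW', rule: 'no-registry-signature', detail: 'dist.signatures missing' });
  }

  // gitHead ties the publish to a commit; require a full 40-hex SHA-1.
  if (!/^[0-9a-f]{40}$/i.test(v.gitHead || '')) {
    findings.push({ severity: 'LOW', rule: 'no-githead', detail: 'gitHead missing or malformed' });
  }
  return findings;
}

// Highest severity among the findings, for a block/allow decision.
function maxSeverity(findings) {
  return findings.reduce(
    (top, f) => (SEVERITY_RANK[f.severity] > SEVERITY_RANK[top] ? f.severity : top), 'INFO');
}

// True only when the script is a plain `node <file>` and <file> is in the
// tarball file list (as printed by `npm pack --dry-run`). Anything else,
// including a script that chains other commands, returns false for review.
function installScriptTargetsShipped(script, tarballFiles) {
  const shipped = new Set(tarballFiles);
  const m = /^node\s+([\w./-]+\.[cm]?js)$/.exec(script.trim());
  return m !== null && shipped.has(m[1]);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const version of Object.keys(samplePackument.versions)) {
    const findings = triageVersion(samplePackument, version);
    console.log(`${samplePackument.name}@${version}: ${maxSeverity(findings)}`);
    for (const f of findings) console.log(`  ${f.severity} ${f.rule}: ${f.detail}`);
  }
  console.log('patch.js shipped:',
    installScriptTargetsShipped('node patch.js', ['package.json', 'patch.js', 'dist/index.js']));
}
```

To run the same checks against the real package, `npm view @taquito/taquito@24.3.0 dist.attestations dist.signatures gitHead scripts --json` returns these fields from the registry, `npm pack @taquito/taquito@24.0.0 --dry-run` lists the tarball contents so you can confirm patch.js is shipped before reading it, `npm audit signatures` cryptographically verifies the attestations and registry signatures of an installed tree (presence in the packument is not verification), and `npm install --ignore-scripts` skips the postinstall hook entirely.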