
@taquito/utils

Versions: 8
License:
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- gitHead linked

Maintainers

jevonearth, roxaneletourneau, hui-an.yang, gimbrailo.ecad

Keywords

taquito, tezos, typescript, blockchain, encoding, crypto, utilities

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
dependencies | unvetted-dep:elliptic | AI (dependencies): elliptic is a standard crypto library appropriate for a Tezos blockchain utility package; stable false positive here. | ai |
source-diff | encoded-string-file:dist/taquito-utils.es6.js | AI (source-diff): Long strings are hex-encoded JSDoc example values for blockchain hashing functions, not obfuscated payloads. | ai |
source-diff | encoded-string-file:dist/taquito-utils.umd.js | AI (source-diff): Same JSDoc hex example strings in UMD build; stable false positive for this package. | ai |
dependencies | unvetted-dep:@stablelib/ed25519 | AI (dependencies): @stablelib/ed25519 is a well-known cryptographic library; its use in a Tezos utility package for Ed25519 operations is expected and legitimate across all versions. | ai |
dependencies | unvetted-dep:@taquito/core | AI (dependencies): Sibling package in the Taquito monorepo from the same publisher (ECAD Labs); not an independent risk. | ai |
phantom-deps | phantom-dep:typedarray-to-buffer | AI (phantom-deps): Bundled into dist output; direct import not visible in source scan. Stable pattern for this package. | ai |
dependencies | unvetted-dep:@types/bs58check | AI (dependencies): TypeScript type definitions package; no runtime code, negligible security risk. | ai |
phantom-deps | phantom-dep:blakejs | AI (phantom-deps): Bundled package; dist-only shipping means direct imports may not appear in source scan. Stable pattern for this package. | ai |
phantom-deps | phantom-dep:@types/bs58check | AI (phantom-deps): Type-only package loaded by convention; no runtime import expected. Stable false positive for this package. | ai |

Versions (showing 8 of 8)

Version | Deps | Published
24.3.0 | 9 / 23 |
24.2.0 | 10 / 27 |
24.1.0 | 10 / 27 |
24.0.2 | 10 / 27 |
24.0.1 | 10 / 27 |
24.0.0 | 10 / 27 |
23.1.0 | 10 / 27 |
23.0.3 | 11 / 26 |

v24.3.0

1 finding
INFO: Has SLSA provenance attestation (category: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v24.0.2

1 finding
LOW: No provenance attestation (category: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v24.0.1

1 finding
LOW: No provenance attestation (category: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v24.0.0

1 finding
LOW: No provenance attestation (category: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v23.1.0

1 finding
LOW: No provenance attestation (category: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v23.0.3

1 finding
LOW: No provenance attestation (category: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.