tronweb @5.3.5

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 74
License:
Install Scripts: No
Dependencies: 13
Dev Dependencies: 32
Package Size: 1465.1 KB
Published:

Maintainers

troncoretronweb.dev

Keywords

TRON, tronweb

Dependencies (13)

Package Constraint Registry Status
axios 1.13.6 auto_approved
ethers 6.16.0 auto_approved
lodash 4.17.23 auto_approved
semver 5.7.2 auto_approved
validator 13.15.26 auto_approved
bignumber.js 9.0.1 auto_approved
eventemitter3 3.1.0 auto_approved
injectpromise 1.0.0 auto_approved
@babel/runtime 7.28.6 auto_approved
querystring-es3 0.2.1 auto_approved
@ethersproject/abi 5.0.9 pending
ethereum-cryptography 2.0.0 pending
@tronweb3/google-protobuf 3.21.2 auto_approved

Dev Dependencies (32)

Package Constraint Registry Status
chai 4.1.2 auto_approved
chalk 2.4.1 auto_approved
husky 7.0.0 auto_approved
karma 6.3.17 auto_approved
mocha 10.8.2 auto_approved
globby 13.1.3 auto_approved
rimraf 3.0.2 auto_approved
webpack 5.105.4 auto_approved
istanbul 0.4.5 needs_review
puppeteer 24.4.0 auto_approved
@babel/core 7.21.0 auto_approved
karma-mocha 2.0.1 auto_approved
webpack-cli 5.0.1 pending
babel-loader 8.0.2 pending
jsonwebtoken 9.0.0 auto_approved
karma-webpack 5.0.0 auto_approved
karma-coverage 2.0.3 auto_approved
@babel/preset-env 7.20.2 auto_approved
source-map-support 0.5.19 auto_approved
karma-edge-launcher 0.4.2 auto_approved
karma-spec-reporter 0.0.32 Not imported
babel-plugin-istanbul 6.1.1 auto_approved
karma-chrome-launcher 2.2.0 auto_approved
karma-firefox-launcher 1.1.0 auto_approved
karma-sourcemap-loader 0.3.7 auto_approved
webpack-node-externals 3.0.0 auto_approved
@babel/plugin-transform-runtime 7.0.0 auto_approved
babel-plugin-source-map-support 2.1.3 pending
karma-coverage-istanbul-reporter 3.0.3 pending
@babel/plugin-proposal-class-properties 7.0.0 auto_approved
@babel/plugin-proposal-numeric-separator 7.0.0 pending
@babel/plugin-proposal-object-rest-spread 7.0.0 auto_approved

Transitive Dependency Tree

19 transitive deps, max depth 3
  ├─ @babel/runtime 7.28.6 → 7.28.6
  ├─ @ethersproject/abi 5.0.9
  ├─ axios 1.13.6
  ├─ bignumber.js 9.0.1 → 9.0.1
  ├─ ethereum-cryptography 2.0.0
  ├─ ethers 6.16.0 → 6.16.0
  ├─ eventemitter3 3.1.0 → 3.1.0
  ├─ lodash 4.17.23
  ├─ querystring-es3 0.2.1 → 0.2.1
  ├─ semver 5.7.2 → 5.7.2
├─ validator 13.15.26 → 13.15.26
  ├─ @adraffy/ens-normalize 1.10.1
  ├─ @noble/curves 1.2.0 → 1.2.0
  ├─ @noble/hashes 1.3.2 → 1.3.2
  ├─ @types/node 22.7.5 → 22.7.5
  ├─ aes-js 4.0.0-beta.5
  ├─ tslib 2.7.0 → 2.7.0
├─ ws 8.17.1
  ├─ @noble/hashes 1.3.2 → 1.3.2
  ├─ undici-types ~6.19.2 → 6.19.8

Changes from v6.2.0

Dependency Changes

Change Package Version
added lodash 4.17.23
added injectpromise 1.0.0
added querystring-es3 0.2.1
added @ethersproject/abi 5.0.9
added @tronweb3/google-protobuf 3.21.2
removed google-protobuf 3.21.4
changed axios 1.12.2 → 1.13.6
changed ethers 6.13.5 → 6.16.0
changed semver 7.7.1 → 5.7.2
changed validator 13.15.23 → 13.15.26
changed bignumber.js 9.1.2 → 9.0.1
changed eventemitter3 5.0.1 → 3.1.0
changed @babel/runtime 7.26.10 → 7.28.6
changed ethereum-cryptography 2.2.1 → 2.0.0

Script Changes

- lint
- lint:fix
- test:esm
- build:all
- build:cjs
- build:esm
- clean:all
- build:dist
- build:test
- format-all
- build:types
- copy-protocol:cjs
- copy-protocol:esm

File Changes

4 added, 330 removed, 7 modified; size delta: -2542.6 KB

Risk Dispositions (3 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule Source Disposition Author Reason
dormant-publish publish-pattern reject AI AI (publish-pattern): Package dormant for 2756 days before this version; combined with new unknown publisher, this is a strong account takeover signal that generalizes to this version.
unvetted-dep:@tronweb3/google-protobuf dependencies reject AI AI (dependencies): Non-standard scoped fork of google-protobuf from unvetted publisher; suspicious in context of account takeover indicators.
unvetted-dep:injectpromise dependencies reject AI AI (dependencies): Unvetted dependency added in suspicious version; warrants rejection in this context.

SAST Findings (2)

HIGH Long encoded string in modified file: dist/TronWeb.node.js source-diff

Modified file contains 6 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 74. Findings: 1 high (+25), 4 medium (+40), 3 low (+9).

Commit: c9338517b7de

Published to npm: