@chain-registry/workflows

Chain Registry Workflows

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

pyramationluca608zetazz

Keywords

chain-registryweb3cosmosinterchain

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:schema-typescript	AI (dependencies): schema-typescript is a companion tooling package in the same ecosystem; consistent with the package's TypeScript code generation workflow.	ai	2026/04/27
dependencies	unvetted-dep:json-schema-patch	AI (dependencies): json-schema-patch is a pinned utility dependency used in chain-registry workflows; no security concerns identified.	ai	2026/04/27
dependencies	unvetted-dep:file-ts	AI (dependencies): file-ts appears to be a companion package in the same ecosystem by the same publisher (pyramation); stable tooling dependency for chain-registry workflows.	ai	2026/04/27
dependencies	unvetted-dep:strfy-js	AI (dependencies): strfy-js is a utility package consistent with the chain-registry build toolchain by the same publisher; no malicious signals.	ai	2026/04/27
phantom-deps	phantom-dep:bignumber.js	AI (phantom-deps): bignumber.js is declared in package.json dependencies; phantom flag reflects config-driven usage pattern typical of this package.	ai	2026/04/26
phantom-deps	phantom-dep:sha.js	AI (phantom-deps): sha.js is declared in package.json dependencies; phantom flag is a static analysis artifact for this workflow/build-tooling package.	ai	2026/04/26
phantom-deps	phantom-dep:file-ts	AI (phantom-deps): file-ts is declared in package.json dependencies; phantom flag reflects config-driven usage pattern typical of this package.	ai	2026/04/26
phantom-deps	phantom-dep:minimatch	AI (phantom-deps): minimatch is declared in package.json dependencies; phantom flag is a static analysis artifact for this workflow/build-tooling package.	ai	2026/04/26
dependencies	unvetted-dep:@chain-registry/interfaces	AI (dependencies): First-party dependency from the same chain-registry monorepo; not a third-party risk.	ai	2026/04/25
provenance	no-provenance	AI (provenance): Established publisher with 4093 approved versions; lack of provenance is consistent across the entire chain-registry ecosystem and is not a meaningful risk signal here.	ai	2026/04/25

Versions (showing 37 of 240)

Version	Deps	Published
1.53.161	13 / 2	2025-07-02
1.53.160	13 / 2	2025-07-01
1.53.159	13 / 2	2025-06-27
1.53.158	13 / 2	2025-06-26
1.53.157	13 / 2	2025-06-25
1.53.156	13 / 2	2025-06-24
1.53.155	13 / 2	2025-06-21
1.53.154	13 / 2	2025-06-20
1.53.153	13 / 2	2025-06-19
1.53.152	13 / 2	2025-06-18
1.53.151	13 / 2	2025-06-17
1.53.150	13 / 2	2025-06-14
1.53.149	13 / 2	2025-06-12
1.53.148	13 / 2	2025-06-11
1.53.147	13 / 2	2025-06-10
1.53.146	13 / 2	2025-06-10
1.53.145	13 / 2	2025-06-07
1.53.144	13 / 2	2025-06-06
1.53.143	13 / 2	2025-06-05
1.53.142	13 / 2	2025-06-04
1.53.141	13 / 2	2025-06-01
1.53.140	13 / 2	2025-05-31
1.53.139	13 / 2	2025-05-30
1.53.138	13 / 2	2025-05-29
1.53.137	13 / 2	2025-05-28
1.53.136	13 / 2	2025-05-27
1.53.135	13 / 2	2025-05-24
1.53.134	13 / 2	2025-05-23
1.53.133	13 / 2	2025-05-22
1.53.132	13 / 2	2025-05-21
1.53.131	13 / 2	2025-05-20
1.53.130	13 / 2	2025-05-13
1.53.129	13 / 2	2025-05-09
1.53.128	13 / 2	2025-05-08
1.53.127	13 / 2	2025-05-06
1.53.126	13 / 2	2025-05-05
1.53.125	13 / 2	2025-05-03