@cosmjs/encoding
Encoding helpers for blockchain projects
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-added | AI (maintainer-change): Maintainer changes in established cosmjs monorepo are expected; transparent governance and stable repo URL mitigate takeover risk. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of prior maintainers paired with additions is normal team evolution in active projects; no compromise indicators present. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @scure/base is a legitimate, established cryptographic library appropriate for an encoding package; dependency swap (bech32→@scure/base) reflects intentional refactoring. | ai | |
| source-diff | source-size-dropped | AI (source-diff): 70% source reduction consistent with legitimate refactoring and dependency consolidation; no stub/redirect indicators present. | ai | |
| dependencies | unvetted-dep:readonly-date | AI (dependencies): readonly-date is a stable utility with fixed version constraint; minor unvetted dependency in established package context. | ai | |
| provenance | no-provenance | AI (provenance): Established CosmJS package from trusted publisher; lack of provenance is common and not a risk signal here. | ai |
Versions (showing 40 of 40)
| Version | Deps | Published |
|---|---|---|
| 0.38.1 | 3 / 23 | |
| 0.38.0 | 3 / 23 | |
| 0.37.1 | 3 / 23 | |
| 0.36.2 | 3 / 23 | |
| 0.36.0 | 3 / 23 | |
| 0.35.1 | 3 / 23 | |
| 0.34.1 | 3 / 25 | |
| 0.33.1 | 3 / 34 | |
| 0.32.3 | 3 / 34 | |
| 0.31.1 | 3 / 34 | |
| 0.30.1 | 3 / 34 | |
| 0.30.0 | 3 / 34 | |
| 0.29.5 | 3 / 34 | |
| 0.29.3 | 3 / 34 | |
| 0.29.2 | 3 / 34 | |
| 0.28.11 | 3 / 34 | |
| 0.28.9 | 3 / 34 | |
| 0.28.0 | 3 / 35 | |
| 0.27.1 | 3 / 35 | |
| 0.26.5 | 3 / 35 | |
| 0.26.3 | 3 / 35 | |
| 0.25.6 | 3 / 1 | |
| 0.25.5 | 3 / 1 | |
| 0.25.4 | 3 / 1 | |
| 0.25.3 | 3 / 1 | |
| 0.25.2 | 3 / 1 | |
| 0.25.1 | 3 / 1 | |
| 0.25.0 | 3 / 1 | |
| 0.24.1 | 3 / 1 | |
| 0.23.1 | 3 / 1 | |
| 0.22.3 | 3 / 1 | |
| 0.22.1 | 3 / 1 | |
| 0.22.0 | 3 / 1 | |
| 0.21.1 | 3 / 1 | |
| 0.21.0 | 3 / 1 | |
| 0.20.0 | 3 / 1 | |
| 0.38.0-rc.1 | 3 / 23 | |
| 0.38.0-rc.0 | 3 / 23 | |
| 0.37.0-rc.1 | 3 / 23 | |
| 0.36.2-0 | 3 / 23 |
v0.38.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.37.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.36.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.36.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.35.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.34.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.33.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.32.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.31.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.30.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.30.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.29.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.29.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.29.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.28.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.28.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.28.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.27.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.26.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.26.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.24.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.23.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.22.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.22.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.22.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.21.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.21.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.20.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.38.0-rc.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.38.0-rc.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.37.0-rc.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.36.2-0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.