
@cosmjs/tendermint-rpc

Tendermint RPC clients

Versions: 7
License: Apache-2.0
Install scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

- No SLSA provenance
- npm registry signatures
- gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

webmaster128kiki-skip

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
maintainer-change | maintainer-added | AI (maintainer-change): willclarktech is listed as a named contributor in package.json and the package is part of the official cosmos/cosmjs monorepo; this is a legitimate team addition. | ai |
source-diff | large-new-source-files | AI (source-diff): Version jump from 0.23.1 to 0.25.1 in an actively developed RPC client library; growth is consistent with legitimate feature additions in the cosmos/cosmjs project. | ai |
source-diff | source-size-tripled | AI (source-diff): Size increase reflects multi-version feature growth in an established CosmJS package; no obfuscation or suspicious payloads flagged. | ai |
bogus-package | bogus-package | AI (bogus-package): Scoped monorepo sub-package (@cosmjs); short README and no keywords are expected for sub-packages where docs live in the main repo. Not a spam/low-value package. | ai |
dependencies | unvetted-dep:readonly-date | AI (dependencies): readonly-date is a long-standing, well-known dependency of @cosmjs/tendermint-rpc used for immutable Date objects; stable across many versions. | ai |
dependencies | unvetted-dep:@cosmjs/json-rpc | AI (dependencies): First-party sibling package from the same cosmos/cosmjs monorepo; same publisher and version series. | ai |
dependencies | unvetted-dep:xstream | AI (dependencies): xstream is a well-established reactive streams library used throughout the CosmJS ecosystem; not a suspicious dependency. | ai |
dependencies | unvetted-dep:@cosmjs/utils | AI (dependencies): First-party sibling package from the same cosmos/cosmjs monorepo; same publisher and version series. | ai |
provenance | no-provenance | AI (provenance): CosmJS packages historically do not publish with Sigstore provenance; absence is consistent with prior versions and not a risk indicator for this publisher. | ai |
dependencies | unvetted-dep:readonly-date-esm | AI (dependencies): Small utility package for immutable Date objects; no known security concerns and appropriate for this use case. | ai |
dependencies | unvetted-dep:@cosmjs/crypto | AI (dependencies): First-party sibling package from the same cosmos/cosmjs monorepo; same publisher and version series. | ai |
dependencies | unvetted-dep:@cosmjs/socket | AI (dependencies): First-party sibling package from the same cosmos/cosmjs monorepo; same publisher and version series. | ai |
dependencies | unvetted-dep:@cosmjs/stream | AI (dependencies): First-party sibling package from the same cosmos/cosmjs monorepo; same publisher and version series. | ai |
dependencies | unvetted-dep:@cosmjs/encoding | AI (dependencies): First-party sibling package from the same cosmos/cosmjs monorepo; same publisher and version series. | ai |

Versions (showing 7 of 7)

Version | Deps | Published
0.38.1 | 9 / 22 |
0.38.0 | 9 / 22 |
0.36.0 | 9 / 22 |
0.25.1 | 9 / 1 |
0.23.1 | 10 / 1 |
0.38.0-rc.1 | 9 / 22 |
0.36.2-0 | 9 / 22 |

v0.38.1

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.38.0

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.36.0

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.25.1

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.23.1

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.38.0-rc.1

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.36.2-0

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.