← Home

@ledgerhq/device-signer-kit-hyperliquid

npm Repository

This package provides a signer implementation for hyperliquid.

4
Versions
Apache-2.0
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

phenry-ledgersergii-shkolingbrahm-ledgerthomas.coudrayldg-github-civbouzonledger-releaser

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff encoded-string-file:lib/cjs/internal/app-binder/utils/actionTlvSerializer.test.js AI (source-diff): Hex strings are TLV serializer test vectors (expectedHex fields); stable false positive for this package. ai
source-diff encoded-string-file:lib/esm/internal/app-binder/utils/actionTlvSerializer.test.js AI (source-diff): ESM build of same test file; same TLV test vector pattern, stable false positive. ai
dependencies unvetted-dep:purify-ts AI (dependencies): purify-ts is a well-known functional programming library for TypeScript; its use here is legitimate and expected in a Ledger SDK package. ai
dependencies unvetted-dep:@ledgerhq/signer-utils AI (dependencies): First-party Ledger SDK package from the same LedgerHQ organization; legitimate dependency for this signer kit. ai
dependencies unvetted-dep:@ledgerhq/context-module AI (dependencies): First-party Ledger SDK package from the same LedgerHQ organization; legitimate dependency for this signer kit. ai

Versions (showing 4 of 4)

Version Deps Published
1.1.0 6 / 8
1.0.2 6 / 8
1.0.1 6 / 8
1.0.0 6 / 8

v1.1.0

3 findings
HIGH Long encoded string in modified file: lib/cjs/internal/app-binder/utils/actionTlvSerializer.test.js source-diff

Modified file contains 4 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: lib/esm/internal/app-binder/utils/actionTlvSerializer.test.js source-diff

Modified file contains 4 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v1.0.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v1.0.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v1.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.