@polkadot/extrinsics-codec

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

jacogr

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	new-deps-added	AI (publish-pattern): New deps are same-org @polkadot scoped packages, consistent with intra-ecosystem dependency management by the established Polkadot.js maintainer.	ai	2026/04/24
provenance	no-provenance	AI (provenance): Package predates Sigstore provenance availability; no provenance is expected for packages of this age from this publisher.	ai	2026/04/24
phantom-deps	phantom-dep:@polkadot/params	AI (phantom-deps): Same-org scoped package; phantom dep finding is a false positive for intra-org dependency declarations in the Polkadot.js ecosystem.	ai	2026/04/24
npm-metadata	no-description	AI (npm-metadata): Cosmetic issue in a well-established ecosystem package from a trusted publisher; not indicative of malice.	ai	2026/04/24
source-diff	encoded-string-file:encode/unchecked.spec.js	AI (source-diff): Long hex strings in spec files are expected test vectors for a codec library, not obfuscated payloads. This pattern is stable across all versions of this package.	ai	2026/04/24
bogus-package	bogus-package	AI (bogus-package): Minimal documentation is typical for internal codec utility in established monorepo; not a spam indicator given publisher reputation.	ai	2026/04/24
phantom-deps	phantom-dep:@polkadot/util-keyring	AI (phantom-deps): Same-org monorepo dependency; phantom classification is expected in polkadot-js workspace structure.	ai	2026/04/24
phantom-deps	phantom-dep:@polkadot/extrinsics	AI (phantom-deps): Same-org monorepo dependency; phantom classification is expected in polkadot-js workspace structure.	ai	2026/04/24
phantom-deps	phantom-dep:@babel/runtime	AI (phantom-deps): @babel/runtime is framework-scoped and loaded by convention; stable pattern in @polkadot packages.	ai	2026/04/24
phantom-deps	phantom-dep:bn.js	AI (phantom-deps): bn.js is a direct dependency used in crypto/codec contexts; phantom classification is a false positive for this package.	ai	2026/04/24

Versions (showing 51 of 89)

View all versions

Version	Deps	Published
0.25.3	6 / 0	2018-06-27
0.25.2	6 / 0	2018-06-27
0.25.1	6 / 0	2018-06-26
0.20.3	6 / 0	2018-06-26
0.20.2	6 / 0	2018-06-26
0.20.1	6 / 0	2018-06-26
0.19.5	6 / 0	2018-06-25
0.19.4	6 / 0	2018-06-24
0.19.3	6 / 0	2018-06-24
0.19.2	6 / 0	2018-06-24
0.19.1	6 / 0	2018-06-23
0.18.2	6 / 0	2018-06-20
0.17.28	6 / 0	2018-06-20
0.17.27	6 / 0	2018-06-20
0.17.26	6 / 0	2018-06-20
0.17.25	6 / 0	2018-06-13
0.17.24	6 / 0	2018-06-12
0.17.23	6 / 0	2018-06-12
0.17.22	6 / 0	2018-06-12
0.17.21	6 / 0	2018-06-11
0.17.20	6 / 0	2018-06-11
0.17.19	6 / 0	2018-06-08
0.17.18	6 / 0	2018-06-07
0.17.17	6 / 0	2018-06-04
0.17.16	6 / 0	2018-06-04
0.17.15	6 / 0	2018-06-04
0.17.14	6 / 0	2018-06-03
0.17.13	6 / 0	2018-06-03
0.17.12	6 / 0	2018-06-03
0.17.11	6 / 0	2018-06-02
0.17.10	6 / 0	2018-06-02
0.17.9	5 / 0	2018-06-01
0.17.8	5 / 0	2018-06-01
0.17.7	5 / 0	2018-05-31
0.17.6	5 / 0	2018-05-31
0.17.5	5 / 0	2018-05-30
0.17.4	5 / 0	2018-05-29
0.17.3	5 / 0	2018-05-29
0.17.2	5 / 0	2018-05-29
0.17.1	5 / 0	2018-05-29
0.16.15	5 / 0	2018-05-28
0.16.14	5 / 0	2018-05-28
0.16.13	5 / 0	2018-05-28
0.16.12	5 / 0	2018-05-27
0.16.11	5 / 0	2018-05-27
0.16.10	5 / 0	2018-05-27
0.16.9	5 / 0	2018-05-25
0.16.8	5 / 0	2018-05-25
0.16.7	5 / 0	2018-05-25
0.16.6	5 / 0	2018-05-25
0.16.5	5 / 0	2018-05-24