@polkadot/keyring
Keyring management
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | encoded-string-file:pair/toJson.spec.js | AI (source-diff): Test fixture containing hex-encoded ed25519 keypair data for keyring unit tests; expected for a crypto key management library. | ai | |
| phantom-deps | phantom-dep:@types/bs58 | AI (phantom-deps): TypeScript type declarations for the bs58 runtime dependency; loaded by the TS compiler, not directly imported at runtime. | ai | |
| source-diff | encoded-string-file:index.spec.js | AI (source-diff): Long string is a hex-encoded PKCS8 test fixture in a keyring test file — expected for this package's domain. | ai | |
| provenance | publisher-changed | AI (provenance): Legitimate transition from polkadotjs to paritytech-ci (Parity Technologies CI account). paritytech-ci has strong track record: 605 approved, 0 rejected. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): paritytech-ci is Parity Technologies' CI account, the organization behind Polkadot. Expected maintainer for this ecosystem. | ai |
Versions (showing 12 of 312)
| Version | Deps | Published |
|---|---|---|
| 0.32.6 | 5 / 0 | |
| 0.32.5 | 5 / 0 | |
| 0.32.4 | 5 / 0 | |
| 0.32.3 | 5 / 0 | |
| 0.32.1 | 5 / 0 | |
| 0.31.7 | 5 / 0 | |
| 0.31.6 | 5 / 0 | |
| 0.31.5 | 5 / 0 | |
| 0.31.4 | 5 / 0 | |
| 0.31.3 | 5 / 0 | |
| 0.31.2 | 5 / 0 | |
| 0.31.1 | 5 / 0 |
v0.32.6
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.32.5
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.32.4
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.32.3
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.32.1
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.31.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.31.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.31.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.31.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.