@polkadot/util — Greenflagged

A collection of useful utilities for @polkadot

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

jacogrpolkadotjsparitytech-ci

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:@types/camelcase	AI (dependencies): @types/camelcase is the TypeScript type definitions for the well-known camelcase package; it is benign and consistent with this package's pattern of listing @types/* as runtime deps.	ai	2026/04/24
phantom-deps	phantom-dep:@types/camelcase	AI (phantom-deps): Listing @types/* packages as runtime deps without direct imports is a known pattern in this Polkadot TypeScript package; other @types/* phantom deps are already accepted.	ai	2026/04/24
phantom-deps	phantom-dep:@types/ip-regex	AI (phantom-deps): @types packages are TypeScript type declarations consumed by tooling, not direct imports; phantom-dep firing on them is a stable false positive for this package.	ai	2026/04/24
phantom-deps	phantom-dep:@types/xxhashjs	AI (phantom-deps): @types packages are TypeScript type declarations consumed by tooling, not direct imports; phantom-dep firing on them is a stable false positive for this package.	ai	2026/04/24
phantom-deps	phantom-dep:@types/deasync	AI (phantom-deps): @types packages are TypeScript type declarations consumed by tooling, not direct imports; phantom-dep firing on them is a stable false positive for this package.	ai	2026/04/24
dependencies	unvetted-dep:@types/ip-regex	AI (dependencies): @types/ip-regex is a DefinitelyTyped TypeScript type definition package — benign by nature, no runtime code execution risk.	ai	2026/04/24
dependencies	unvetted-dep:@types/xxhashjs	AI (dependencies): @types/xxhashjs is a DefinitelyTyped TypeScript type definition package — benign by nature, no runtime code execution risk.	ai	2026/04/24
provenance	missing-githead	AI (provenance): Package is from a highly trusted publisher (jacogr, 8095 approved/0 rejected) with a 3000+ day history. Missing gitHead reflects a publish environment change, not a security concern for this package.	ai	2026/04/24
source-diff	large-new-source-files	AI (source-diff): @polkadot/util is an actively developed utility library; adding new source files across minor versions is expected organic growth, not injected code.	ai	2026/04/24
publish-pattern	new-deps-added	AI (publish-pattern): bn.js and keccak are well-established cryptographic libraries appropriate for a blockchain utility package; their addition is expected and legitimate.	ai	2026/04/24
source-diff	source-size-tripled	AI (source-diff): Size increase reflects legitimate addition of crypto utilities (bn.js, keccak wrappers) in a growing blockchain utility library from a trusted publisher.	ai	2026/04/24
dependencies	unvetted-dep:keccak	AI (dependencies): keccak is a well-known cryptographic hash library standard in the blockchain/Ethereum ecosystem; legitimate dependency for @polkadot/util.	ai	2026/04/24
provenance	no-provenance	AI (provenance): Package predates Sigstore provenance adoption; publisher has 8083 approved packages and strong trust history. Not a meaningful risk signal here.	ai	2026/04/24
phantom-deps	phantom-dep:babel-runtime	AI (phantom-deps): babel-runtime is a legitimate runtime dependency used via babel-plugin-transform-runtime (Babel 6 pattern); not a phantom dep for this package.	ai	2026/04/24
provenance	publisher-changed	AI (provenance): paritytech-ci is Parity Technologies' CI publishing account with 111 approved packages; the polkadotjs→paritytech-ci transition is a known organizational consolidation, not a compromise.	ai	2026/04/23
maintainer-change	maintainer-added	AI (maintainer-change): paritytech-ci is a verified Parity Technologies CI account with strong track record; addition is a legitimate organizational change.	ai	2026/04/23
phantom-deps	phantom-dep:@types/bn.js	AI (phantom-deps): @types/bn.js is a TypeScript type definition used by convention in the polkadot-js ecosystem; phantom dep finding is a stable false positive here.	ai	2026/04/23
semgrep	semgrep:hex-decode	AI (semgrep): Hex decoding is core functionality of @polkadot/util; Buffer.from(value, 'hex') is a standard, non-obfuscated utility operation.	ai	2026/04/21
typosquat	typosquat.levenshtein:uuid	AI (typosquat): @polkadot/util is a well-known Polkadot ecosystem utility library, not a typosquat of uuid. The name similarity is purely coincidental.	ai	2026/04/21

Versions (showing 100 of 551)

Version	Deps	Published
14.0.3	7 / 0	2026-03-23
14.0.2	7 / 0	2026-03-16
14.0.1	7 / 0	2025-12-09
13.5.9	7 / 0	2025-11-25
13.5.8	7 / 0	2025-11-11
13.5.7	7 / 0	2025-10-13
13.5.6	7 / 0	2025-08-26
13.5.5	7 / 0	2025-08-11
13.5.4	7 / 0	2025-07-28
13.5.3	7 / 0	2025-07-01
13.5.2	7 / 0	2025-06-17
13.5.1	7 / 0	2025-05-19
13.4.4	7 / 0	2025-04-14
13.4.3	7 / 0	2025-02-17
13.4.2	7 / 0	2025-02-17
13.4.1	7 / 0	2025-02-17
13.3.1	7 / 0	2025-01-06
13.2.3	7 / 0	2024-11-11
13.2.2	7 / 0	2024-10-28
13.2.1	7 / 0	2024-10-21
13.1.1	7 / 0	2024-09-16
13.0.2	7 / 0	2024-07-13
13.0.1	7 / 0	2024-07-12
12.6.2	7 / 0	2023-12-18
12.6.1	7 / 0	2023-11-18
12.5.1	7 / 0	2023-09-15
12.4.2	7 / 0	2023-08-23
12.4.1	7 / 0	2023-08-17
12.3.2	7 / 0	2023-06-12
12.3.1	7 / 0	2023-06-11
12.2.2	7 / 0	2023-06-04
12.2.1	7 / 0	2023-05-13
12.1.2	7 / 0	2023-05-01
12.1.1	7 / 0	2023-04-29
12.0.1	7 / 0	2023-04-22
11.1.3	7 / 0	2023-04-01
11.1.2	7 / 0	2023-03-25
11.1.1	7 / 0	2023-03-18
11.0.2	7 / 0	2023-03-11
11.0.1	7 / 0	2023-03-04
10.4.2	7 / 0	2023-02-19
10.4.1	7 / 0	2023-02-12
10.3.1	7 / 0	2023-01-28
10.2.6	7 / 0	2023-01-13
10.2.5	7 / 0	2023-01-13
10.2.4	7 / 0	2023-01-13
10.2.3	7 / 0	2023-01-07
10.2.2	7 / 0	2023-01-06
10.2.1	7 / 0	2022-12-04
10.1.14	7 / 0	2022-11-27
10.1.13	7 / 0	2022-11-20
10.1.12	7 / 0	2022-11-13
10.1.11	7 / 0	2022-10-15
10.1.10	7 / 0	2022-10-07
10.1.9	7 / 0	2022-09-24
10.1.8	7 / 0	2022-09-17
10.1.7	7 / 0	2022-09-02
10.1.6	7 / 0	2022-08-23
10.1.5	7 / 0	2022-08-21
10.1.4	7 / 0	2022-08-12
10.1.3	7 / 0	2022-08-05
10.1.2	7 / 0	2022-07-29
10.1.1	7 / 0	2022-07-21
10.0.2	7 / 0	2022-07-10
10.0.1	7 / 0	2022-07-08
9.7.2	8 / 0	2022-07-04
9.7.1	8 / 0	2022-07-01
9.6.2	8 / 0	2022-06-25
9.6.1	8 / 0	2022-06-23
9.5.1	8 / 0	2022-06-18
9.4.1	8 / 0	2022-06-04
9.3.1	8 / 0	2022-05-29
9.2.1	8 / 0	2022-05-13
9.1.1	8 / 0	2022-04-30
9.0.1	8 / 0	2022-04-09
8.7.1	8 / 0	2022-03-27
8.6.1	8 / 0	2022-03-19
8.5.1	8 / 0	2022-03-12
8.4.1	8 / 0	2022-02-14
8.3.3	8 / 0	2022-01-23
8.3.2	8 / 0	2022-01-15
8.3.1	8 / 0	2022-01-09
8.2.2	8 / 1	2021-12-19
8.1.2	8 / 0	2021-12-05
8.1.1	8 / 0	2021-12-05
8.0.5	6 / 0	2021-12-01
8.0.4	6 / 0	2021-11-30
8.0.3	6 / 0	2021-11-30
8.0.2	6 / 0	2021-11-26
8.0.1	6 / 0	2021-11-26
8.0.0	6 / 0	2021-11-26
7.9.2	7 / 0	2021-11-22
7.9.1	7 / 0	2021-11-21
7.8.2	7 / 0	2021-11-07
7.8.1	7 / 0	2021-11-06
7.7.1	7 / 0	2021-10-31
7.6.1	7 / 0	2021-10-23
7.5.1	7 / 0	2021-10-16
7.4.1	7 / 0	2021-09-17
7.3.1	7 / 0	2021-08-28

Showing 100 of 551 Next page →

v14.0.2

2 findings

HIGH Publisher changed: polkadotjs → paritytech-ci (on 2026-03-16) provenance

This version was published by a different npm account than previous versions on 2026-03-16. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v14.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v13.5.9

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v13.5.8

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v13.5.7

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v13.5.6

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v13.5.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v13.5.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v13.5.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v13.5.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v13.5.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v13.4.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v13.4.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v13.4.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v13.4.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v13.3.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v13.2.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v13.2.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v13.2.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v13.1.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v13.0.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v13.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.