cosmjs-types

JS and TS types relating to Protocol Buffers used by Cosmos SDK and other related projects

Versions: 19
License: Apache-2.0
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance | npm registry signatures | gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

webmaster128, kiki-skip

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
| --- | --- | --- | --- | --- |
| source-diff | source-size-tripled | AI (source-diff): cosmjs-types grows with each release as more protobuf definitions are codegen'd into JS/TS. Size increases are expected and benign for this package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): webmaster128 is the legitimate publisher with 1035 approved packages and 2813 days of history; this maintainer addition is a legitimate transfer, not a takeover. | ai | |
| dependencies | unvetted-dep:protobufjs | AI (dependencies): protobufjs is a core, well-known dependency expected for a Protobuf types package; its use here is entirely legitimate and stable across versions. | ai | |
| source-diff | large-new-source-files | AI (source-diff): cosmjs-types is a codegen package; new source files are protobuf-generated types matching the package's documented purpose. Large file additions are expected with each Cosmos SDK update. | ai | |
| provenance | no-provenance | AI (provenance): Established package with strong publisher track record; lack of Sigstore provenance is not a material risk signal here. | ai | |

Versions (showing 19 of 19)

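| Version | Deps | Published |
| --- | --- | --- |
| 0.11.0 | 0 / 4 | |
| 0.10.1 | 0 / 4 | |
| 0.10.0 | 0 / 4 | |
| 0.9.0 | 0 / 4 | |
| 0.8.0 | 2 / 5 | |
| 0.7.2 | 2 / 5 | |
| 0.7.1 | 2 / 5 | |
| 0.7.0 | 2 / 5 | |
| 0.6.1 | 2 / 5 | |
| 0.6.0 | 2 / 5 | |
| 0.5.2 | 2 / 5 | |
| 0.5.1 | 2 / 5 | |
| 0.5.0 | 2 / 5 | |
| 0.4.1 | 2 / 5 | |
| 0.4.0 | 2 / 5 | |
| 0.3.0 | 2 / 5 | |
| 0.2.1 | 2 / 5 | |
| 0.2.0 | 2 / 5 | |
| 0.1.0 | 2 / 5 | |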

v0.10.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.