ethers
A complete and compact Ethereum library, for dapps, wallets and any other tools.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): ethers v6 has infrequent but legitimate release cadence; same long-standing publisher. | ai | |
| source-diff | encoded-string-file:dist/ethers.umd.js | AI (source-diff): UMD dist bundle containing ENS normalization data; stable across versions. | ai | |
| source-diff | encoded-string-file:dist/ethers.umd.min.js | AI (source-diff): Minified UMD bundle containing ENS normalization data; stable across versions. | ai | |
| source-diff | encoded-string-file:dist/wordlists-extra.js | AI (source-diff): BIP-39 wordlist encoded data; core functionality of ethers. | ai | |
| source-diff | encoded-string-file:dist/wordlists-extra.min.js | AI (source-diff): Minified wordlist bundle; stable across versions. | ai | |
| source-diff | encoded-string-file:dist/ethers.js | AI (source-diff): ENS normalization compressed data blob with documented provenance; stable across versions. | ai | |
| source-diff | encoded-string-file:dist/ethers.min.js | AI (source-diff): Minified dist bundle containing ENS normalization data; stable across versions. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decode is a standard utility for binary data handling in Ethereum operations (e.g., encoding calldata). Not malicious; stable for this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): ethers v6 is a known major version migration published under the same 'ethers' package name. Inflated semver and sparse README are artifacts of the v6 launch, not spam indicators. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): @types/node is intentionally included in ethers.js runtime deps for type augmentation; known packaging quirk of this library. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get() is used in ethers.js ABI coder Proxy traps — standard JS pattern for intercepting property access, not obfuscation. Stable for this package. | ai |
Versions (showing 8 of 8)
| Version | Deps | Published |
|---|---|---|
| 6.16.0 | 7 / 9 | |
| 6.15.0 | 7 / 9 | |
| 6.14.4 | 7 / 9 | |
| 6.14.3 | 7 / 9 | |
| 6.14.2 | 7 / 9 | |
| 6.14.1 | 7 / 9 | |
| 6.14.0 | 7 / 9 | |
| 6.13.7 | 7 / 9 |
v6.15.0
7 findingsModified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 6 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 6 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.14.4
7 findingsModified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 6 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 6 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.14.3
7 findingsModified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 6 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 6 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.14.2
7 findingsModified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 6 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 6 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.14.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.14.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.13.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.