secretjs — Greenflagged

The JavaScript SDK for Secret Network

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

enigma-dev

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	source-size-tripled	AI (source-diff): Size increase is from bundled ProtoDefs.js protobuf definitions, explicitly added in build script; expected for this SDK.	ai	2026/04/27
source-diff	source-size-dropped	AI (source-diff): Size drop reflects refactoring of generated protobuf code; consistent with the 133 new TS source files added.	ai	2026/04/27
source-diff	obfuscated-file:build/ProtoEncoding.js	AI (source-diff): The long line is a serialized protobuf JSON descriptor string, not obfuscation. This pattern is expected when bundling protobuf schemas with protobufjs and is benign for this package.	ai	2026/04/24
phantom-deps	phantom-dep:js-crypto-hkdf	AI (phantom-deps): Declared crypto dependency used indirectly; phantom-dep is a false positive for this library.	ai	2026/04/24
phantom-deps	phantom-dep:fast-deep-equal	AI (phantom-deps): Declared utility dependency used indirectly; phantom-dep is a false positive for this library.	ai	2026/04/24
phantom-deps	phantom-dep:node-localstorage	AI (phantom-deps): Declared dependency used indirectly; phantom-dep is a false positive for this library.	ai	2026/04/24
phantom-deps	phantom-dep:@types/node-localstorage	AI (phantom-deps): Framework-scoped types package loaded by convention; phantom-dep is a false positive for this library.	ai	2026/04/24
phantom-deps	phantom-dep:pako	AI (phantom-deps): pako is a declared dependency used indirectly in crypto operations; phantom-dep is a false positive for this library.	ai	2026/04/24
phantom-deps	phantom-dep:axios	AI (phantom-deps): axios is a declared dependency used indirectly for HTTP operations; phantom-dep is a false positive for this library.	ai	2026/04/24
phantom-deps	phantom-dep:miscreant	AI (phantom-deps): miscreant is a declared crypto dependency used indirectly; phantom-dep is a false positive for this library.	ai	2026/04/24
phantom-deps	phantom-dep:@iov/utils	AI (phantom-deps): Declared @iov dependency used indirectly in SDK; phantom-dep is a false positive for this library.	ai	2026/04/24
phantom-deps	phantom-dep:@iov/encoding	AI (phantom-deps): Declared @iov dependency used indirectly in SDK; phantom-dep is a false positive for this library.	ai	2026/04/24
phantom-deps	phantom-dep:curve25519-js	AI (phantom-deps): Declared crypto dependency used indirectly; phantom-dep is a false positive for this library.	ai	2026/04/24
phantom-deps	phantom-dep:secure-random	AI (phantom-deps): Declared crypto dependency used indirectly; phantom-dep is a false positive for this library.	ai	2026/04/24
dependencies	unvetted-dep:protobufjs	AI (dependencies): protobufjs is a well-known, widely-used protobuf library; expected dependency for a blockchain SDK communicating via protobuf. Stable for this package.	ai	2026/04/24
publish-pattern	new-deps-added	AI (publish-pattern): cross-fetch and google-protobuf are well-known legitimate packages; their addition reflects a documented transport layer refactor in this Cosmos SDK client.	ai	2026/04/24
source-diff	large-new-source-files	AI (source-diff): secretjs ships generated protobuf stubs as part of its SDK; large file additions are expected when protobuf definitions are updated. Not indicative of injected malicious code.	ai	2026/04/24
source-diff	obfuscated-file:dist/browser.js	AI (source-diff): dist/browser.js is a standard webpack-minified browser bundle for the secretjs SDK. The license header and module pattern confirm legitimate webpack output, not malicious obfuscation.	ai	2026/04/24
source-diff	net-exec-file:dist/browser.js	AI (source-diff): Network calls and dynamic module loading in dist/browser.js are expected for a blockchain client SDK (RPC calls + webpack module system). Not a dropper/loader pattern.	ai	2026/04/24
provenance	no-provenance	AI (provenance): Lack of Sigstore provenance is a governance concern but not a code-level security risk for this mature package.	ai	2026/04/24
phantom-deps	phantom-dep:@osmonauts/helpers	AI (phantom-deps): Referenced in build config; phantom-dep pattern is stable for this package across versions.	ai	2026/04/24
phantom-deps	phantom-dep:sinon	AI (phantom-deps): Sinon is a test/build dependency referenced in config; phantom-dep pattern is stable for this package.	ai	2026/04/24
phantom-deps	phantom-dep:@cosmjs/math	AI (phantom-deps): Legitimate declared dependency for a crypto SDK; used in build/config context. Not a security concern for this package.	ai	2026/04/24
phantom-deps	phantom-dep:patch-package	AI (phantom-deps): patch-package is intentionally declared as a runtime dep to support the postinstall script; stable pattern for this package.	ai	2026/04/24
phantom-deps	phantom-dep:google-protobuf	AI (phantom-deps): google-protobuf is a legitimate protobuf runtime dependency for this Secret Network SDK; referenced in build config.	ai	2026/04/24
install-scripts	install-script:postinstall	AI (install-scripts): postinstall runs `patch-package`, a standard tool for patching node_modules. This is a documented, legitimate pattern for this SDK and stable across versions.	ai	2026/04/23
dependencies	unvetted-dep:google-protobuf	AI (dependencies): google-protobuf is a Google-published, widely-used protobuf library. Stable false positive for this package.	ai	2026/04/23
source-diff	encoded-string-file:dist/browser.js	AI (source-diff): Long encoded strings in dist/browser.js are standard webpack UMD bundle output, not obfuscated malicious payloads. The license header and bundle structure confirm legitimate build output.	ai	2026/04/23

Versions (showing 51 of 96)

View all versions

Version	Deps	Published
1.21.2	18 / 22	2025-09-15
1.21.1	18 / 22	2025-09-15
1.15.0	18 / 22	2024-12-30
1.12.5	16 / 21	2024-03-18
1.12.4	16 / 21	2023-12-22
1.12.3	16 / 21	2023-11-20
1.12.2	16 / 21	2023-11-20
1.12.1	16 / 21	2023-11-09
1.12.0	16 / 21	2023-10-18
1.11.1	17 / 21	2023-09-26
1.11.0	17 / 21	2023-09-26
1.9.3	18 / 20	2023-06-09
1.9.2	18 / 20	2023-06-09
1.9.1	18 / 20	2023-06-05
1.9.0	18 / 20	2023-05-08
1.8.1	18 / 20	2023-03-08
1.8.0	18 / 20	2023-03-06
1.7.2	18 / 20	2023-03-02
1.7.1	18 / 20	2023-03-01
1.6.14	18 / 20	2023-02-23
1.6.13	18 / 20	2023-01-30
1.6.12	18 / 20	2023-01-29
1.6.11	18 / 20	2023-01-25
1.6.10	18 / 20	2023-01-25
1.6.9	18 / 20	2023-01-17
1.6.8	18 / 20	2023-01-11
1.6.7	18 / 20	2023-01-11
1.6.6	18 / 20	2022-12-29
1.6.5	18 / 20	2022-12-29
1.6.4	18 / 20	2022-12-28
1.6.3	18 / 20	2022-12-28
1.6.2	18 / 20	2022-12-28
1.6.1	18 / 20	2022-12-27
1.6.0	18 / 20	2022-12-22
1.5.3	17 / 18	2022-12-19
1.5.1	17 / 18	2022-12-04
1.5.0	17 / 18	2022-12-04
1.4.7	19 / 20	2023-03-02
1.4.6	19 / 20	2023-01-24
1.4.5	19 / 20	2022-10-19
1.4.4	18 / 19	2022-10-11
1.4.3	18 / 19	2022-10-02
1.4.2	18 / 19	2022-10-02
1.4.1	18 / 19	2022-09-28
1.4.0	18 / 19	2022-09-21
0.17.8	11 / 4	2022-09-18
0.17.7	11 / 4	2022-09-11
0.17.6	11 / 4	2022-09-08
0.17.5	11 / 4	2021-11-29
0.17.4	11 / 4	2021-11-25
0.17.3	11 / 4	2021-11-15