secretjs
The JavaScript SDK for Secret Network
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | source-size-tripled | AI (source-diff): Size increase is from bundled ProtoDefs.js protobuf definitions, explicitly added in build script; expected for this SDK. | ai | |
| source-diff | source-size-dropped | AI (source-diff): Size drop reflects refactoring of generated protobuf code; consistent with the 133 new TS source files added. | ai | |
| source-diff | obfuscated-file:build/ProtoEncoding.js | AI (source-diff): The long line is a serialized protobuf JSON descriptor string, not obfuscation. This pattern is expected when bundling protobuf schemas with protobufjs and is benign for this package. | ai | |
| phantom-deps | phantom-dep:js-crypto-hkdf | AI (phantom-deps): Declared crypto dependency used indirectly; phantom-dep is a false positive for this library. | ai | |
| phantom-deps | phantom-dep:fast-deep-equal | AI (phantom-deps): Declared utility dependency used indirectly; phantom-dep is a false positive for this library. | ai | |
| phantom-deps | phantom-dep:node-localstorage | AI (phantom-deps): Declared dependency used indirectly; phantom-dep is a false positive for this library. | ai | |
| phantom-deps | phantom-dep:@types/node-localstorage | AI (phantom-deps): Framework-scoped types package loaded by convention; phantom-dep is a false positive for this library. | ai | |
| phantom-deps | phantom-dep:pako | AI (phantom-deps): pako is a declared dependency used indirectly in crypto operations; phantom-dep is a false positive for this library. | ai | |
| phantom-deps | phantom-dep:axios | AI (phantom-deps): axios is a declared dependency used indirectly for HTTP operations; phantom-dep is a false positive for this library. | ai | |
| phantom-deps | phantom-dep:miscreant | AI (phantom-deps): miscreant is a declared crypto dependency used indirectly; phantom-dep is a false positive for this library. | ai | |
| phantom-deps | phantom-dep:@iov/utils | AI (phantom-deps): Declared @iov dependency used indirectly in SDK; phantom-dep is a false positive for this library. | ai | |
| phantom-deps | phantom-dep:@iov/encoding | AI (phantom-deps): Declared @iov dependency used indirectly in SDK; phantom-dep is a false positive for this library. | ai | |
| phantom-deps | phantom-dep:curve25519-js | AI (phantom-deps): Declared crypto dependency used indirectly; phantom-dep is a false positive for this library. | ai | |
| phantom-deps | phantom-dep:secure-random | AI (phantom-deps): Declared crypto dependency used indirectly; phantom-dep is a false positive for this library. | ai | |
| dependencies | unvetted-dep:protobufjs | AI (dependencies): protobufjs is a well-known, widely-used protobuf library; expected dependency for a blockchain SDK communicating via protobuf. Stable for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): cross-fetch and google-protobuf are well-known legitimate packages; their addition reflects a documented transport layer refactor in this Cosmos SDK client. | ai | |
| source-diff | large-new-source-files | AI (source-diff): secretjs ships generated protobuf stubs as part of its SDK; large file additions are expected when protobuf definitions are updated. Not indicative of injected malicious code. | ai | |
| source-diff | obfuscated-file:dist/browser.js | AI (source-diff): dist/browser.js is a standard webpack-minified browser bundle for the secretjs SDK. The license header and module pattern confirm legitimate webpack output, not malicious obfuscation. | ai | |
| source-diff | net-exec-file:dist/browser.js | AI (source-diff): Network calls and dynamic module loading in dist/browser.js are expected for a blockchain client SDK (RPC calls + webpack module system). Not a dropper/loader pattern. | ai | |
| provenance | no-provenance | AI (provenance): Lack of Sigstore provenance is a governance concern but not a code-level security risk for this mature package. | ai | |
| phantom-deps | phantom-dep:@osmonauts/helpers | AI (phantom-deps): Referenced in build config; phantom-dep pattern is stable for this package across versions. | ai | |
| phantom-deps | phantom-dep:sinon | AI (phantom-deps): Sinon is a test/build dependency referenced in config; phantom-dep pattern is stable for this package. | ai | |
| phantom-deps | phantom-dep:@cosmjs/math | AI (phantom-deps): Legitimate declared dependency for a crypto SDK; used in build/config context. Not a security concern for this package. | ai | |
| phantom-deps | phantom-dep:patch-package | AI (phantom-deps): patch-package is intentionally declared as a runtime dep to support the postinstall script; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:google-protobuf | AI (phantom-deps): google-protobuf is a legitimate protobuf runtime dependency for this Secret Network SDK; referenced in build config. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): postinstall runs `patch-package`, a standard tool for patching node_modules. This is a documented, legitimate pattern for this SDK and stable across versions. | ai | |
| dependencies | unvetted-dep:google-protobuf | AI (dependencies): google-protobuf is a Google-published, widely-used protobuf library. Stable false positive for this package. | ai | |
| source-diff | encoded-string-file:dist/browser.js | AI (source-diff): Long encoded strings in dist/browser.js are standard webpack UMD bundle output, not obfuscated malicious payloads. The license header and bundle structure confirm legitimate build output. | ai | |
Versions (showing 96 of 96)
| Version | Deps | Published |
|---|---|---|
| 1.21.2 | 18 / 22 | |
| 1.21.1 | 18 / 22 | |
| 1.15.0 | 18 / 22 | |
| 1.12.5 | 16 / 21 | |
| 1.12.4 | 16 / 21 | |
| 1.12.3 | 16 / 21 | |
| 1.12.2 | 16 / 21 | |
| 1.12.1 | 16 / 21 | |
| 1.12.0 | 16 / 21 | |
| 1.11.1 | 17 / 21 | |
| 1.11.0 | 17 / 21 | |
| 1.9.3 | 18 / 20 | |
| 1.9.2 | 18 / 20 | |
| 1.9.1 | 18 / 20 | |
| 1.9.0 | 18 / 20 | |
| 1.8.1 | 18 / 20 | |
| 1.8.0 | 18 / 20 | |
| 1.7.2 | 18 / 20 | |
| 1.7.1 | 18 / 20 | |
| 1.6.14 | 18 / 20 | |
| 1.6.13 | 18 / 20 | |
| 1.6.12 | 18 / 20 | |
| 1.6.11 | 18 / 20 | |
| 1.6.10 | 18 / 20 | |
| 1.6.9 | 18 / 20 | |
| 1.6.8 | 18 / 20 | |
| 1.6.7 | 18 / 20 | |
| 1.6.6 | 18 / 20 | |
| 1.6.5 | 18 / 20 | |
| 1.6.4 | 18 / 20 | |
| 1.6.3 | 18 / 20 | |
| 1.6.2 | 18 / 20 | |
| 1.6.1 | 18 / 20 | |
| 1.6.0 | 18 / 20 | |
| 1.5.3 | 17 / 18 | |
| 1.5.1 | 17 / 18 | |
| 1.5.0 | 17 / 18 | |
| 1.4.7 | 19 / 20 | |
| 1.4.6 | 19 / 20 | |
| 1.4.5 | 19 / 20 | |
| 1.4.4 | 18 / 19 | |
| 1.4.3 | 18 / 19 | |
| 1.4.2 | 18 / 19 | |
| 1.4.1 | 18 / 19 | |
| 1.4.0 | 18 / 19 | |
| 0.17.8 | 11 / 4 | |
| 0.17.7 | 11 / 4 | |
| 0.17.6 | 11 / 4 | |
| 0.17.5 | 11 / 4 | |
| 0.17.4 | 11 / 4 | |
| 0.17.3 | 11 / 4 | |
| 0.17.2 | 11 / 4 | |
| 0.17.1 | 11 / 4 | |
| 0.17.0 | 11 / 4 | |
| 0.16.7 | 10 / 4 | |
| 0.16.6 | 10 / 4 | |
| 0.16.5 | 10 / 4 | |
| 0.16.4 | 10 / 4 | |
| 0.16.3 | 10 / 4 | |
| 0.16.2 | 10 / 4 | |
| 0.16.1 | 10 / 4 | |
| 0.16.0 | 10 / 4 | |
| 0.15.1 | 10 / 4 | |
| 0.15.0 | 10 / 4 | |
| 0.14.2 | 10 / 4 | |
| 0.14.1 | 10 / 4 | |
| 0.14.0 | 10 / 4 | |
| 0.13.0 | 10 / 4 | |
| 0.12.0 | 10 / 4 | |
| 0.11.0 | 11 / 2 | |
| 0.10.5 | 11 / 2 | |
| 0.10.4 | 11 / 2 | |
| 0.10.3 | 11 / 2 | |
| 0.10.2 | 11 / 2 | |
| 0.10.0 | 11 / 2 | |
| 0.9.20 | 11 / 2 | |
| 0.9.19 | 11 / 2 | |
| 0.9.18 | 11 / 2 | |
| 0.9.17 | 11 / 2 | |
| 0.9.16 | 11 / 2 | |
| 0.9.15 | 11 / 2 | |
| 0.9.14 | 11 / 2 | |
| 0.9.13 | 11 / 2 | |
| 0.9.12 | 11 / 2 | |
| 0.9.11 | 11 / 2 | |
| 0.9.10 | 11 / 2 | |
| 0.9.9 | 12 / 2 | |
| 0.9.8 | 12 / 2 | |
| 0.9.7 | 12 / 2 | |
| 0.9.6 | 12 / 2 | |
| 0.9.5 | 6 / 9 | |
| 0.9.4 | 6 / 9 | |
| 0.9.3 | 6 / 2 | |
| 0.9.2 | 12 / 2 | |
| 0.9.1 | 12 / 2 | |
| 0.9.0 | 6 / 2 | |
v1.21.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.9.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.9.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.9.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.9.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.14
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.13
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.12
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.11
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.10
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.4
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.3
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.20
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.19
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.18
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.17
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.16
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.15
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.14
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.13
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.12
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.11
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.10
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.