@aztec/aztec
Aztec is a package that allows for a simple development environment on Aztec stack. It creates a Private eXecution Environment (PXE) that listens for HTTP requests on `localhost:8080` by default. When started, it deploys all necessary L1 Aztec contracts a
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | large-new-source-files | AI (source-diff): Active ZK framework with frequent large releases; 30 new files consistent with feature growth across 961 versions. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @iarna/toml is a well-known, benign TOML parser; addition is low risk for this package. | ai | |
| dependencies | unvetted-dep:@aztec/test-wallet | AI (dependencies): Same-org @aztec/* monorepo package pinned to matching version; consistent release pattern. | ai | |
| phantom-deps | phantom-dep:koa | AI (phantom-deps): koa is directly imported and used; false positive for this package. | ai | |
| phantom-deps | phantom-dep:@aztec/aztec-faucet | AI (phantom-deps): Same-org monorepo dependency loaded by convention; stable pattern for @aztec packages. | ai | |
| phantom-deps | phantom-dep:@aztec/bb-prover | AI (phantom-deps): Same-org monorepo dependency loaded by convention; stable pattern for @aztec packages. | ai | |
| phantom-deps | phantom-dep:@aztec/entrypoints | AI (phantom-deps): Same-org monorepo dependency loaded by convention; stable pattern for @aztec packages. | ai | |
| phantom-deps | phantom-dep:@aztec/p2p-bootstrap | AI (phantom-deps): Same-org monorepo dependency loaded by convention; stable pattern for @aztec packages. | ai | |
| phantom-deps | phantom-dep:@types/chalk | AI (phantom-deps): Type definition package loaded by TypeScript convention; not a runtime concern. | ai | |
| phantom-deps | phantom-dep:abitype | AI (phantom-deps): ABI type utility used in blockchain projects; referenced in config/type contexts. | ai | |
| phantom-deps | phantom-dep:koa-router | AI (phantom-deps): Koa middleware loaded via framework convention; stable pattern for this package. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decoding is fundamental to a blockchain/ZK-rollup project; Buffer.from(hex,'hex') is standard crypto key handling. | ai | |
| provenance | no-provenance | AI (provenance): Established Aztec Protocol package with 443-day history and 896 versions; lack of provenance is consistent across all versions and not a risk indicator here. | ai | |
| dependencies | unvetted-dep:@aztec/aztec-faucet | AI (dependencies): First-party @aztec/* sibling package published at the same version in a monorepo release; not an external unvetted dependency. | ai | |
| dependencies | unvetted-dep:@aztec/cli-wallet | AI (dependencies): First-party @aztec/* sibling package published at the same version in a monorepo release; not an external unvetted dependency. | ai | |
| dependencies | unvetted-dep:@aztec/bb.js | AI (dependencies): First-party @aztec/* sibling package published at the same version in a monorepo release; not an external unvetted dependency. | ai | |
| dependencies | unvetted-dep:@aztec/txe | AI (dependencies): First-party @aztec/* sibling package published at the same version in a monorepo release; not an external unvetted dependency. | ai | |
| dependencies | unvetted-dep:@aztec/noir-protocol-circuits-types | AI (dependencies): First-party @aztec/* sibling package published at the same version in a monorepo release; not an external unvetted dependency. | ai |
Versions (showing 22 of 22)
| Version | Deps | Published |
|---|---|---|
| 4.3.0 | 41 / 7 | |
| 4.2.1 | 40 / 7 | |
| 4.2.0 | 40 / 7 | |
| 4.1.3 | 40 / 7 | |
| 4.1.2 | 40 / 7 | |
| 4.1.1 | 40 / 7 | |
| 4.1.0 | 40 / 7 | |
| 4.0.4 | 40 / 7 | |
| 4.0.2 | 40 / 7 | |
| 4.0.1 | 40 / 7 | |
| 3.0.3 | 39 / 7 | |
| 3.0.2 | 39 / 7 | |
| 3.0.1 | 39 / 7 | |
| 2.1.9 | 38 / 6 | |
| 2.1.8 | 38 / 6 | |
| 2.1.7 | 38 / 6 | |
| 2.1.6 | 38 / 6 | |
| 2.1.5 | 38 / 6 | |
| 2.1.4 | 38 / 6 | |
| 2.1.3 | 38 / 6 | |
| 2.1.2 | 38 / 6 | |
| 2.0.4 | 38 / 6 |
v4.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.