@aztec/aztec-node — Greenflagged

The Aztec Node implements a sequencer node in the network, and is currently meant to be used for local development and testing. The Node is the entrypoint for creating and starting a new Sequencer client with default components (a local P2P client, an in-

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

zac-williamsonleilawangcharlielyejaosefjoss-aztecprotocolludamad

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	no-provenance	AI (provenance): Established @aztec monorepo package; lack of provenance is a hygiene gap, not a security concern for this trusted namespace.	ai	2026/04/27
dependencies	unvetted-dep:@aztec/noir-protocol-circuits-types	AI (dependencies): Same-org @aztec/ scoped package released in lockstep at matching version; consistent monorepo release pattern.	ai	2026/04/27
phantom-deps	phantom-dep:@aztec/validator-ha-signer	AI (phantom-deps): Same-org @aztec/ scoped package; phantom detection is a false positive in this monorepo context.	ai	2026/04/27
dependencies	unvetted-dep:@aztec/node-lib	AI (dependencies): Same-org @aztec/ scoped package released in lockstep at matching version; consistent monorepo release pattern.	ai	2026/04/27
phantom-deps	phantom-dep:koa-router	AI (phantom-deps): koa-router is declared as a runtime dependency and referenced in config files; phantom-dep false positive for this server package.	ai	2026/04/27
phantom-deps	phantom-dep:tslib	AI (phantom-deps): tslib is a known implicit TypeScript runtime dependency; phantom-dep false positive stable for this package.	ai	2026/04/27
phantom-deps	phantom-dep:@aztec/merkle-tree	AI (phantom-deps): Same-org @aztec scoped dependency declared in package.json; phantom-dep false positive for monorepo packages.	ai	2026/04/27
phantom-deps	phantom-dep:@aztec/l1-artifacts	AI (phantom-deps): Same-org @aztec scoped dependency declared in package.json; phantom-dep false positive for monorepo packages.	ai	2026/04/27
phantom-deps	phantom-dep:@aztec/noir-protocol-circuits-types	AI (phantom-deps): Same-org @aztec scoped dependency declared in package.json; phantom-dep false positive for monorepo packages.	ai	2026/04/27
phantom-deps	phantom-dep:koa	AI (phantom-deps): koa is declared as a runtime dependency and referenced in config files; phantom-dep false positive for this server package.	ai	2026/04/27

Versions (showing 9 of 9)

Version	Deps	Published
4.3.0	30 / 8	2026-05-20
4.2.1	30 / 8	2026-05-07
4.2.0	30 / 8	2026-04-15
4.1.3	30 / 8	2026-04-02
4.1.2	30 / 8	2026-03-26
4.0.2	30 / 8	2026-02-27
2.1.6	27 / 7	2025-11-16
2.1.4	27 / 7	2025-11-12
2.1.3	27 / 7	2025-11-12

v4.3.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.2.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.2.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.1.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.1.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.