@aztec/cli
The Aztec CLI `aztec-cli` is a command-line interface (CLI) tool for interacting with Aztec. It provides various commands for deploying contracts, creating accounts, interacting with contracts, and retrieving blockchain data.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@aztec/sequencer-client | AI (phantom-deps): Same-org monorepo package; phantom dep detection is a false positive for intra-monorepo transitive resolution patterns. | ai | |
| phantom-deps | phantom-dep:@aztec/node-lib | AI (phantom-deps): Same-org monorepo package; phantom dep detection is a false positive for intra-monorepo transitive resolution patterns. | ai | |
| phantom-deps | phantom-dep:@aztec/slasher | AI (phantom-deps): Same-org monorepo package; phantom dep detection is a false positive for intra-monorepo transitive resolution patterns. | ai | |
| phantom-deps | phantom-dep:source-map-support | AI (phantom-deps): source-map-support is referenced in config/build tooling, not directly imported in source; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a standard TypeScript runtime helper used implicitly by compiled TS output; stable false positive for all @aztec/* packages. | ai | |
| phantom-deps | phantom-dep:@aztec/entrypoints | AI (phantom-deps): Same-org @aztec/* package used transitively; phantom-dep finding is a false positive for monorepo sibling packages. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decoding in this package is standard cryptographic field element handling (Fr.SIZE_IN_BYTES), expected in a ZK protocol CLI tool. Not malicious payload hiding. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): @aztec/cli is a scoped package under the well-known Aztec Protocol org; edit-distance match to 'joi' is a false positive with no plausible confusion risk. | ai | |
Versions (showing 25 of 25)
| Version | Deps | Published |
|---|---|---|
| 4.3.1 | 28 / 17 | |
| 4.3.0 | 28 / 17 | |
| 4.2.1 | 28 / 17 | |
| 4.2.0 | 28 / 17 | |
| 4.1.3 | 28 / 17 | |
| 4.1.2 | 28 / 17 | |
| 4.1.1 | 28 / 17 | |
| 4.1.0 | 28 / 17 | |
| 4.0.4 | 28 / 17 | |
| 4.0.3 | 28 / 17 | |
| 4.0.2 | 28 / 17 | |
| 4.0.1 | 28 / 17 | |
| 3.0.3 | 26 / 17 | |
| 3.0.2 | 26 / 17 | |
| 3.0.1 | 26 / 17 | |
| 2.1.11 | 23 / 18 | |
| 2.1.9 | 23 / 18 | |
| 2.1.8 | 23 / 18 | |
| 2.1.7 | 23 / 18 | |
| 2.1.6 | 23 / 18 | |
| 2.1.5 | 23 / 18 | |
| 2.1.4 | 23 / 18 | |
| 2.1.3 | 23 / 15 | |
| 2.1.2 | 23 / 15 | |
| 2.0.4 | 20 / 15 | |
v4.3.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.