@aztec/end-to-end
This package includes end-to-end tests that cover Aztec's main milestones. These can be run locally either by starting anvil on a different terminal.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:pg | AI (phantom-deps): End-to-end test package; pg is used in config/test infrastructure, not directly imported in source. Expected for this package type. | ai | |
| phantom-deps | phantom-dep:koa | AI (phantom-deps): Used in test server config files, not directly imported. Expected for e2e test harness. | ai | |
| phantom-deps | phantom-dep:jest | AI (phantom-deps): Jest is the test runner; referenced in config files. Standard phantom-dep pattern for test packages. | ai | |
| phantom-deps | phantom-dep:typescript | AI (phantom-deps): TypeScript referenced in build/config files. Standard for compiled packages. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): Known implicit runtime dependency for TypeScript compiled output. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decoding in test fixtures uses well-known Hardhat/Anvil test private keys (ac0974bec...). Standard test fixture code, not malicious payload hiding. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): execSync in legacy-jest-resolver.cjs for resolving contract artifact versions during test runs. Standard build/test tooling usage. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): All raw IP references are 127.0.0.1 (localhost) for local telemetry/metrics collection in test environments. Benign test infrastructure pattern. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding of Kubernetes secrets (POSTGRES_USER/PASSWORD) in test infrastructure. Standard k8s secret handling pattern. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): process.env spread in subprocess helper for test infrastructure to pass environment variables to child processes. Standard test tooling pattern. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get() used in a proxy pattern for test wallet utility — legitimate JavaScript Proxy handler, not obfuscation. | ai | |
Versions (showing 8 of 8)
| Version | Deps | Published |
|---|---|---|
| 4.3.0 | 78 / 13 | |
| 4.2.1 | 78 / 13 | |
| 4.2.0 | 78 / 13 | |
| 4.1.3 | 78 / 13 | |
| 4.1.2 | 78 / 13 | |
| 2.1.6 | 73 / 11 | |
| 2.1.4 | 73 / 11 | |
| 2.1.3 | 73 / 11 | |
v4.3.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.0
3 findings:

Spreading entire process.env into an object — may capture all secrets

```typescript
    'pipe'
  ],
  env: env ? {          // flagged line
    ...process.env,
    ...env
```

Spreading entire process.env into an object — may capture all secrets

```typescript
const childProcess = spawn(scriptPath, args, {
  stdio: ['ignore', 'pipe', 'pipe'],
  env: env ? { ...process.env, ...env } : process.env,   // flagged line
});
const stdoutChunks: Buffer[] = [];
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.