@aztec/ivc-integration
This module is used to test the IVC integration between mock noir protocol circuits and barretenberg.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@aztec/noir-noirc_abi | AI (phantom-deps): Same-org @aztec monorepo package; phantom dep pattern is expected in monorepo publishing workflows. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a well-known implicit TypeScript runtime dependency; stable false positive for TypeScript packages. | ai | |
| phantom-deps | phantom-dep:puppeteer | AI (phantom-deps): puppeteer is a testing/browser automation tool referenced in config files for browser-based ZK proof testing; not a runtime import concern. | ai | |
| phantom-deps | phantom-dep:playwright | AI (phantom-deps): playwright is a testing tool referenced in config files; not a runtime import concern for this ZK integration package. | ai | |
| dependencies | unvetted-dep:@aztec/bb.js | AI (dependencies): @aztec/bb.js is Aztec's Barretenberg ZK proving library — a core internal dependency of the @aztec monorepo, always pinned to the same version. Stable false positive for this package. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding is used to deserialize ZK circuit bytecode for proof generation — standard practice in ZK tooling, not obfuscation. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Monorepo sub-package; short README, no repo URL, no keywords, and minimal entry point are all expected for @aztec/* workspace packages. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decoding is used to deserialize ZK circuit verification keys — standard practice in ZK proof tooling, not a malicious payload indicator. | ai |
Versions (showing 25 of 25)
| Version | Deps | Published |
|---|---|---|
| 4.3.1 | 13 / 26 | |
| 4.3.0 | 13 / 26 | |
| 4.2.1 | 13 / 26 | |
| 4.2.0 | 13 / 26 | |
| 4.1.3 | 13 / 26 | |
| 4.1.2 | 13 / 26 | |
| 4.1.1 | 13 / 26 | |
| 4.1.0 | 13 / 26 | |
| 4.0.4 | 13 / 26 | |
| 4.0.3 | 13 / 26 | |
| 4.0.2 | 13 / 26 | |
| 4.0.1 | 13 / 26 | |
| 3.0.3 | 13 / 26 | |
| 3.0.2 | 13 / 26 | |
| 3.0.1 | 13 / 26 | |
| 2.1.11 | 13 / 25 | |
| 2.1.9 | 13 / 25 | |
| 2.1.8 | 13 / 25 | |
| 2.1.7 | 13 / 25 | |
| 2.1.6 | 13 / 25 | |
| 2.1.5 | 13 / 25 | |
| 2.1.4 | 13 / 25 | |
| 2.1.3 | 13 / 25 | |
| 2.1.2 | 13 / 25 | |
| 2.0.4 | 13 / 25 |
v4.3.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.