@aztec/node-lib — Greenflagged

Shared code for Aztec Nodes and Prover Nodes.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

zac-williamsonleilawangcharlielyejaosefjoss-aztecprotocolludamad

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:dest/factories/l1_tx_utils.d.ts	AI (source-diff): TypeScript .d.ts files with complex generic type signatures routinely exceed 3000 chars; not obfuscation.	ai	2026/04/27
semgrep	semgrep:base64-decode	AI (semgrep): Base64 used for blob serialization in storage layer — standard data encoding, not payload hiding.	ai	2026/04/27
phantom-deps	phantom-dep:@aztec/blob-sink	AI (phantom-deps): Same-org monorepo sibling dependency; phantom detection is a false positive for Aztec's monorepo publish pattern.	ai	2026/04/27
phantom-deps	phantom-dep:@aztec/simulator	AI (phantom-deps): Same-org monorepo sibling dependency; phantom detection is a false positive for Aztec's monorepo publish pattern.	ai	2026/04/27
phantom-deps	phantom-dep:@aztec/epoch-cache	AI (phantom-deps): Same-org monorepo sibling dependency; phantom detection is a false positive for Aztec's monorepo publish pattern.	ai	2026/04/27
phantom-deps	phantom-dep:@aztec/merkle-tree	AI (phantom-deps): Same-org monorepo sibling dependency; phantom detection is a false positive for Aztec's monorepo publish pattern.	ai	2026/04/27
phantom-deps	phantom-dep:@aztec/prover-client	AI (phantom-deps): Same-org monorepo sibling dependency; phantom detection is a false positive for Aztec's monorepo publish pattern.	ai	2026/04/27
phantom-deps	phantom-dep:tslib	AI (phantom-deps): tslib is a well-known implicit TypeScript runtime dependency; not directly imported but used transitively. Stable false positive for TypeScript monorepo packages.	ai	2026/04/27
phantom-deps	phantom-dep:@aztec/telemetry-client	AI (phantom-deps): Same-org monorepo sibling dependency; phantom detection is a false positive for Aztec's monorepo publish pattern.	ai	2026/04/27
phantom-deps	phantom-dep:@aztec/validator-client	AI (phantom-deps): Same-org monorepo sibling dependency; phantom detection is a false positive for Aztec's monorepo publish pattern.	ai	2026/04/27
phantom-deps	phantom-dep:@aztec/protocol-contracts	AI (phantom-deps): Same-org monorepo sibling dependency; phantom detection is a false positive for Aztec's monorepo publish pattern.	ai	2026/04/27
bogus-package	bogus-package	AI (bogus-package): Internal monorepo sub-package of the Aztec Protocol project; missing README/repo/keywords is typical for published monorepo sub-packages, not spam.	ai	2026/04/27
phantom-deps	phantom-dep:@aztec/sequencer-client	AI (phantom-deps): Same-org monorepo sibling dependency; phantom detection is a false positive for Aztec's monorepo publish pattern.	ai	2026/04/27
phantom-deps	phantom-dep:@aztec/bb-prover	AI (phantom-deps): Same-org monorepo sibling dependency; phantom detection is a false positive for Aztec's monorepo publish pattern.	ai	2026/04/27