@chainlink/contracts

Chainlink smart contracts

Versions: 2
License: BUSL-1.1
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance
npm registry signatures
No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

secure.ericz
secure.javier
secure.andrew
notoriousenigma
secure_handerson
npmserviceaccount-cllm4us
secure.thanh

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
phantom-deps | phantom-dep:semver | AI (phantom-deps): Config-file reference in established smart-contract library; stable pattern. | ai |
phantom-deps | phantom-dep:@changesets/cli | AI (phantom-deps): Changesets tooling for monorepo release management; stable pattern. | ai |
phantom-deps | phantom-dep:@zksync/contracts | AI (phantom-deps): Contract import in smart-contract library; stable pattern. | ai |
phantom-deps | phantom-dep:@scroll-tech/contracts | AI (phantom-deps): Contract import in smart-contract library; stable pattern. | ai |
phantom-deps | phantom-dep:@eth-optimism/contracts | AI (phantom-deps): Contract import in smart-contract library; stable pattern. | ai |
phantom-deps | phantom-dep:@openzeppelin/contracts | AI (phantom-deps): Contract import in smart-contract library; stable pattern. | ai |
phantom-deps | phantom-dep:@arbitrum/nitro-contracts | AI (phantom-deps): Contract import in smart-contract library; stable pattern. | ai |
phantom-deps | phantom-dep:@changesets/get-github-info | AI (phantom-deps): Changesets tooling for monorepo release management; stable pattern. | ai |
phantom-deps | phantom-dep:@openzeppelin/contracts-upgradeable | AI (phantom-deps): Contract import in smart-contract library; stable pattern. | ai |
dependencies | unvetted-dep:@zksync/contracts | AI (dependencies): Official zkSync contracts from matter-labs; pinned to a specific commit hash, which reduces supply chain risk. Standard for multi-chain Solidity libraries. | ai |
dependencies | unvetted-dep:@openzeppelin/contracts-4.7.3 | AI (dependencies): OpenZeppelin contracts are a canonical Solidity dependency; multiple pinned versions are a standard pattern for multi-version support in Solidity contract libraries. | ai |
dependencies | unvetted-dep:@changesets/get-github-info | AI (dependencies): Standard changesets tooling dependency for release management; no security concern. | ai |
npm-metadata | url-dep:@zksync/contracts | AI (npm-metadata): GitHub URL pinned to a specific commit hash (446d391d) for @zksync/contracts is a deliberate reproducibility choice, not a supply chain risk. Standard practice for Solidity contract libraries. | ai |
dependencies | unvetted-dep:@openzeppelin/contracts-4.8.3 | AI (dependencies): OpenZeppelin contracts are a canonical Solidity dependency; multiple pinned versions are a standard pattern for multi-version support in Solidity contract libraries. | ai |
dependencies | unvetted-dep:@openzeppelin/contracts-4.9.6 | AI (dependencies): OpenZeppelin contracts are a canonical Solidity dependency; multiple pinned versions are a standard pattern for multi-version support in Solidity contract libraries. | ai |
dependencies | unvetted-dep:@openzeppelin/contracts-5.0.2 | AI (dependencies): OpenZeppelin contracts are a canonical Solidity dependency; multiple pinned versions are a standard pattern for multi-version support in Solidity contract libraries. | ai |
dependencies | unvetted-dep:@openzeppelin/contracts-5.1.0 | AI (dependencies): OpenZeppelin contracts are a canonical Solidity dependency; multiple pinned versions are a standard pattern for multi-version support in Solidity contract libraries. | ai |
dependencies | unvetted-dep:@openzeppelin/contracts-upgradeable | AI (dependencies): OpenZeppelin upgradeable contracts are a canonical Solidity dependency for this type of smart contract library. | ai |
dependencies | unvetted-dep:@arbitrum/nitro-contracts | AI (dependencies): Official Arbitrum L2 contracts package; standard dependency for a multi-chain Solidity contracts library like @chainlink/contracts. | ai |
dependencies | unvetted-dep:@eth-optimism/contracts | AI (dependencies): Official Optimism L2 contracts package; standard dependency for a multi-chain Solidity contracts library like @chainlink/contracts. | ai |
dependencies | unvetted-dep:@scroll-tech/contracts | AI (dependencies): Official Scroll L2 contracts package; standard dependency for a multi-chain Solidity contracts library like @chainlink/contracts. | ai |

Versions (showing 2 of 2)

Version | Deps | Published
1.5.0 | 14 / 15 |
1.4.0 | 9 / 36 |

v1.5.0

1 finding

Severity LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.