@chainlink/contracts-ccip

Chainlink smart contracts for CCIP

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

secure.ericzsecure.javiersecure.andrewnotoriousenigmasecure_handersonnpmserviceaccount-cllm4ussecure.thanh

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:@chainlink/contracts	AI (dependencies): Same-org dependency from Chainlink; legitimate and expected for this package.	ai	2026/04/25
dependencies	unvetted-dep:@openzeppelin/contracts-4.8.3	AI (dependencies): OpenZeppelin contracts is a well-known, trusted Solidity library; aliased version pattern is standard for multi-version support.	ai	2026/04/25
dependencies	unvetted-dep:@openzeppelin/contracts-5.0.2	AI (dependencies): OpenZeppelin contracts is a well-known, trusted Solidity library; aliased version pattern is standard for multi-version support.	ai	2026/04/25
phantom-deps	phantom-dep:semver	AI (phantom-deps): Used in config/tooling scripts for this Solidity package; not a JS import pattern concern.	ai	2026/04/25
phantom-deps	phantom-dep:@changesets/cli	AI (phantom-deps): Changeset tooling dependency referenced in config; standard release management pattern.	ai	2026/04/25
phantom-deps	phantom-dep:@chainlink/contracts	AI (phantom-deps): Same-org Solidity dependency; phantom-dep flag is expected for Solidity packages not directly JS-imported.	ai	2026/04/25
phantom-deps	phantom-dep:@changesets/get-github-info	AI (phantom-deps): Changeset tooling dependency referenced in config; standard release management pattern.	ai	2026/04/25
phantom-deps	phantom-dep:@openzeppelin/contracts-4.8.3	AI (phantom-deps): Solidity dependency aliased for multi-version support; not directly JS-imported by design.	ai	2026/04/25
phantom-deps	phantom-dep:@openzeppelin/contracts-5.0.2	AI (phantom-deps): Solidity dependency aliased for multi-version support; not directly JS-imported by design.	ai	2026/04/25
license	uncommon-license:BUSL-1.1	AI (license): BUSL-1.1 is Chainlink's intentional license choice for their contracts; not a security concern.	ai	2026/04/25

Versions (showing 5 of 5)

Version	Deps	Published
1.6.4	6 / 2	2025-12-03
1.6.3	6 / 2	2025-11-04
1.6.2	6 / 2	2025-10-03
1.6.1	4 / 2	2025-08-28
1.6.0	4 / 2	2025-05-20

v1.6.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.