@hyperlane-xyz/cli
A command-line utility for common Hyperlane operations
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | bundled-binaries | AI (npm-metadata): Known native bindings (bigint_buffer, napi) consistent with blockchain CLI; stable across versions with SLSA provenance. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped @hyperlane-xyz/cli is not a typosquat of joi; false positive from edit-distance heuristic. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decode in bundled Solana/crypto dependencies; expected pattern in blockchain CLI. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get used in Solana RPC proxy pattern; standard JS metaprogramming in bundled deps. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function in WASM glue code (wbg bindings); standard pattern for wasm-bindgen output. | ai | |
v35.0.0
2 findings
Package contains compiled binaries that could be backdoors:
• bundle/build/Release/bigint_buffer.node
• bundle/prebuilds/linux-x64/node.napi.node
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v34.0.0
2 findings
Package contains compiled binaries that could be backdoors:
• bundle/prebuilds/linux-x64/node.napi.node
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v33.1.0
2 findings
Package contains compiled binaries that could be backdoors:
• bundle/prebuilds/linux-x64/node.napi.node
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.