
@hyperlane-xyz/rebalancer

Hyperlane Warp Route Collateral Rebalancer Service

Versions: 10
License: Apache-2.0
Install scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version:

SLSA provenance attestation: present
npm registry signatures: present
Source commit: none

With no source commit recorded, the attestation cannot be tied back to a specific revision of the source repository: it shows which workflow published the package, not exactly what that workflow built.
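The three status signals above come out of the npm provenance attestation, which is a DSSE envelope wrapping an in-toto statement with a SLSA v1 predicate. The following is an added example, not code from Hyperlane or from the scanner that produced this page, showing how to decode such an envelope and derive the same findings (SLSA predicate present, publisher workflow and repository, source commit present or missing). The field layout for the GitHub Actions build type, the builder id and the workflow path are assumed from the SLSA GitHub Actions build type, the sample statement is constructed and its digest and signature are placeholders. Cryptographic verification against the Sigstore transparency log is deliberately out of scope; `npm audit signatures` does that part.

```javascript
// Added example: decode an npm provenance attestation (DSSE envelope around
// an in-toto statement) and report the page's three provenance signals.
// Not Hyperlane's or the scanner's code. Signature verification is NOT done.

const SLSA_V1 = 'https://slsa.dev/provenance/v1';
const IN_TOTO_V1 = 'https://in-toto.io/Statement/v1';
// Build type used by SLSA provenance generated from GitHub Actions (assumed shape).
const GITHUB_ACTIONS_BUILDTYPE =
  'https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1';

// The DSSE payload is the base64-encoded in-toto statement.
function decodeStatement(envelope) {
  if (envelope.payloadType !== 'application/vnd.in-toto+json') {
    throw new Error(`unexpected payloadType: ${envelope.payloadType}`);
  }
  return JSON.parse(Buffer.from(envelope.payload, 'base64').toString('utf8'));
}

// npm purl: the scope's '@' is percent-encoded, the '/' is kept.
function npmPurl(name, version) {
  return `pkg:npm/${name.replace('@', '%40')}@${version}`;
}

// Inspect a decoded statement for one expected package version and return
// findings in the INFO/HIGH shape this page uses (WARN for a missing commit).
function checkProvenance(statement, { name, version, expectedOrg }) {
  const findings = [];
  const add = (level, title) => findings.push({ level, title });

  if (statement._type !== IN_TOTO_V1) add('HIGH', `unexpected statement type ${statement._type}`);

  // The subject must be THIS package version, with a tarball digest.
  const purl = npmPurl(name, version);
  const subject = (statement.subject || []).find((s) => s.name === purl);
  if (!subject || !subject.digest || !subject.digest.sha512) {
    add('HIGH', `attestation subject does not name ${purl} with a sha512 digest`);
  }

  if (statement.predicateType !== SLSA_V1) {
    add('HIGH', `predicateType is ${statement.predicateType}, not SLSA v1`);
    return findings; // the checks below only make sense on a SLSA v1 predicate
  }
  add('INFO', 'Has SLSA provenance attestation');

  const pred = statement.predicate || {};
  const def = pred.buildDefinition || {};
  const workflow = (def.externalParameters || {}).workflow || {};
  const builderId = ((pred.runDetails || {}).builder || {}).id || '';
  const repo = workflow.repository || '';

  // Publisher check: a GitHub Actions build from a repository in the expected org.
  if (def.buildType === GITHUB_ACTIONS_BUILDTYPE && repo.startsWith(`https://github.com/${expectedOrg}/`)) {
    add('INFO', `Published by GitHub Actions workflow ${workflow.path || '?'} in ${repo} (builder ${builderId})`);
  } else {
    add('HIGH', `Publisher changed: built by ${builderId || 'unknown builder'} from ${repo || 'unknown repository'}`);
  }

  // Source commit: SLSA v1 records it as a gitCommit digest on a resolved dependency.
  const commit = (def.resolvedDependencies || []).map((d) => (d.digest || {}).gitCommit).find(Boolean);
  if (commit) add('INFO', `Source commit ${commit}`);
  else add('WARN', 'No source commit: provenance does not pin the git revision that was built');

  return findings;
}

// Constructed sample (not a real attestation). It mirrors the status block
// above, including the missing source commit. Digest, signature and the
// workflow path are placeholders.
const SAMPLE_STATEMENT = {
  _type: IN_TOTO_V1,
  subject: [{ name: 'pkg:npm/%40hyperlane-xyz/rebalancer@27.3.4', digest: { sha512: '0'.repeat(128) } }],
  predicateType: SLSA_V1,
  predicate: {
    buildDefinition: {
      buildType: GITHUB_ACTIONS_BUILDTYPE,
      externalParameters: {
        workflow: { ref: 'refs/heads/main', repository: 'https://github.com/hyperlane-xyz/hyperlane-monorepo', path: '.github/workflows/release.yml' },
      },
      // No gitCommit digest here: this is what "No source commit" looks like.
      resolvedDependencies: [{ uri: 'git+https://github.com/hyperlane-xyz/hyperlane-monorepo@refs/heads/main' }],
    },
    runDetails: { builder: { id: 'https://github.com/actions/runner/github-hosted' } },
  },
};
const SAMPLE_ENVELOPE = {
  payloadType: 'application/vnd.in-toto+json',
  payload: Buffer.from(JSON.stringify(SAMPLE_STATEMENT)).toString('base64'),
  signatures: [{ keyid: '', sig: 'placeholder-not-verified-here' }],
};

function runSample() {
  return checkProvenance(decodeStatement(SAMPLE_ENVELOPE), {
    name: '@hyperlane-xyz/rebalancer', version: '27.3.4', expectedOrg: 'hyperlane-xyz',
  });
}

console.log(runSample());
```

Run against a real bundle, feed `decodeStatement` the `dsseEnvelope` member of the bundle returned by the registry's attestations endpoint, and only trust the result after the bundle's signature has been verified by the Sigstore tooling; the structural checks here tell you what the attestation claims, not that the claim is authentic.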

Maintainers

nambrot, yorhodes, tkporter, paulbalaji

Keywords

blockchain, collateral, hyperlane, interchain, rebalancer, warp-route

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
maintainer-change | maintainer-added | AI (maintainer-change): New maintainers are org members; consistent with legitimate team transition in hyperlane-xyz monorepo. | ai |
publish-pattern | new-deps-added | AI (publish-pattern): @solana/web3.js and bs58 are canonical Solana packages; appropriate for a cross-chain rebalancer adding Solana support. | ai |
source-diff | large-new-source-files | AI (source-diff): 24 new files consistent with Solana chain support being added to the rebalancer service. | ai |
provenance | publisher-changed | AI (provenance): Hyperlane monorepo migrated to GitHub Actions CI publishing with SLSA attestation; not an account compromise. | ai |
maintainer-change | maintainer-removed | AI (maintainer-change): Removal of noproblemmm aligns with org-level CI publishing migration, not a takeover. | ai |
dependencies | unvetted-dep:@hyperlane-xyz/core | AI (dependencies): Same org scope (@hyperlane-xyz monorepo); consistently used across the package family. | ai |
phantom-deps | phantom-dep:@hyperlane-xyz/core | AI (phantom-deps): Same org scope; declared dep used transitively, not a phantom risk. | ai |
semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Raw IP is 127.0.0.1 in a test file mocking a local RPC endpoint; not a real network exfiltration risk. | ai |
phantom-deps | phantom-dep:@google-cloud/pino-logging-gcp-config | AI (phantom-deps): Framework-scoped GCP logging config package loaded by convention, not direct import. | ai |
phantom-deps | phantom-dep:pino-pretty | AI (phantom-deps): pino-pretty is a conventional optional logger formatter, loaded by config not direct import. | ai |
phantom-deps | phantom-dep:express | AI (phantom-deps): express is a runtime HTTP server dep, may be loaded dynamically or via framework convention. | ai |
phantom-deps | phantom-dep:yaml | AI (phantom-deps): yaml is a config-parsing dep commonly loaded indirectly; stable false positive for this package. | ai |
phantom-deps | phantom-dep:@inquirer/select | AI (phantom-deps): CLI prompt library, likely loaded conditionally; stable false positive for this package. | ai |
phantom-deps | phantom-dep:@inquirer/prompts | AI (phantom-deps): CLI prompt library, likely loaded conditionally; stable false positive for this package. | ai |
phantom-deps | phantom-dep:@hyperlane-xyz/provider-sdk | AI (phantom-deps): Same-org monorepo dep; phantom-dep heuristic is unreliable for monorepo packages. | ai |
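Most of the accepted findings above come from the phantom-dependency rule: a dependency declared in package.json that the package's own source never imports. The check below is an added example, not the scanner's rule or Hyperlane's code, of how that heuristic works and why it is noisy. It scans constructed source files for static imports, `require()` calls and dynamic `import()`, maps each specifier to a package name, and compares the result with a constructed package.json; dependencies that are loaded by configuration rather than by an import statement (the logger formatter case) and same-org monorepo packages are routed to an "accepted" list instead of being reported, mirroring the review policy recorded in the table. All package names, versions and file contents in the sample are constructed.

```javascript
// Added example: a minimal phantom-dependency check. Not the scanner's code.
// "phantom"    = declared in package.json, never imported by this package's source
// "undeclared" = imported by the source, missing from package.json
// Deps loaded by config or framework convention never show up in an import
// statement, which is exactly what produces the false positives accepted above.

const IMPORT_RE = /(?:\bfrom\s*|\brequire\s*\(\s*|\bimport\s*\(?\s*)['"]([^'"]+)['"]/g;

// Bare-name Node builtins that are not npm packages (partial list).
const NODE_BUILTINS = new Set([
  'fs', 'path', 'crypto', 'http', 'https', 'os', 'url', 'util', 'events',
  'stream', 'child_process', 'net', 'tls', 'zlib', 'buffer', 'assert',
]);

// '@scope/pkg/sub' -> '@scope/pkg'; 'pkg/sub' -> 'pkg'; relative paths and
// builtins are not packages and map to null.
function packageName(specifier) {
  if (specifier.startsWith('.') || specifier.startsWith('/') || specifier.startsWith('node:')) return null;
  const parts = specifier.split('/');
  if (NODE_BUILTINS.has(parts[0])) return null;
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

function importedPackages(sources) {
  const names = new Set();
  for (const code of Object.values(sources)) {
    for (const m of code.matchAll(IMPORT_RE)) {
      const name = packageName(m[1]);
      if (name) names.add(name);
    }
  }
  return names;
}

// conventionLoaded: deps known to be loaded by configuration (reviewer-maintained).
// sameOrgScope: scope whose packages are accepted as monorepo siblings. Both are
// review policy, not proof that the dependency is safe.
function checkDependencies(pkgJson, sources, { conventionLoaded = [], sameOrgScope = null } = {}) {
  const declared = new Set(Object.keys(pkgJson.dependencies || {}));
  const imported = importedPackages(sources);
  const phantom = [];
  const accepted = [];
  const undeclared = [];
  for (const dep of declared) {
    if (imported.has(dep)) continue;
    if (conventionLoaded.includes(dep)) accepted.push({ dep, reason: 'loaded by configuration, not by import' });
    else if (sameOrgScope && dep.startsWith(sameOrgScope + '/')) accepted.push({ dep, reason: 'same-org monorepo package' });
    else phantom.push(dep);
  }
  for (const name of imported) if (!declared.has(name)) undeclared.push(name);
  return { phantom: phantom.sort(), accepted, undeclared: undeclared.sort() };
}

// Constructed sample package (names chosen to resemble the table above; versions are placeholders).
const SAMPLE_PACKAGE_JSON = {
  name: '@example/rebalancer-like',
  dependencies: {
    '@hyperlane-xyz/core': '0.0.0', '@solana/web3.js': '0.0.0', bs58: '0.0.0', express: '0.0.0',
    lodash: '0.0.0', pino: '0.0.0', 'pino-pretty': '0.0.0', yaml: '0.0.0',
  },
};
const SAMPLE_SOURCES = {
  'src/index.ts': `
    import express from 'express';
    import pino from 'pino';
    import { Connection } from '@solana/web3.js';
    import bs58 from 'bs58';
    import { loadConfig } from './config';
    const { select } = await import('@inquirer/prompts');   // dynamic import, not declared
  `,
  'src/config.ts': `
    import { readFileSync } from 'fs';
    import path from 'node:path';
    import { parse } from 'yaml';
    export const loadConfig = (p) => parse(readFileSync(path.resolve(p), 'utf8'));
  `,
};

function runSample() {
  return checkDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES, {
    conventionLoaded: ['pino-pretty'],
    sameOrgScope: '@hyperlane-xyz',
  });
}

console.log(JSON.stringify(runSample(), null, 2));
```

On the sample this reports lodash as the only phantom dependency, @inquirer/prompts as imported but undeclared, and pino-pretty and @hyperlane-xyz/core as accepted with their reasons. The regex deliberately ignores string-built specifiers such as `require(name)`, which is the other common source of phantom-dep false positives; treat the output as a review queue, not a verdict.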

Versions (showing 10 of 10)

Version | Deps | Published
27.3.4 | 23 / 19 |
27.3.0 | 23 / 19 |
27.2.6 | 23 / 19 |
26.0.0 | 21 / 19 |
25.5.0 | 21 / 19 |
3.1.1 | 21 / 19 |
1.0.3 | 19 / 17 |
1.0.1 | 19 / 17 |
0.1.2 | 18 / 16 |
0.1.1 | 17 / 16 |

v27.3.4

1 finding
INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with a Sigstore-signed SLSA provenance attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest integrity signal the npm registry offers: it ties the published tarball to the CI workflow that built it. It does not vouch for the contents of the source that workflow built, so it complements rather than replaces review of the diff.

v27.3.0

1 finding
INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with a Sigstore-signed SLSA provenance attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest integrity signal the npm registry offers: it ties the published tarball to the CI workflow that built it. It does not vouch for the contents of the source that workflow built, so it complements rather than replaces review of the diff.

v27.2.6

2 findings
HIGH (provenance): Publisher changed: noproblemmm → GitHub Actions (on 2026-04-13)

This version was published by a different npm account than previous versions, on 2026-04-13. On its own this could indicate either a legitimate maintainer transition or an account compromise. The distinguishing evidence is the provenance attestation on the same version, which names the workflow and repository that performed the publish; if that repository is the hyperlane-xyz monorepo, the change is the CI-publishing migration recorded in the accepted risks above, and if it is anything else, treat the version as suspect.

INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with a Sigstore-signed SLSA provenance attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest integrity signal the npm registry offers: it ties the published tarball to the CI workflow that built it. It does not vouch for the contents of the source that workflow built, so it complements rather than replaces review of the diff.

v26.0.0

1 finding
INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with a Sigstore-signed SLSA provenance attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest integrity signal the npm registry offers: it ties the published tarball to the CI workflow that built it. It does not vouch for the contents of the source that workflow built, so it complements rather than replaces review of the diff.

v25.5.0

1 finding
INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with a Sigstore-signed SLSA provenance attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest integrity signal the npm registry offers: it ties the published tarball to the CI workflow that built it. It does not vouch for the contents of the source that workflow built, so it complements rather than replaces review of the diff.

v3.1.1

1 finding
INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with a Sigstore-signed SLSA provenance attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest integrity signal the npm registry offers: it ties the published tarball to the CI workflow that built it. It does not vouch for the contents of the source that workflow built, so it complements rather than replaces review of the diff.

v1.0.3

1 finding
INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with a Sigstore-signed SLSA provenance attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest integrity signal the npm registry offers: it ties the published tarball to the CI workflow that built it. It does not vouch for the contents of the source that workflow built, so it complements rather than replaces review of the diff.

v1.0.1

1 finding
INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with a Sigstore-signed SLSA provenance attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest integrity signal the npm registry offers: it ties the published tarball to the CI workflow that built it. It does not vouch for the contents of the source that workflow built, so it complements rather than replaces review of the diff.

v0.1.2

1 finding
INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with a Sigstore-signed SLSA provenance attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest integrity signal the npm registry offers: it ties the published tarball to the CI workflow that built it. It does not vouch for the contents of the source that workflow built, so it complements rather than replaces review of the diff.

v0.1.1

1 finding
INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with a Sigstore-signed SLSA provenance attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest integrity signal the npm registry offers: it ties the published tarball to the CI workflow that built it. It does not vouch for the contents of the source that workflow built, so it complements rather than replaces review of the diff.