@layerzerolabs/lz-solana-sdk-v2
Versions: 1
License: —
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
layerzero-bot
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Localhost 127.0.0.1 used only for LOCAL dev environment config; not a network exfiltration risk. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Loads deployment JSON files by network/program name from within the package; not arbitrary module loading. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Standard Solana packet receiver address decoding; expected in blockchain SDK code. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Decoding simulation response logs; standard Solana RPC pattern. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Monorepo SDK sub-package; missing description/repo/keywords is common for internal scoped packages. | ai | |
Versions (showing 1 of 1)
| Version | Deps | Published |
|---|---|---|
| 3.0.168 | 19 / 26 | |