@layerzerolabs/lz-v2-stellar-sdk

TypeScript SDK for endpoint-v2 Stellar contract

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

layerzero-bot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	encoded-string-file:src/generated/uln302.ts	AI (source-diff): Base64-encoded Stellar contract XDR specs; standard Soroban SDK generated client pattern.	ai	2026/06/01
source-diff	encoded-string-file:src/generated/executor_helper.ts	AI (source-diff): Base64-encoded Stellar contract XDR specs; standard Soroban SDK generated client pattern.	ai	2026/06/01
source-diff	encoded-string-file:src/generated/executor.ts	AI (source-diff): Base64-encoded Stellar contract XDR specs; standard Soroban SDK generated client pattern.	ai	2026/06/01
source-diff	encoded-string-file:src/generated/sml.ts	AI (source-diff): Base64-encoded Stellar contract XDR specs; standard Soroban SDK generated client pattern.	ai	2026/06/01
source-diff	encoded-string-file:dist/generated/bml.js	AI (source-diff): Base64-encoded Stellar contract XDR specs passed to ContractSpec constructor; standard Soroban SDK pattern.	ai	2026/06/01
source-diff	encoded-string-file:dist/generated/counter.js	AI (source-diff): Base64-encoded Stellar contract XDR specs; standard Soroban SDK generated client pattern.	ai	2026/06/01
source-diff	encoded-string-file:dist/generated/endpoint.js	AI (source-diff): Base64-encoded Stellar contract XDR specs; standard Soroban SDK generated client pattern.	ai	2026/06/01
source-diff	encoded-string-file:dist/generated/sml.js	AI (source-diff): Base64-encoded Stellar contract XDR specs; standard Soroban SDK generated client pattern.	ai	2026/06/01
source-diff	encoded-string-file:dist/generated/uln302.js	AI (source-diff): Base64-encoded Stellar contract XDR specs; standard Soroban SDK generated client pattern.	ai	2026/06/01
source-diff	encoded-string-file:src/generated/bml.ts	AI (source-diff): Base64-encoded Stellar contract XDR specs; standard Soroban SDK generated client pattern.	ai	2026/06/01
source-diff	encoded-string-file:src/generated/counter.ts	AI (source-diff): Base64-encoded Stellar contract XDR specs; standard Soroban SDK generated client pattern.	ai	2026/06/01
source-diff	encoded-string-file:src/generated/endpoint.ts	AI (source-diff): Base64-encoded Stellar contract XDR specs; standard Soroban SDK generated client pattern.	ai	2026/06/01
phantom-deps	phantom-dep:@noble/hashes	AI (phantom-deps): Declared runtime dep; phantom-dep heuristic false positive for this package.	ai	2026/05/31
phantom-deps	phantom-dep:@noble/secp256k1	AI (phantom-deps): Declared runtime dep; phantom-dep heuristic false positive for this package.	ai	2026/05/31
semgrep	semgrep:base64-decode	AI (semgrep): Fires on generated WASM buffer helpers that embed compiled Stellar contracts as base64; stable pattern for this SDK.	ai	2026/05/31

Versions (showing 31 of 31)

Version	Deps	Published
0.2.84	4 / 7	2026-05-01
0.2.83	4 / 7	2026-04-30
0.2.82	4 / 7	2026-04-28
0.2.81	4 / 7	2026-04-24
0.2.80	4 / 7	2026-04-22
0.2.79	4 / 7	2026-04-20
0.2.78	4 / 7	2026-04-16
0.2.77	4 / 7	2026-04-15
0.2.76	4 / 7	2026-04-15
0.2.75	4 / 7	2026-04-14
0.2.74	4 / 7	2026-04-14
0.2.73	4 / 7	2026-04-14
0.2.72	4 / 7	2026-04-14
0.2.71	4 / 7	2026-04-13
0.2.70	4 / 7	2026-04-13
0.2.69	4 / 7	2026-04-13
0.2.68	4 / 7	2026-04-10
0.2.67	4 / 7	2026-04-09
0.2.66	4 / 7	2026-04-09
0.2.65	4 / 7	2026-04-06
0.2.64	4 / 7	2026-04-01
0.2.63	4 / 7	2026-03-31
0.2.62	4 / 9	2026-03-30
0.2.19	5 / 8	2026-01-22
0.2.15	2 / 9	2026-01-15
0.2.13	2 / 9	2026-01-10
0.2.12	2 / 9	2026-01-10
0.2.11	2 / 9	2026-01-09
0.2.10	2 / 9	2026-01-08
0.2.9	2 / 9	2026-01-07
0.2.8	2 / 9	2025-12-24

v0.2.84

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.83

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.81

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.80

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.79

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.78

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.76

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.75

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.74

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.73

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.72

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.71

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.70

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.69

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.68

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.67

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.66

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.65

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.64

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.63

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.62

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.19

40 findings

HIGH New obfuscated file: dist/generated/dvn_fee_lib.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/generated/dvn.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/generated/executor_fee_lib.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/generated/executor_helper.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/generated/executor.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/generated/oft.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/generated/price_feed.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/generated/treasury.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/generated/dvn_fee_lib.d.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: src/generated/dvn_fee_lib.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/generated/dvn.d.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: src/generated/dvn.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/generated/executor_fee_lib.d.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: src/generated/executor_fee_lib.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/generated/executor_helper.d.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/generated/executor.d.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/generated/oft.d.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: src/generated/oft.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/generated/price_feed.d.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: src/generated/price_feed.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/generated/treasury.d.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: src/generated/treasury.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH Long encoded string in modified file: dist/generated/bml.js source-diff

Modified file contains 36 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: dist/generated/counter.js source-diff

Modified file contains 55 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: dist/generated/endpoint.js source-diff

Modified file contains 77 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: dist/generated/sml.js source-diff

Modified file contains 43 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: dist/generated/uln302.js source-diff

Modified file contains 76 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: dist/generated/bml.d.ts source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: src/generated/bml.ts source-diff

Modified file contains 36 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: dist/generated/counter.d.ts source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: src/generated/counter.ts source-diff

Modified file contains 55 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: dist/generated/endpoint.d.ts source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: src/generated/endpoint.ts source-diff

Modified file contains 77 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: src/generated/executor_helper.ts source-diff

Modified file contains 52 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: src/generated/executor.ts source-diff

Modified file contains 76 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: dist/generated/sml.d.ts source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: src/generated/sml.ts source-diff

Modified file contains 43 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: dist/generated/uln302.d.ts source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: src/generated/uln302.ts source-diff

Modified file contains 76 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.15

13 findings

HIGH Long encoded string in modified file: dist/generated/bml.js source-diff

Modified file contains 30 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: dist/generated/counter.js source-diff

Modified file contains 41 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: dist/generated/endpoint.js source-diff

Modified file contains 67 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: dist/generated/sml.js source-diff

Modified file contains 33 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: dist/generated/uln302.js source-diff

Modified file contains 66 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: src/generated/bml.ts source-diff

Modified file contains 30 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: src/generated/counter.ts source-diff

Modified file contains 41 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: src/generated/endpoint.ts source-diff

Modified file contains 67 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: src/generated/executor_helper.ts source-diff

Modified file contains 44 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: src/generated/executor.ts source-diff

Modified file contains 67 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: src/generated/sml.ts source-diff

Modified file contains 33 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: src/generated/uln302.ts source-diff

Modified file contains 66 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.13

13 findings

HIGH Long encoded string in modified file: dist/generated/bml.js source-diff

Modified file contains 30 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: dist/generated/counter.js source-diff

Modified file contains 38 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: dist/generated/endpoint.js source-diff

Modified file contains 64 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.