@uniswap/v4-core
1
Versions
—
License
No
Install Scripts
Verified
Provenance
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
gitHead linked
Maintainers
uniswap-labs-service-accountuniswap-labs-owner-account
Keywords
uniswapcorev4
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:child-process-import | AI (semgrep): child_process usage is confined to lib/openzeppelin-contracts/certora/run.js, a formal verification runner script for Certora. Not executed at install time; benign developer tooling. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require() in certora/run.js loads a user-specified spec file for formal verification. Not reachable at install time; expected pattern for this tooling script. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): proc.spawn('certoraRun', ...) in certora/run.js invokes the Certora formal verification tool. Benign developer tooling, not executed at install time. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Package is the official Uniswap v4-core with SLSA provenance and verified GitHub repo. README link patterns and dependency structure are consistent with a Solidity smart contract library. | ai |
Versions (showing 1 of 1)
| Version | Deps | Published |
|---|---|---|
| 1.0.2 | 0 / 0 |
v1.0.2
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.