@asamuzakjp/dom-selector

A CSS selector engine.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

asamuzakjp

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	net-exec-file:src/js/nwsapi.js	AI (source-diff): Vendored fork of nwsapi; Function() builds CSS selector resolvers, not network/exec malware.	ai	2026/05/29
source-diff	obfuscated-file:dist/cjs/js/constant.js	AI (source-diff): Minified output from documented esbuild build step; source files included in package for verification.	ai	2026/04/21
source-diff	obfuscated-file:dist/cjs/js/parser.js	AI (source-diff): Minified output from documented esbuild build step; source files included in package for verification.	ai	2026/04/21
phantom-deps	phantom-dep:@types/node	AI (phantom-deps): Type definitions are conventionally loaded; stable pattern for TypeScript packages.	ai	2026/04/21
source-diff	obfuscated-file:dist/cjs/js/utility.js	AI (source-diff): Minified output from esbuild build step (documented in package.json compat script); stable for this package's build process.	ai	2026/04/21
source-diff	obfuscated-file:dist/cjs/index.cjs	AI (source-diff): Minified CJS bundle output from tsup bundler; source available in src/ directory with TypeScript types. Standard build artifact, not obfuscation hiding malicious code.	ai	2026/04/21
dependencies	unvetted-dep:@types/node	AI (dependencies): @types/node is a Microsoft-maintained TypeScript type package; its use as a runtime dependency in a TypeScript project is a common pattern and poses no security risk.	ai	2026/04/21
source-diff	source-size-tripled	AI (source-diff): Size increase is explained by addition of finder.js module (~83KB source + ~84KB CJS build + ~135KB source map). Legitimate feature addition to a CSS selector engine by a trusted publisher.	ai	2026/04/21
phantom-deps	phantom-dep:@types/css-tree	AI (phantom-deps): Type definitions are conventionally loaded; stable pattern for TypeScript packages.	ai	2026/04/21
dependencies	unvetted-dep:@types/css-tree	AI (dependencies): @types/css-tree is a standard TypeScript type definition package for css-tree, appropriate for a DOM selector library. No security concern.	ai	2026/04/21
dependencies	unvetted-dep:nwsapi	AI (dependencies): nwsapi is a legitimate CSS selector library; its addition to a DOM selector engine is contextually appropriate and pinned to a specific version.	ai	2026/04/21
source-diff	obfuscated-file:dist/cjs/js/dom-util.js	AI (source-diff): Minified CommonJS output from esbuild build process; legitimate build artifact with source maps and TypeScript sources available.	ai	2026/04/21
source-diff	obfuscated-file:dist/cjs/js/matcher.js	AI (source-diff): Minified output from documented esbuild build step; source files included in package for verification.	ai	2026/04/21
source-diff	obfuscated-file:dist/cjs/js/finder.js	AI (source-diff): Minified output from documented esbuild build step; source files included in package for verification.	ai	2026/04/21
publish-pattern	new-deps-added	AI (publish-pattern): New dependency is @asamuzakjp/nwsapi, another package from the same trusted publisher; not an external third-party addition.	ai	2026/04/21
dependencies	unvetted-dep:bidi-js	AI (dependencies): Legitimate dependency for bidirectional text handling in CSS selector engine; version constraint is reasonable.	ai	2026/04/21
dependencies	unvetted-dep:xpath	AI (dependencies): xpath is a well-established npm package for XPath evaluation; its use in a DOM selector library is functionally appropriate and not a security concern.	ai	2026/04/21
dependencies	unvetted-dep:is-potential-custom-element-name	AI (dependencies): Focused utility for validating custom element names; appropriate for DOM selector domain.	ai	2026/04/21
dependencies	unvetted-dep:css-tree	AI (dependencies): css-tree is a well-established CSS parser; legitimate for a DOM selector library.	ai	2026/04/21
provenance	no-provenance	AI (provenance): Package predates Sigstore adoption; no provenance is not a security signal for established packages.	ai	2026/04/21

Versions (showing 51 of 212)

View all versions

Version	Deps	Published
8.0.2	4 / 21	2026-05-20
8.0.1	4 / 21	2026-05-02
8.0.0	4 / 21	2026-05-02
7.1.1	5 / 21	2026-04-19
7.1.0	5 / 21	2026-04-18
7.0.10	5 / 21	2026-04-15
7.0.9	4 / 20	2026-04-09
7.0.8	4 / 20	2026-04-07
7.0.7	4 / 20	2026-04-06
7.0.6	5 / 20	2026-04-04
7.0.5	5 / 20	2026-04-03
7.0.4	5 / 19	2026-03-20
7.0.3	5 / 19	2026-03-15
7.0.2	5 / 19	2026-03-13
7.0.1	5 / 19	2026-03-03
7.0.0	5 / 19	2026-02-22
6.8.1	5 / 21	2026-02-14
6.8.0	5 / 21	2026-02-14
6.7.8	5 / 21	2026-02-05
6.7.7	5 / 21	2026-01-31
6.7.6	5 / 21	2025-12-06
6.7.5	5 / 21	2025-11-30
6.7.4	5 / 23	2025-10-31
6.7.3	5 / 23	2025-10-24
6.7.2	5 / 23	2025-10-18
6.7.0	5 / 23	2025-10-17
6.6.2	5 / 23	2025-10-11
6.6.1	5 / 23	2025-10-05
6.5.7	5 / 20	2025-09-30
6.5.6	5 / 20	2025-09-23
6.5.5	4 / 20	2025-09-17
6.5.4	4 / 20	2025-08-20
6.5.3	4 / 20	2025-07-16
6.5.2	4 / 20	2025-07-11
6.5.1	4 / 20	2025-07-09
6.5.0	4 / 20	2025-04-15
6.4.7	4 / 21	2025-03-24
6.4.6	4 / 21	2025-03-22
6.4.5	4 / 21	2025-03-15
6.4.4	4 / 21	2025-03-12
6.4.3	4 / 21	2025-03-12
6.4.2	4 / 20	2025-02-01
6.4.0	4 / 21	2025-01-13
6.3.7	4 / 20	2024-12-15
6.3.5	4 / 20	2024-11-14
6.3.4	4 / 20	2024-11-11
6.3.3	4 / 20	2024-11-10
6.3.2	4 / 20	2024-11-10
6.3.1	4 / 20	2024-11-10
6.3.0	4 / 20	2024-11-10
6.2.2	4 / 20	2024-11-03

v8.0.2

2 findings

HIGH New file with network + code execution: src/js/nwsapi.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.