@azure/msal-node-extensions
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): 169.254.169.254 is the Azure IMDS endpoint; standard usage in all Azure SDKs, not malicious. | ai | |
| npm-metadata | url-dep:rollup-msal | AI (npm-metadata): Monorepo-internal devDependency; no runtime impact. | ai | |
| npm-metadata | url-dep:msal-test-utils | AI (npm-metadata): Monorepo-internal devDependency; no runtime impact. | ai | |
| npm-metadata | url-dep:eslint-config-msal | AI (npm-metadata): Monorepo-internal devDependency; no runtime impact. | ai | |
| install-scripts | install-script:install | AI (install-scripts): Script is literally `exit 0` — a no-op placeholder to suppress node-gyp auto-rebuild; harmless and stable for this package. | ai | |
| npm-metadata | bundled-binaries | AI (npm-metadata): dpapi.node binaries are documented Windows DPAPI native bindings; expected for this credential-storage extension package. | ai | |
Versions (showing 14 of 14)
| Version | Deps | Published |
|---|---|---|
| 5.2.3 | 3 / 16 | |
| 5.2.2 | 3 / 16 | |
| 5.1.5 | 3 / 16 | |
| 5.1.2 | 3 / 16 | |
| 5.1.0 | 3 / 16 | |
| 5.0.6 | 3 / 16 | |
| 5.0.5 | 3 / 16 | |
| 5.0.4 | 3 / 16 | |
| 5.0.3 | 3 / 16 | |
| 5.0.2 | 3 / 16 | |
| 1.5.29 | 3 / 16 | |
| 1.5.27 | 3 / 16 | |
| 1.5.26 | 3 / 16 | |
| 1.5.25 | 3 / 16 | |
v5.2.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.5
3 findings:
- Script: `exit 0`
- Package contains compiled binaries that could be backdoors: bin/arm64/dpapi.node, bin/ia32/dpapi.node, bin/x64/dpapi.node
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.1.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.6
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.29
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.27
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.26
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.25
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.