@azure/storage-blob
Microsoft Azure Storage SDK for JavaScript - Blob
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Flagged occurrences are code comments documenting the Azure Storage Emulator's localhost endpoint (127.0.0.1:10000). No actual HTTP requests to raw IPs; stable false positive for this package. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Buffer.from(accountKey, 'base64') is the standard decoding of Azure Storage shared key credentials for HMAC signing. Expected and documented behavior; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@azure/core-lro | AI (dependencies): Official @azure scoped package from the same Microsoft Azure SDK ecosystem. | ai | |
| dependencies | unvetted-dep:@azure/core-xml | AI (dependencies): Official @azure scoped package from the same Microsoft Azure SDK ecosystem. | ai | |
| dependencies | unvetted-dep:@azure/core-auth | AI (dependencies): Official @azure scoped package from the same Microsoft Azure SDK ecosystem. | ai | |
| dependencies | unvetted-dep:@azure/core-util | AI (dependencies): Official @azure scoped package from the same Microsoft Azure SDK ecosystem. | ai | |
| dependencies | unvetted-dep:@azure/core-client | AI (dependencies): Official @azure scoped package from the same Microsoft Azure SDK ecosystem. | ai | |
| provenance | no-provenance | AI (provenance): Official Microsoft Azure SDK published by microsoft1es with established identity; lack of Sigstore provenance is not a meaningful risk signal for this publisher. | ai | |
| dependencies | unvetted-dep:@azure/core-tracing | AI (dependencies): Official @azure scoped package from the same Microsoft Azure SDK ecosystem. | ai | |
| dependencies | unvetted-dep:@azure/storage-common | AI (dependencies): Official @azure scoped package from the same Microsoft Azure SDK ecosystem. | ai | |
| dependencies | unvetted-dep:@azure/abort-controller | AI (dependencies): Official @azure scoped package from the same Microsoft Azure SDK ecosystem. | ai | |
| dependencies | unvetted-dep:@azure/core-http-compat | AI (dependencies): Official @azure scoped package from the same Microsoft Azure SDK ecosystem. | ai | |
| dependencies | unvetted-dep:@azure/core-rest-pipeline | AI (dependencies): Official @azure scoped package from the same Microsoft Azure SDK ecosystem. | ai | |
| dependencies | unvetted-dep:@azure/core-paging | AI (dependencies): Official @azure scoped package from the same Microsoft Azure SDK ecosystem. | ai | |
| dependencies | unvetted-dep:@azure/logger | AI (dependencies): Official @azure scoped package from the same Microsoft Azure SDK ecosystem; unvetted status reflects review pipeline lag, not a security concern. | ai | |
Versions (showing 39 of 39)
| Version | Deps | Published |
|---|---|---|
| 12.31.0 | 14 / 20 | |
| 12.30.0 | 14 / 20 | |
| 12.29.1 | 14 / 20 | |
| 12.29.0 | 14 / 16 | |
| 12.28.0 | 14 / 16 | |
| 12.27.0 | 13 / 31 | |
| 12.26.0 | 13 / 31 | |
| 12.25.0 | 13 / 34 | |
| 12.24.0 | 13 / 34 | |
| 12.23.0 | 13 / 34 | |
| 12.18.0 | 8 / 42 | |
| 12.17.0 | 8 / 42 | |
| 12.16.0 | 8 / 42 | |
| 12.15.0 | 8 / 42 | |
| 12.14.0 | 8 / 42 | |
| 12.13.0 | 8 / 42 | |
| 12.12.0 | 8 / 42 | |
| 12.11.0 | 8 / 42 | |
| 12.10.0 | 8 / 42 | |
| 12.9.0 | 8 / 42 | |
| 12.8.0 | 8 / 54 | |
| 12.7.0 | 8 / 54 | |
| 12.6.0 | 8 / 53 | |
| 12.5.0 | 9 / 52 | |
| 12.4.1 | 9 / 53 | |
| 12.4.0 | 9 / 49 | |
| 12.3.0 | 9 / 47 | |
| 12.2.1 | 9 / 52 | |
| 12.2.0 | 9 / 52 | |
| 12.1.2 | 9 / 51 | |
| 12.1.1 | 9 / 52 | |
| 12.1.0 | 9 / 52 | |
| 12.0.2 | 9 / 51 | |
| 12.0.1 | 9 / 58 | |
| 12.0.0 | 8 / 62 | |
| 10.5.0 | 3 / 59 | |
| 10.4.1 | 3 / 59 | |
| 10.4.0 | 3 / 60 | |
| 10.3.0 | 3 / 37 | |
v12.30.0
1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.29.1
1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.29.0
1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.28.0
1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.27.0
1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.26.0
1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.25.0
1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.24.0
1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.23.0
1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.18.0
1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.17.0
1 finding [Accepted risk]: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.16.0
1 finding [Accepted risk]: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.15.0
1 finding [Accepted risk]: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.14.0
1 finding [Accepted risk]: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.13.0
1 finding [Accepted risk]: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.12.0
1 finding [Accepted risk]: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.11.0
1 finding [Accepted risk]: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.10.0
1 finding [Accepted risk]: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.9.0
1 finding [Accepted risk]: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.8.0
1 finding [Accepted risk]: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.7.0
1 finding [Accepted risk]: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.6.0
1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.5.0
1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.4.1
1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.4.0
1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.3.0
1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.2.1
1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.2.0
1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.1.2
1 finding [Accepted risk]: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.1.1
1 finding [Accepted risk]: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.1.0
1 finding [Accepted risk]: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.0.2
1 finding [Accepted risk]: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.0.1
1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.0.0
1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.5.0
1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.4.1
1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.4.0
1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.3.0
1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.