@boost/debug
Lightweight debugging and crash reporting.
Versions: 46
License: MIT
Install scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source: the registry signature only proves that the npm registry served this exact tarball, and gitHead is a commit hash written into package.json by whoever ran npm publish, which the registry does not check. The axios compromise (March 2026) relied on exactly this gap.
Maintainers
milesj
Keywords
boost, debug, debugger, debugging, crash, report, reporting
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Provenance attestation is a best-practice recommendation; absence is not a security defect for an established, trusted publisher. | ai | |
| dependencies | unvetted-dep:@types/execa | AI (dependencies): @types/execa is a standard TypeScript type definition package for execa; its use alongside execa as a runtime dep is a common TS pattern with no security risk. | ai | |
| dependencies | unvetted-dep:fast-glob | AI (dependencies): fast-glob is a widely-used, well-maintained glob library with no malicious history; its use in a debug/crash-reporting package is legitimate and expected. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): The new dependency (fast-glob) is a well-known, benign utility library; addition is consistent with legitimate feature expansion in a crash reporter. | ai | |
| dependencies | unvetted-dep:@boost/internal | AI (dependencies): @boost/internal is a first-party monorepo package by the same publisher (milesj); safe for all @boost/* packages. | ai | |
| dependencies | unvetted-dep:debug | AI (dependencies): `debug` is a ubiquitous, well-known npm package with no malicious history; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:execa | AI (dependencies): `execa` is a widely-used, well-known npm package with no malicious history; stable false positive for this package. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): CrashReporter intentionally enumerates process.env for diagnostic reporting — this is the documented, expected behavior of a crash/debug reporting library. | ai | |
| phantom-deps | phantom-dep:@types/execa | AI (phantom-deps): @types/* packages are TypeScript type definitions consumed by the compiler, not directly imported at runtime. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/debug | AI (phantom-deps): @types/* packages are TypeScript type definitions consumed by the compiler, not directly imported at runtime. Stable false positive for this package. | ai | |
Versions (showing 46 of 46)
| Version | Deps | Published |
|---|---|---|
| 5.0.0 | 6 / 0 | |
| 4.0.1 | 6 / 0 | |
| 4.0.0 | 6 / 0 | |
| 3.0.3 | 6 / 0 | |
| 3.0.2 | 6 / 0 | |
| 3.0.1 | 6 / 0 | |
| 3.0.0 | 6 / 0 | |
| 2.2.8 | 6 / 0 | |
| 2.2.7 | 6 / 0 | |
| 2.2.6 | 6 / 0 | |
| 2.2.5 | 6 / 0 | |
| 2.2.4 | 6 / 0 | |
| 2.2.3 | 6 / 0 | |
| 2.2.2 | 6 / 0 | |
| 2.2.1 | 6 / 0 | |
| 2.2.0 | 6 / 0 | |
| 2.1.7 | 6 / 0 | |
| 2.1.6 | 6 / 0 | |
| 2.1.5 | 6 / 0 | |
| 2.1.4 | 6 / 0 | |
| 2.1.3 | 6 / 0 | |
| 2.1.2 | 6 / 0 | |
| 2.1.1 | 6 / 0 | |
| 2.1.0 | 6 / 0 | |
| 2.0.1 | 6 / 0 | |
| 2.0.0 | 6 / 0 | |
| 1.4.7 | 6 / 0 | |
| 1.4.6 | 6 / 0 | |
| 1.4.5 | 6 / 0 | |
| 1.4.4 | 6 / 0 | |
| 1.4.3 | 6 / 0 | |
| 1.4.2 | 6 / 0 | |
| 1.4.1 | 6 / 0 | |
| 1.4.0 | 6 / 0 | |
| 1.3.2 | 5 / 0 | |
| 1.3.1 | 5 / 0 | |
| 1.3.0 | 5 / 0 | |
| 1.2.0 | 5 / 0 | |
| 1.1.3 | 5 / 0 | |
| 1.1.2 | 5 / 0 | |
| 1.1.1 | 5 / 0 | |
| 1.1.0 | 5 / 0 | |
| 1.0.3 | 5 / 0 | |
| 1.0.2 | 5 / 0 | |
| 1.0.1 | 5 / 0 | |
| 1.0.0 | 6 / 0 | |