@codspeed/core — Greenflagged

The core Node library used to integrate with Codspeed runners

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

art049adriencaccia

Keywords

codspeedbenchmarkperformance

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:stack-trace	AI (phantom-deps): stack-trace is a runtime dep used via native bindings/config; not directly imported in JS but legitimately used.	ai	2026/05/31
dependencies	unvetted-dep:node-gyp-build	AI (dependencies): node-gyp-build is the standard loader for prebuilt native addons; expected for this native binding package.	ai	2026/05/27
phantom-deps	phantom-dep:axios	AI (phantom-deps): axios is a declared runtime dependency used indirectly; phantom-dep heuristic fires but this is a stable false positive.	ai	2026/04/30
typosquat	typosquat.levenshtein:cors	AI (typosquat): Scoped package @codspeed/core is clearly branded; not a typosquat of cors.	ai	2026/04/30
phantom-deps	phantom-dep:form-data	AI (phantom-deps): form-data is a declared runtime dependency; phantom-dep heuristic is a stable false positive here.	ai	2026/04/30
phantom-deps	phantom-dep:find-up	AI (phantom-deps): find-up is a declared runtime dependency; phantom-dep heuristic is a stable false positive here.	ai	2026/04/30
npm-metadata	bundled-binaries	AI (npm-metadata): Native addon package with gypfile:true and node-gyp-build; prebuilt .napi.node files are expected and attested via SLSA provenance.	ai	2026/04/30

Versions (showing 6 of 6)

Version	Deps	Published
5.5.0	5 / 6	2026-05-29
5.4.0	4 / 5	2026-04-28
5.3.0	4 / 5	2026-04-17
5.2.0	4 / 5	2026-02-09
5.1.0	4 / 5	2026-02-03
5.0.0	4 / 5	2025-09-26

v5.5.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.4.0

3 findings

HIGH Bundled binary files (3) npm-metadata

Package contains compiled binaries that could be backdoors: • prebuilds/darwin-arm64/node.napi.node • prebuilds/linux-arm64/node.napi.node • prebuilds/linux-x64/node.napi.node

HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@codspeed/core' is 1 edit(s) away from popular package 'cors'.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.3.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.2.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.1.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.