
@cosmology/protobufjs

Protocol Buffers for JavaScript (& TypeScript).

Versions: 3
License: BSD-3-Clause
Install Scripts: Yes
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

- No SLSA provenance
- npm registry signatures
- gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

- ljun
- zetazz
- pyramation

Keywords

protobuf, protocol-buffers, serialization, typescript

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
provenance | publisher-changed | AI (provenance): pyramation is the established Cosmology team publisher with 2677 approved packages and 2767 days of history; transition from zetazz is a legitimate org consolidation. | ai |
maintainer-change | maintainer-added | AI (maintainer-change): New maintainer ljun is part of the Cosmology team; addition is consistent with legitimate org-level maintainer management. | ai |
publish-pattern | dormant-publish | AI (publish-pattern): This is a niche ecosystem fork updated infrequently by design; dormancy is expected and publisher track record is strong. | ai |
phantom-deps | phantom-dep:@types/long | AI (phantom-deps): TypeScript type package loaded by convention, not direct import. Expected for protobufjs TypeScript support. | ai |
phantom-deps | phantom-dep:@types/node | AI (phantom-deps): TypeScript type package for Node.js, loaded by convention. Standard for any Node.js TypeScript package. | ai |
phantom-deps | phantom-dep:long | AI (phantom-deps): long is an optional runtime dependency for protobufjs; referenced in config but loaded conditionally. Standard protobufjs pattern. | ai |
install-scripts | install-script:postinstall | AI (install-scripts): Postinstall is the standard protobufjs version-scheme check that reads local package.json; benign and inherited from upstream protobufjs. | ai |
semgrep | semgrep:child-process-exec | AI (semgrep): child_process.exec in pbts.js runs jsdoc with a resolved path; standard CLI tooling behavior for this package. | ai |
semgrep | semgrep:child-process-import | AI (semgrep): child_process used in pbts.js CLI tool to invoke jsdoc for TypeScript definition generation; expected, documented behavior. | ai |
semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require loads local package.json via path.join(__dirname, '..', 'package.json'); not arbitrary code execution, benign upstream pattern. | ai |

Versions (showing 3 of 3)

Version | Deps | Published
7.3.2 | 13 / 30 |
6.11.6 | 13 / 33 |
6.11.5 | 13 / 33 |

v7.3.2

2 findings
HIGH (provenance): Publisher changed: zetazz → pyramation (on 2024-06-13)

This version was published by a different npm account than previous versions on 2024-06-13. This could indicate a legitimate maintainer transition or an account compromise.

LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.11.5

1 finding
LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.