← Home

@datadog/native-iast-taint-tracking

npm Repository Homepage

Datadog IAST tant tracking support for NodeJS

2
Versions
Apache-2.0
License
Yes
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

datadog

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
install-scripts install-script:install AI (install-scripts): Install script is literally `exit 0` — a no-op placeholder; stable for this native addon package. ai
npm-metadata bundled-binaries AI (npm-metadata): Prebuilt .node binaries are the expected distribution mechanism for this native addon; SLSA provenance confirms CI/CD build integrity. ai
semgrep semgrep:child-process-import AI (semgrep): child_process used in libc.js to detect Linux libc variant for prebuild selection — standard native addon pattern. ai

Versions (showing 2 of 2)

Version Deps Published
4.1.0 1 / 9
4.0.0 1 / 9

v4.1.0

3 findings
HIGH Package has 'install' script install-scripts

Script: exit 0

HIGH Bundled binary files (56) npm-metadata

Package contains compiled binaries that could be backdoors: • prebuilds/darwin-arm64/node-108.node • prebuilds/darwin-x64/node-108.node • prebuilds/linuxglibc-arm64/node-108.node • prebuilds/linuxglibc-x64/node-108.node • prebuilds/linuxmusl-arm64/node-108.node • prebuilds/linuxmusl-x64/node-108.node • prebuilds/win32-x64/node-108.node • prebuilds/darwin-arm64/node-111.node • prebuilds/darwin-x64/node-111.node • prebuilds/linuxglibc-arm64/node-111.node ... and 46 more

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.0

3 findings
HIGH Package has 'install' script install-scripts

Script: exit 0

HIGH Bundled binary files (49) npm-metadata

Package contains compiled binaries that could be backdoors: • prebuilds/darwin-arm64/node-108.node • prebuilds/darwin-x64/node-108.node • prebuilds/linuxglibc-arm64/node-108.node • prebuilds/linuxglibc-x64/node-108.node • prebuilds/linuxmusl-arm64/node-108.node • prebuilds/linuxmusl-x64/node-108.node • prebuilds/win32-x64/node-108.node • prebuilds/darwin-arm64/node-111.node • prebuilds/darwin-x64/node-111.node • prebuilds/linuxglibc-arm64/node-111.node ... and 39 more

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.