@napi-rs/canvas
Canvas for Node.js with skia backend
51
Versions
MIT
License
No
Install Scripts
Verified
Provenance
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
gitHead linked
Maintainers
broooooklynforehalo
Keywords
napi-rsNAPIN-APIRustnode-addonnode-addon-apicanvasimagepdfsvgskia
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@napi-rs/canvas-linux-arm64-musl | AI (dependencies): Standard napi-rs platform-specific optional binary package under the same org scope; identical pattern to other already-accepted platform variants. | ai | |
| phantom-deps | phantom-dep:@napi-rs/canvas-linux-arm64-musl | AI (phantom-deps): Dynamically loaded platform binary following napi-rs convention; not statically imported by design. Same pattern as other accepted platform variants. | ai | |
| dependencies | unvetted-dep:@node-rs/helper | AI (dependencies): @node-rs/helper is the standard napi-rs runtime helper for platform binary loading; legitimate dependency. | ai | |
| phantom-deps | phantom-dep:@napi-rs/canvas-win32-x64-msvc | AI (phantom-deps): Platform binaries are loaded dynamically via @node-rs/helper, not directly imported; expected napi-rs pattern. | ai | |
| phantom-deps | phantom-dep:@napi-rs/canvas-linux-arm64-gnu | AI (phantom-deps): Platform binaries are loaded dynamically via @node-rs/helper, not directly imported; expected napi-rs pattern. | ai | |
| phantom-deps | phantom-dep:@napi-rs/canvas-linux-arm-gnueabihf | AI (phantom-deps): Platform binaries are loaded dynamically via @node-rs/helper, not directly imported; expected napi-rs pattern. | ai | |
| provenance | no-provenance | AI (provenance): Version 0.0.3 predates npm Sigstore provenance support; absence is expected for packages published in this era. | ai | |
| dependencies | unvetted-dep:@napi-rs/canvas-darwin-x64 | AI (dependencies): Standard napi-rs platform-specific optional binary package; same org scope, expected distribution pattern. | ai | |
| dependencies | unvetted-dep:@napi-rs/canvas-darwin-arm64 | AI (dependencies): Standard napi-rs platform-specific optional binary package; same org scope, expected distribution pattern. | ai | |
| dependencies | unvetted-dep:@napi-rs/canvas-android-arm64 | AI (dependencies): Standard napi-rs platform-specific optional binary package; same org scope, expected distribution pattern. | ai | |
| dependencies | unvetted-dep:@napi-rs/canvas-linux-x64-gnu | AI (dependencies): Standard napi-rs platform-specific optional binary package; same org scope, expected distribution pattern. | ai | |
| dependencies | unvetted-dep:@napi-rs/canvas-linux-x64-musl | AI (dependencies): Standard napi-rs platform-specific optional binary package; same org scope, expected distribution pattern. | ai | |
| dependencies | unvetted-dep:@napi-rs/canvas-win32-x64-msvc | AI (dependencies): Standard napi-rs platform-specific optional binary package; same org scope, expected distribution pattern. | ai | |
| dependencies | unvetted-dep:@napi-rs/canvas-linux-arm64-gnu | AI (dependencies): Standard napi-rs platform-specific optional binary package; same org scope, expected distribution pattern. | ai | |
| dependencies | unvetted-dep:@napi-rs/canvas-linux-arm-gnueabihf | AI (dependencies): Standard napi-rs platform-specific optional binary package; same org scope, expected distribution pattern. | ai | |
| phantom-deps | phantom-dep:@napi-rs/canvas-darwin-x64 | AI (phantom-deps): Platform binaries are loaded dynamically via @node-rs/helper, not directly imported; expected napi-rs pattern. | ai | |
| phantom-deps | phantom-dep:@napi-rs/canvas-darwin-arm64 | AI (phantom-deps): Platform binaries are loaded dynamically via @node-rs/helper, not directly imported; expected napi-rs pattern. | ai | |
| phantom-deps | phantom-dep:@napi-rs/canvas-android-arm64 | AI (phantom-deps): Platform binaries are loaded dynamically via @node-rs/helper, not directly imported; expected napi-rs pattern. | ai | |
| phantom-deps | phantom-dep:@napi-rs/canvas-linux-x64-gnu | AI (phantom-deps): Platform binaries are loaded dynamically via @node-rs/helper, not directly imported; expected napi-rs pattern. | ai | |
| phantom-deps | phantom-dep:@napi-rs/canvas-linux-x64-musl | AI (phantom-deps): Platform binaries are loaded dynamically via @node-rs/helper, not directly imported; expected napi-rs pattern. | ai | |
| provenance | publisher-changed | AI (provenance): Package now publishes via GitHub Actions CI/CD with SLSA provenance attestation from the canonical Brooooooklyn/canvas repo. This is a legitimate automation transition, not a compromise. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is gated on NAPI_RS_NATIVE_LIBRARY_PATH env var — a documented napi-rs escape hatch for custom native library paths, stable for this package. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used only to detect musl libc via 'ldd --version' for native binary selection — standard napi-rs pattern, stable across versions. | ai | |
| semgrep | semgrep:child-process-execsync | AI (semgrep): execSync('ldd --version') is a fixed, benign command for musl detection in napi-rs native bindings — not arbitrary shell execution. | ai |
Versions (showing 51 of 112)
| Version | Deps | Published |
|---|---|---|
| 1.0.0 | 0 / 36 | |
| 0.1.100 | 0 / 36 | |
| 0.1.99 | 0 / 36 | |
| 0.1.98 | 0 / 36 | |
| 0.1.97 | 0 / 36 | |
| 0.1.96 | 0 / 36 | |
| 0.1.95 | 0 / 36 | |
| 0.1.94 | 0 / 36 | |
| 0.1.93 | 0 / 36 | |
| 0.1.92 | 0 / 36 | |
| 0.1.91 | 0 / 35 | |
| 0.1.90 | 0 / 35 | |
| 0.1.89 | 0 / 35 | |
| 0.1.88 | 0 / 35 | |
| 0.1.87 | 0 / 35 | |
| 0.1.86 | 0 / 35 | |
| 0.1.85 | 0 / 35 | |
| 0.1.84 | 0 / 33 | |
| 0.1.83 | 0 / 33 | |
| 0.1.82 | 0 / 33 | |
| 0.1.81 | 0 / 33 | |
| 0.1.80 | 0 / 34 | |
| 0.1.79 | 0 / 34 | |
| 0.1.78 | 0 / 34 | |
| 0.1.77 | 0 / 34 | |
| 0.1.76 | 0 / 34 | |
| 0.1.75 | 0 / 34 | |
| 0.1.74 | 0 / 34 | |
| 0.1.73 | 0 / 34 | |
| 0.1.72 | 0 / 33 | |
| 0.1.71 | 0 / 33 | |
| 0.1.70 | 0 / 33 | |
| 0.1.69 | 0 / 33 | |
| 0.1.68 | 0 / 33 | |
| 0.1.67 | 0 / 33 | |
| 0.1.66 | 0 / 33 | |
| 0.1.65 | 0 / 33 | |
| 0.1.64 | 0 / 33 | |
| 0.1.63 | 0 / 33 | |
| 0.1.62 | 0 / 33 | |
| 0.1.61 | 0 / 33 | |
| 0.1.60 | 0 / 33 | |
| 0.1.59 | 0 / 33 | |
| 0.1.58 | 0 / 33 | |
| 0.1.57 | 0 / 33 | |
| 0.1.56 | 0 / 33 | |
| 0.1.55 | 0 / 33 | |
| 0.1.54 | 0 / 33 | |
| 0.1.53 | 0 / 32 | |
| 0.1.52 | 0 / 32 | |
| 0.1.51 | 0 / 37 |
v1.0.0
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.100
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.