@napi-rs/keyring No license 6 versions

@napi-rs/keyring

npm Repository Homepage

6

Versions

—

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

broooooklynforehalo

Keywords

napi-rsNAPIN-APIRustnode-addonnode-addon-api

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Migrated to GitHub Actions CI/CD publishing with SLSA provenance; consistent with napi-rs ecosystem pattern.	ai	2026/04/27
semgrep	semgrep:child-process-import	AI (semgrep): Used only to detect musl libc via hardcoded 'ldd --version' command; standard napi-rs pattern for selecting the correct prebuilt binary.	ai	2026/04/25
semgrep	semgrep:child-process-execsync	AI (semgrep): Hardcoded 'ldd --version' call to detect musl libc; standard napi-rs binary selection pattern, not user-controlled.	ai	2026/04/25
semgrep	semgrep:dynamic-require	AI (semgrep): NAPI_RS_NATIVE_LIBRARY_PATH env var override is a documented napi-rs escape hatch for custom binary paths; stable pattern across all napi-rs packages.	ai	2026/04/25

Versions (showing 6 of 6)

Version	Deps	Published
1.3.0	0 / 12	2026-04-30
1.2.0	0 / 12	2025-09-02
1.1.10	0 / 12	2025-08-29
1.1.9	0 / 12	2025-07-24
1.1.8	0 / 12	2025-05-20
1.1.7	0 / 12	2025-05-04

v1.3.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.2.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.1.10

2 findings

HIGH Publisher changed: broooooklyn → GitHub Actions (on 2025-08-29) provenance

This version was published by a different npm account than previous versions on 2025-08-29. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.1.9

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.1.8

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.1.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.