
@napi-rs/lzma

https://docs.rs/lzma-rs binding to Node.js via https://napi.rs

Versions: 14
License: MIT
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- gitHead linked

Maintainers

broooooklyn, forehalo

Keywords

Node-API, napi, lzma, compress, decompress, xz, napi-rs

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@napi-rs/lzma-linux-arm-gnueabihf | AI (phantom-deps): Platform-specific binary packages declared as optionalDependencies for NAPI native binding; loaded dynamically at runtime. | ai | |
| phantom-deps | phantom-dep:@napi-rs/lzma-linux-arm64-gnu | AI (phantom-deps): Platform-specific binary packages declared as optionalDependencies for NAPI native binding; loaded dynamically at runtime. | ai | |
| phantom-deps | phantom-dep:@napi-rs/lzma-win32-ia32-msvc | AI (phantom-deps): Platform-specific binary packages declared as optionalDependencies for NAPI native binding; loaded dynamically at runtime. | ai | |
| phantom-deps | phantom-dep:@napi-rs/lzma-linux-arm64-musl | AI (phantom-deps): Platform-specific binary packages declared as optionalDependencies for NAPI native binding; loaded dynamically at runtime. | ai | |
| phantom-deps | phantom-dep:@napi-rs/lzma-win32-arm64-msvc | AI (phantom-deps): Platform-specific binary packages declared as optionalDependencies for NAPI native binding; loaded dynamically at runtime. | ai | |
| phantom-deps | phantom-dep:@napi-rs/lzma-darwin-x64 | AI (phantom-deps): Platform-specific binary packages declared as optionalDependencies for NAPI native binding; loaded dynamically at runtime. | ai | |
| phantom-deps | phantom-dep:@napi-rs/lzma-freebsd-x64 | AI (phantom-deps): Platform-specific binary packages declared as optionalDependencies for NAPI native binding; loaded dynamically at runtime. | ai | |
| phantom-deps | phantom-dep:@napi-rs/lzma-darwin-arm64 | AI (phantom-deps): Platform-specific binary packages declared as optionalDependencies for NAPI native binding; loaded dynamically at runtime. | ai | |
| phantom-deps | phantom-dep:@napi-rs/lzma-android-arm64 | AI (phantom-deps): Platform-specific binary packages declared as optionalDependencies for NAPI native binding; loaded dynamically at runtime. | ai | |
| phantom-deps | phantom-dep:@napi-rs/lzma-linux-x64-gnu | AI (phantom-deps): Platform-specific binary packages declared as optionalDependencies for NAPI native binding; loaded dynamically at runtime. | ai | |
| phantom-deps | phantom-dep:@napi-rs/lzma-linux-x64-musl | AI (phantom-deps): Platform-specific binary packages declared as optionalDependencies for NAPI native binding; loaded dynamically at runtime. | ai | |
| phantom-deps | phantom-dep:@napi-rs/lzma-win32-x64-msvc | AI (phantom-deps): Platform-specific binary packages declared as optionalDependencies for NAPI native binding; loaded dynamically at runtime. | ai | |
| semgrep | semgrep:child-process-execsync | AI (semgrep): execSync('ldd --version') is the standard napi-rs pattern for musl detection when selecting prebuilt binaries. Hardcoded command, not user-controlled. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process import is used solely for ldd --version musl detection in napi-rs binary selection logic. Benign and stable for this package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): NAPI_RS_NATIVE_LIBRARY_PATH dynamic require is the documented napi-rs escape hatch for custom native library paths. Standard boilerplate for this ecosystem. | ai | |
| provenance | publisher-changed | AI (provenance): napi-rs packages routinely publish via GitHub Actions CI/CD; SLSA provenance attestation confirms a legitimate pipeline. This pattern is stable for this package. | ai | |

Versions (showing 14 of 14)

| Version | Deps | Published |
|---|---|---|
| 1.4.5 | 0 / 14 | |
| 1.4.4 | 0 / 14 | |
| 1.4.3 | 0 / 14 | |
| 1.4.2 | 0 / 15 | |
| 1.4.1 | 0 / 15 | |
| 1.4.0 | 0 / 15 | |
| 1.3.1 | 0 / 15 | |
| 1.3.0 | 0 / 15 | |
| 1.2.1 | 0 / 14 | |
| 1.2.0 | 0 / 14 | |
| 1.1.2 | 13 / 13 | |
| 1.1.1 | 13 / 13 | |
| 1.1.0 | 0 / 13 | |
| 1.0.0 | 13 / 12 | |

v1.4.5

2 findings

HIGH (provenance): Publisher changed: broooooklyn → GitHub Actions (on 2025-08-10)

This version was published by a different npm account than previous versions on 2025-08-10. This could indicate a legitimate maintainer transition or an account compromise.

INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.4.4

1 finding

INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.4.3

1 finding

INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.4.2

1 finding

INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.4.1

1 finding

INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.4.0

1 finding

INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.3.1

1 finding

INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.3.0

1 finding

INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.2.1

1 finding

INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.2.0

1 finding

INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.1.2

1 finding

LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.

v1.1.1

1 finding

LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.

v1.1.0

1 finding

LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.0

1 finding

LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.