@napi-rs/snappy-linux-arm64-gnu

Fastest Snappy compression library in Node.js

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

broooooklynforehalo

Keywords

snappysnapcompressioncompressnapi-rsNAPIN-APIRustNode-APInode-addonnode-addon-api

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): The @napi-rs/snappy ecosystem migrated to GitHub Actions CI/CD publishing with SLSA attestation. This transition from personal account to GitHub Actions is a documented, security-improving pattern for this package family.	ai	2026/04/24
publish-pattern	dormant-publish	AI (publish-pattern): Dormancy followed by a SLSA-attested GitHub Actions publish tied to the official repo is not a takeover indicator. The provenance attestation validates the publish origin.	ai	2026/04/24
npm-metadata	bundled-binaries	AI (npm-metadata): This package's sole purpose is to ship a prebuilt napi-rs .node binary for Linux ARM64. Bundled binary is expected and intentional for this platform-specific sub-package.	ai	2026/04/24
bogus-package	bogus-package	AI (bogus-package): Platform-specific napi-rs sub-packages legitimately have no deps and minimal READMEs; documentation lives in the parent @napi-rs/snappy package.	ai	2026/04/24

Versions (showing 16 of 16)

Version	Deps	Published
7.3.3	0 / 0	2025-09-11
7.3.2	0 / 0	2025-08-16
7.3.1	0 / 0	2025-08-04
7.3.0	0 / 0	2025-07-15
7.2.2	0 / 0	2022-11-13
7.2.1	0 / 0	2022-10-23
7.2.0	0 / 0	2022-10-05
7.1.2	0 / 0	2022-08-09
7.1.1	0 / 0	2021-12-22
7.1.0	0 / 0	2021-12-22
7.0.5	0 / 0	2021-11-06
7.0.4	0 / 0	2021-10-28
7.0.3	0 / 0	2021-08-27
7.0.2	0 / 0	2021-08-11
7.0.1	0 / 0	2021-08-04
7.0.0	0 / 0	2021-08-04

v7.3.3

2 findings

HIGH Bundled binary files (1) npm-metadata

Package contains compiled binaries that could be backdoors: • snappy.linux-arm64-gnu.node

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.3.2

2 findings

HIGH Publisher changed: broooooklyn → GitHub Actions (on 2025-08-16) provenance

This version was published by a different npm account than previous versions on 2025-08-16. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.3.1

2 findings

HIGH Publisher changed: broooooklyn → GitHub Actions (on 2025-08-04) provenance

This version was published by a different npm account than previous versions on 2025-08-04. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.3.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.