← Home

@napi-rs/wasm-tools

npm Repository Homepage

https://github.com/rustwasm/walrus bindings

5
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

broooooklynforehalo

Keywords

napi-rsNAPIN-APIRustnode-addonnode-addon-api

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance publisher-changed AI (provenance): napi-rs packages migrating from manual (broooooklyn) to GitHub Actions CI publishing with SLSA provenance is a documented, security-improving practice for this org. ai
semgrep semgrep:child-process-execsync AI (semgrep): execSync('ldd --version') is a hardcoded musl detection command in napi-rs generated index.js; no user input, stable pattern across all napi-rs packages. ai
semgrep semgrep:child-process-import AI (semgrep): child_process import is solely for ldd --version musl detection in napi-rs boilerplate; not a risk for this package. ai
semgrep semgrep:dynamic-require AI (semgrep): Dynamic require via NAPI_RS_NATIVE_LIBRARY_PATH env var is standard napi-rs override mechanism; documented and stable across all napi-rs packages. ai

Versions (showing 5 of 5)

Version Deps Published
1.0.1 0 / 17
1.0.0 0 / 19
0.0.3 0 / 20
0.0.2 0 / 20
0.0.1 0 / 20

v1.0.1

2 findings
HIGH Publisher changed: broooooklyn → GitHub Actions (on 2025-08-10) provenance

This version was published by a different npm account than previous versions on 2025-08-10. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.