@oxc-node/core
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| typosquat | typosquat.levenshtein:cors | AI (typosquat): @oxc-node/core is a scoped package in the legitimate oxc-project ecosystem; 'core' is a common word and the match to 'cors' is purely coincidental with no typosquat intent. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process is used only to run 'ldd --version' for musl detection in napi-rs native binary selection — a standard, benign pattern for this type of package. | ai | |
| semgrep | semgrep:child-process-execsync | AI (semgrep): execSync('ldd --version') is a hardcoded, benign command for musl libc detection in napi-rs native binding loader — stable false positive for this package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require on NAPI_RS_NATIVE_LIBRARY_PATH is a standard napi-rs escape hatch for overriding native library path — documented and intentional behavior. | ai |
Versions (showing 13 of 13)
| Version | Deps | Published |
|---|---|---|
| 0.1.0 | 1 / 2 | |
| 0.0.35 | 1 / 2 | |
| 0.0.34 | 1 / 2 | |
| 0.0.33 | 1 / 2 | |
| 0.0.32 | 1 / 2 | |
| 0.0.31 | 1 / 2 | |
| 0.0.30 | 1 / 2 | |
| 0.0.29 | 1 / 2 | |
| 0.0.28 | 1 / 2 | |
| 0.0.27 | 1 / 2 | |
| 0.0.26 | 1 / 2 | |
| 0.0.25 | 1 / 2 | |
| 0.0.24 | 1 / 2 |
v0.0.34
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.33
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.32
2 findingsThis version was published by a different npm account than previous versions on 2025-08-08. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.31
2 findingsThis version was published by a different npm account than previous versions on 2025-08-08. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.30
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.29
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.28
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.27
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.26
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.25
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.24
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.