@parcel/node-resolver-core

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

devongovett

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:@parcel/node-libs-browser	AI (dependencies): @parcel/node-libs-browser is an internal Parcel monorepo package published by the same trusted maintainer (devongovett); this dependency relationship is stable and expected across all versions.	ai	2026/04/24
npm-metadata	no-description	AI (npm-metadata): Internal Parcel monorepo sub-package; missing description is expected and stable across versions.	ai	2026/04/24
provenance	no-provenance	AI (provenance): Parcel packages have historically not used Sigstore provenance; this is consistent across the ecosystem and not a risk signal.	ai	2026/04/24
npm-metadata	bundled-binaries	AI (npm-metadata): These are expected NAPI native bindings for the Parcel resolver, compiled for multiple platforms. Standard pattern for this package; not backdoors.	ai	2026/04/24
semgrep	semgrep:child-process-import	AI (semgrep): child_process is used solely to run 'which ldd' to detect musl libc for native binary selection. Benign and publicly documented in the Parcel repo.	ai	2026/04/24
semgrep	semgrep:child-process-execsync	AI (semgrep): execSync('which ldd') is used to detect musl libc environment for NAPI binary selection. Hardcoded safe command, not user-controlled input.	ai	2026/04/24

Versions (showing 68 of 68)

Hide prereleases

Version	Deps	Published
3.7.4	7 / 22	2026-02-02
3.7.3	7 / 22	2025-12-06
3.7.2	7 / 22	2025-12-06
3.7.1	7 / 22	2025-11-05
3.7.0	7 / 22	2025-09-18
3.6.4	7 / 22	2025-06-20
3.6.3	7 / 22	2025-06-20
3.6.2	7 / 22	2025-05-25
3.6.1	7 / 22	2025-05-16
3.6.0	7 / 22	2025-05-12
3.5.4	7 / 22	2025-03-29
3.5.3	7 / 22	2025-03-29
3.5.2	7 / 22	2025-03-23
3.5.1	7 / 22	2025-03-19
3.5.0	7 / 22	2025-03-18
3.4.3	7 / 22	2024-12-16
3.4.2	7 / 22	2024-11-25
3.4.1	7 / 22	2024-11-25
3.4.0	7 / 22	2024-11-12
3.3.0	7 / 22	2024-02-28
3.2.0	7 / 22	2024-01-04
3.1.3	7 / 23	2023-11-15
3.1.2	7 / 23	2023-11-02
3.1.1	7 / 23	2023-10-24
3.1.0	7 / 23	2023-10-11
3.0.3	6 / 23	2023-06-25
3.0.2	6 / 23	2023-06-08
3.0.1	6 / 23	2023-05-27
3.0.0	6 / 23	2023-05-26
2.8.3	4 / 22	2023-01-18
2.8.2	4 / 22	2022-12-14
2.8.1	4 / 22	2022-12-08
2.8.0	4 / 22	2022-11-09
2.7.0	4 / 22	2022-08-03
2.6.2	4 / 22	2022-06-22
2.6.1	4 / 22	2022-06-17
2.6.0	3 / 22	2022-05-25
2.5.0	3 / 22	2022-04-21
2.4.1	3 / 22	2022-03-31
2.4.0	3 / 22	2022-03-22
2.3.2	3 / 22	2022-02-18
2.3.1	3 / 22	2022-02-10
2.3.0	3 / 22	2022-02-09
2.2.1	5 / 0	2022-01-17
2.2.0	5 / 0	2022-01-12
2.1.1	5 / 0	2022-01-06
2.1.0	5 / 0	2022-01-05
2.0.1	5 / 0	2021-11-08
2.0.0	5 / 0	2021-10-13
3.7.5-canary.3498	7 / 22	2026-02-03
3.7.4-canary.3496	7 / 22	2025-12-07
3.7.2-canary.3489	7 / 22	2025-11-06
3.7.1-canary.3487	7 / 22	2025-10-24
3.7.1-canary.3486	7 / 22	2025-09-19
3.6.5-canary.3484	7 / 22	2025-08-31
3.6.5-canary.3483	7 / 22	2025-06-21
3.6.3-canary.3476	7 / 22	2025-06-08
3.6.3-canary.3473	7 / 22	2025-05-29
3.6.3-canary.3472	7 / 22	2025-05-25
3.6.2-canary.3465	7 / 22	2025-05-21
3.6.2-canary.3460	7 / 22	2025-05-19
3.6.2-canary.3458	7 / 22	2025-05-17
3.6.1-canary.3456	7 / 22	2025-05-16
3.6.1-canary.3455	7 / 22	2025-05-13
3.5.5-canary.3449	7 / 22	2025-05-11
3.5.5-canary.3443	7 / 22	2025-05-11
3.5.5-canary.3442	7 / 22	2025-04-30
3.5.5-canary.3441	7 / 22	2025-04-28

v3.7.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.7.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.7.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.7.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.7.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.6.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.6.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.6.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.6.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.6.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.3.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.3

2 findings

HIGH Bundled binary files (8) npm-metadata

Package contains compiled binaries that could be backdoors: • parcel-resolver.darwin-arm64.node • parcel-resolver.darwin-x64.node • parcel-resolver.linux-arm-gnueabihf.node • parcel-resolver.linux-arm64-gnu.node • parcel-resolver.linux-arm64-musl.node • parcel-resolver.linux-x64-gnu.node • parcel-resolver.linux-x64-musl.node • parcel-resolver.win32-x64-msvc.node

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.1

2 findings

HIGH Bundled binary files (8) npm-metadata

Package contains compiled binaries that could be backdoors: • parcel-resolver.darwin-arm64.node • parcel-resolver.darwin-x64.node • parcel-resolver.linux-arm-gnueabihf.node • parcel-resolver.linux-arm64-gnu.node • parcel-resolver.linux-arm64-musl.node • parcel-resolver.linux-x64-gnu.node • parcel-resolver.linux-x64-musl.node • parcel-resolver.win32-x64-msvc.node

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.8.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.8.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.8.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.8.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.7.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.6.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.6.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.6.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.5.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.4.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.4.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.3.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.3.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.3.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.2.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.2.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.1.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.1.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.