@parcel/source-map — Greenflagged

A source map library purpose-build for the Parcel bundler with a focus on fast combining and manipulating of source-maps.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

devongovett

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:detect-libc	AI (phantom-deps): detect-libc removal in v2.0.4 resolves the phantom dependency; stable for this package's build pattern.	ai	2026/04/24
npm-metadata	bundled-binaries	AI (npm-metadata): Bundled .node binaries are the documented distribution mechanism for this native addon package; stable pattern across all versions.	ai	2026/04/23
semgrep	semgrep:child-process-import	AI (semgrep): child_process usage is in build.js, a build-time script for compiling the native addon — not a runtime concern.	ai	2026/04/23
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require loads the correct platform-specific .node binary — canonical pattern for multi-platform native addons, not arbitrary code loading.	ai	2026/04/23
dependencies	unvetted-dep:detect-libc	AI (dependencies): detect-libc is a well-known utility for detecting Linux C library variant, appropriate for selecting the correct native binary.	ai	2026/04/23