@parcel/watcher
A native C++ Node module for querying and subscribing to filesystem events. Used by Parcel 2.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): New deps are platform-specific prebuilt binary packages from the same @parcel org scope plus standard utilities (is-glob, micromatch, detect-libc). This is the documented pattern for native addon distribution. | ai | |
| phantom-deps | phantom-dep:@parcel/watcher-linux-arm64-musl | AI (phantom-deps): Platform-specific prebuilt binary optional dep in same org scope; standard distribution pattern for native addons. | ai | |
| phantom-deps | phantom-dep:@parcel/watcher-win32-ia32 | AI (phantom-deps): Platform-specific prebuilt binary loaded dynamically via require(name) — standard distribution pattern for native addons in this package. | ai | |
| phantom-deps | phantom-dep:@parcel/watcher-freebsd-x64 | AI (phantom-deps): Platform-specific prebuilt binary loaded dynamically via require(name) — standard distribution pattern for native addons in this package. | ai | |
| phantom-deps | phantom-dep:@parcel/watcher-linux-arm64-glibc | AI (phantom-deps): Platform-specific prebuilt binary optional dep in same org scope; standard distribution pattern for native addons. | ai | |
| phantom-deps | phantom-dep:@parcel/watcher-win32-x64 | AI (phantom-deps): Platform-specific prebuilt binary optional dep in same org scope; standard distribution pattern for native addons. | ai | |
| phantom-deps | phantom-dep:@parcel/watcher-darwin-x64 | AI (phantom-deps): Platform-specific prebuilt binary optional dep in same org scope; standard distribution pattern for native addons. | ai | |
| phantom-deps | phantom-dep:@parcel/watcher-win32-arm64 | AI (phantom-deps): Platform-specific prebuilt binary optional dep in same org scope; standard distribution pattern for native addons. | ai | |
| phantom-deps | phantom-dep:@parcel/watcher-darwin-arm64 | AI (phantom-deps): Platform-specific prebuilt binary optional dep in same org scope; standard distribution pattern for native addons. | ai | |
| phantom-deps | phantom-dep:@parcel/watcher-android-arm64 | AI (phantom-deps): Platform-specific prebuilt binary optional dep in same org scope; standard distribution pattern for native addons. | ai | |
| phantom-deps | phantom-dep:@parcel/watcher-linux-x64-musl | AI (phantom-deps): Platform-specific prebuilt binary optional dep in same org scope; standard distribution pattern for native addons. | ai | |
| phantom-deps | phantom-dep:@parcel/watcher-linux-arm-glibc | AI (phantom-deps): Platform-specific prebuilt binary optional dep in same org scope; standard distribution pattern for native addons. | ai | |
| phantom-deps | phantom-dep:@parcel/watcher-linux-x64-glibc | AI (phantom-deps): Platform-specific prebuilt binary optional dep in same org scope; standard distribution pattern for native addons. | ai | |
| dependencies | unvetted-dep:@parcel/utils | AI (dependencies): @parcel/utils is a first-party Parcel monorepo package published by the same trusted publisher (devongovett); not a third-party risk. | ai | |
| dependencies | unvetted-dep:node-gyp-build | AI (dependencies): node-gyp-build is a standard native addon dependency; no risk for this package. | ai | |
| npm-metadata | bundled-binaries | AI (npm-metadata): Prebuilt .node binaries are the documented distribution mechanism for this native C++ filesystem watcher; expected for all versions. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Established package from the Parcel bundler ecosystem; bogus-package signals are false positives here. | ai | |
| provenance | no-provenance | AI (provenance): Package predates widespread Sigstore/provenance adoption; absence is expected for this version. | ai | |
| dependencies | unvetted-dep:detect-libc | AI (dependencies): detect-libc is a standard utility for detecting glibc/musl to select correct prebuilt binary; well-known in native addon ecosystem. | ai | |
| dependencies | unvetted-dep:node-addon-api | AI (dependencies): node-addon-api is the official N-API C++ wrapper maintained by the Node.js team; standard dependency for native addons. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is used to load the correct platform-specific prebuilt binary; standard and expected pattern for this package. | ai | |
| phantom-deps | phantom-dep:node-addon-api | AI (phantom-deps): node-addon-api is a build-time dep for native addons; not directly imported at runtime but referenced in binding config. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used in build-from-source.js to compile native addon when prebuilts unavailable. Expected and documented behavior for native Node.js modules. | ai | |
| install-scripts | install-script:install | AI (install-scripts): node-gyp rebuild is the standard native addon build script; legitimate for this C++ filesystem watcher package. | ai | |
Versions (showing 13 of 13)
| Version | Deps | Published |
|---|---|---|
| 2.5.4 | 4 / 8 | |
| 2.4.1 | 16 / 8 | |
| 2.4.0 | 16 / 8 | |
| 2.3.0 | 16 / 7 | |
| 2.2.0 | 14 / 6 | |
| 2.1.0 | 4 / 6 | |
| 2.0.5 | 2 / 6 | |
| 2.0.3 | 2 / 6 | |
| 2.0.2 | 2 / 6 | |
| 2.0.0 | 2 / 6 | |
| 1.12.1 | 2 / 4 | |
| 1.12.0 | 2 / 4 | |
| 1.11.0 | 2 / 4 | |
v2.5.4
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.1
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.0
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.0
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.0
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.0
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.5
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.3
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.1
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.0
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.0
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.