@peculiar/webcrypto — Greenflagged

A WebCrypto Polyfill for NodeJS

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

rmhriskmicroshineyury.strozhevskypeculiarventuresapilgukdonskovworldthirteen

Keywords

webcryptocryptosharsaecaesdeshmacpbkdf2eddsax25519ed25519x448ed448shake128shake256

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	missing-githead	AI (provenance): SLSA provenance attestation present; gitHead absence is a benign CI config change.	ai	2026/05/15
publish-pattern	new-deps-added	AI (publish-pattern): Dep swap within the same org (@peculiar); SLSA provenance confirms clean CI build.	ai	2026/04/30
provenance	publisher-changed	AI (provenance): Moved to GitHub Actions CI/CD publishing with SLSA provenance; legitimate for this org.	ai	2026/04/29
provenance	slsa-provenance	AI (provenance): SLSA attestation is a positive signal; stable accept.	ai	2026/04/29

Versions (showing 56 of 56)

Version	Deps	Published
1.7.1	5 / 9	2026-05-01
1.7.0	5 / 10	2026-04-30
1.6.0	5 / 10	2026-04-29
1.5.0	5 / 13	2024-05-28
1.4.6	5 / 13	2024-03-29
1.4.5	5 / 13	2024-01-22
1.4.4	5 / 13	2024-01-16
1.4.3	5 / 13	2023-03-24
1.4.2	5 / 13	2023-03-21
1.4.1	5 / 15	2022-11-02
1.4.0	5 / 15	2022-05-12
1.3.3	5 / 15	2022-03-25
1.3.2	5 / 15	2022-03-07
1.3.1	5 / 15	2022-03-02
1.3.0	5 / 15	2022-02-24
1.2.3	5 / 15	2021-11-24
1.2.2	5 / 15	2021-11-10
1.2.1	5 / 15	2021-11-10
1.2.0	5 / 15	2021-10-26
1.1.7	5 / 15	2021-05-10
1.1.6	5 / 15	2021-02-04
1.1.5	5 / 15	2021-02-01
1.1.4	5 / 15	2020-11-25
1.1.3	5 / 15	2020-08-10
1.1.2	5 / 15	2020-07-17
1.1.1	5 / 15	2020-05-08
1.1.0	5 / 15	2020-05-07
1.0.29	5 / 15	2020-04-18
1.0.28	5 / 15	2020-04-18
1.0.27	5 / 15	2020-04-06
1.0.26	6 / 15	2020-03-23
1.0.25	6 / 14	2020-03-15
1.0.24	6 / 14	2020-03-15
1.0.23	6 / 11	2020-03-06
1.0.22	6 / 11	2019-12-16
1.0.21	6 / 10	2019-10-12
1.0.20	6 / 10	2019-10-12
1.0.19	6 / 10	2019-09-04
1.0.18	6 / 10	2019-09-04
1.0.17	6 / 10	2019-09-04
1.0.16	6 / 10	2019-08-26
1.0.15	6 / 10	2019-08-24
1.0.14	6 / 10	2019-08-20
1.0.13	6 / 10	2019-08-20
1.0.12	6 / 10	2019-05-26
1.0.11	6 / 10	2019-05-22
1.0.10	6 / 10	2019-05-03
1.0.9	6 / 10	2019-03-28
1.0.8	6 / 10	2019-03-07
1.0.7	6 / 10	2019-03-02
1.0.6	6 / 9	2019-03-02
1.0.5	6 / 9	2019-02-19
1.0.4	6 / 9	2019-02-17
1.0.3	6 / 9	2019-02-15
1.0.2	6 / 9	2019-02-14
1.0.1	6 / 9	2019-01-25

v1.7.1

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.7.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.0

2 findings

HIGH Publisher changed: microshine → GitHub Actions (on 2026-04-29) provenance

This version was published by a different npm account than previous versions on 2026-04-29. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.