@remix-run/node

Node.js platform abstractions for Remix

Versions: 3
License: MIT
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation, npm registry signatures, No source commit

Maintainers

mjackson, ryanflorence

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
| --- | --- | --- | --- | --- |
| provenance | publisher-changed | AI (provenance): Remix migrated to GitHub Actions CI/CD for releases; publisher change from mjackson to GitHub Actions is a documented, expected transition backed by SLSA provenance attestation. | ai | |
| dependencies | unvetted-dep:stream-slice | AI (dependencies): Utility dependency for stream handling; appropriate for Node.js platform abstraction. | ai | |
| dependencies | unvetted-dep:@remix-run/web-fetch | AI (dependencies): Internal Remix dependency; part of the official framework monorepo. | ai | |
| dependencies | unvetted-dep:@remix-run/server-runtime | AI (dependencies): Internal Remix dependency; part of the official framework monorepo. | ai | |
| dependencies | unvetted-dep:undici | AI (dependencies): undici is a standard HTTP client dependency for Node.js; expected for @remix-run/node. | ai | |
| typosquat | typosquat.levenshtein:zod | AI (typosquat): False positive; @remix-run/node is a scoped package with clear identity, not a typosquat. | ai | |
| phantom-deps | phantom-dep:source-map-support | AI (phantom-deps): Phantom dependency referenced in config; not a security concern for this package. | ai | |
| phantom-deps | phantom-dep:@web3-storage/multipart-parser | AI (phantom-deps): Phantom dependency referenced in config; not a security concern for this package. | ai | |
| dependencies | unvetted-dep:@web3-storage/multipart-parser | AI (dependencies): Multipart form parsing dependency; standard for Node.js HTTP handling. | ai | |

Versions (showing 3 of 3)

Version Deps Published
2.17.4 7 / 3
2.17.3 7 / 3
2.17.2 7 / 3

v2.17.3

2 findings
HIGH Publisher changed: mjackson → GitHub Actions (on 2026-01-07) provenance

This version was published by a different npm account than previous versions on 2026-01-07. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.