@rushstack/node-core-library
Core libraries that every NodeJS toolchain project should use
51
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
rushstack-adminodspnpmoctogonzmicrosoft1es
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): @types/node is intentionally listed as a runtime dep for TypeScript type declarations in this toolchain library; stable false positive for this package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removed maintainers are Microsoft/org accounts; odspnpm is a long-standing Microsoft-affiliated publisher with an excellent track record. Routine org cleanup, not a takeover signal. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): 0.0.0 is a standard Rush Stack monorepo placeholder version pattern used by this trusted publisher; not indicative of malicious intent. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Stub/placeholder 0.0.0 version from a well-established Rush Stack package; empty metadata is expected for this sentinel version pattern. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): microsoft1es is a standard Microsoft CI/CD service account routinely added to Microsoft OSS packages; not a suspicious actor for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): ajv/ajv-formats/ajv-draft-04 are the industry-standard JSON schema validation stack, replacing z-schema. Legitimate and well-understood dependency swap for this library. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process usage in Executable.js is a documented core feature of this node toolchain library; not a security concern. | ai | |
| dependencies | unvetted-dep:z-schema | AI (dependencies): z-schema is a legitimate JSON schema validator; its use here for schema validation utilities is expected and stable across versions of this package. | ai |
Versions (showing 51 of 161)
| Version | Deps | Published |
|---|---|---|
| 5.23.1 | 8 / 8 | |
| 5.23.0 | 8 / 8 | |
| 5.22.0 | 8 / 8 | |
| 5.21.0 | 8 / 8 | |
| 5.20.3 | 8 / 8 | |
| 5.20.2 | 8 / 8 | |
| 5.20.1 | 8 / 8 | |
| 5.20.0 | 8 / 8 | |
| 5.19.1 | 8 / 8 | |
| 5.19.0 | 8 / 8 | |
| 5.18.0 | 8 / 8 | |
| 5.17.1 | 8 / 8 | |
| 5.17.0 | 8 / 8 | |
| 5.16.0 | 8 / 8 | |
| 5.15.1 | 8 / 8 | |
| 5.15.0 | 8 / 8 | |
| 5.14.0 | 8 / 7 | |
| 5.13.1 | 8 / 7 | |
| 5.13.0 | 8 / 9 | |
| 5.12.0 | 8 / 9 | |
| 5.11.0 | 8 / 9 | |
| 5.10.2 | 8 / 9 | |
| 5.10.1 | 8 / 9 | |
| 5.10.0 | 8 / 9 | |
| 5.9.0 | 8 / 9 | |
| 5.8.0 | 8 / 9 | |
| 5.7.0 | 8 / 9 | |
| 5.6.0 | 8 / 9 | |
| 5.5.1 | 8 / 9 | |
| 5.5.0 | 8 / 9 | |
| 5.4.1 | 8 / 9 | |
| 5.4.0 | 8 / 9 | |
| 5.3.0 | 8 / 9 | |
| 5.2.0 | 8 / 9 | |
| 5.1.0 | 8 / 9 | |
| 5.0.0 | 8 / 9 | |
| 4.3.0 | 6 / 9 | |
| 4.2.1 | 6 / 9 | |
| 4.2.0 | 6 / 9 | |
| 4.1.0 | 6 / 9 | |
| 4.0.2 | 6 / 9 | |
| 4.0.1 | 6 / 9 | |
| 4.0.0 | 7 / 9 | |
| 3.66.1 | 7 / 9 | |
| 3.66.0 | 7 / 9 | |
| 3.65.0 | 7 / 9 | |
| 3.64.2 | 7 / 9 | |
| 3.64.1 | 7 / 9 | |
| 3.64.0 | 7 / 9 | |
| 3.63.0 | 7 / 9 | |
| 3.62.0 | 7 / 9 |